Organisations and individuals are increasingly harnessing the opportunities presented by technology in the current COVID-19 climate. The pandemic has placed a growing reliance on data, cloud systems and online communications as organisations combat the challenge of stepping out of the office and into remote working settings. However, remote working presents its own set of risks, particularly in relation to cyber security and data. Organisations should assess potential cybersecurity risks and adopt measures to counteract those risks to maintain cybersecurity resilience.
Cybersecurity Risks – Working from Home
The cyber security threat landscape is constantly evolving and increasing in complexity. Organisations should, as a matter of best practice, regularly assess their cyber resilience and readiness to ensure effective operations. As part of this exercise, it is important to understand the potential risks an organisation may face.
The factors listed below may increase an organisation’s vulnerability to potential cyber security incidents, such as data breaches:
- A quick and unplanned shift to having people work from home. In the early stages of COVID-19, businesses may have rushed to purchased devices and technical equipment. This may have left little time for IT and security teams to properly implement security measures such as multifactor authentication measures on devices.
- The use of tools that do not ensure the proper protection of personal information. For example, organisations may use free instant messenger applications which do not have adequate privacy safeguards.
- A lack of understanding, visibility and training about the potential and actual cyber security risks faced by an organisation both at a management level and employee level.
- A lack of oversight about what level of security is in place where employees are using their own devices.
Minimising the Risks
The Privacy Act 1988 (Cth) (Privacy Act) including the Australian Privacy Principles (APPs) continue to apply to remote workforces. Entities subject to the Privacy Act are required to take active measures to protect personal information they hold from misuse, interference and loss, as well as unauthorised modification or disclosure.
To minimise the potential of a data breach and, organisations can take the following steps:
- Understand your organisation’s threat profile and identify threats that can compromise your businesses’ data and information assets. A joint report from consulting firm BDO and security not for profit organisation, AusCert, entitled 2019 Cyber Security Survey (Joint Report), highlights that organisations tend to invest in the risks they believe to be prevalent. However, if there is a lack of congruency between the perceived risks and the actual risks, organisations risk failing to adequately to protect their businesses. The Australian Office of the Information Commissioner (OAIC) recommends that organisations conduct a threshold assessment to establish whether a Privacy Impact Assessment (PIA) may be required to properly assess privacy issues in the context of remote working arrangements. The OAIC recognises that a PIA may not be strictly necessary if (a) an organisation’s remote working practices do not change existing information handling practices, or (b) the privacy implications of these practices have been assessed previously and existing control are appropriate. Irrespective of whether your organisation conducts a PIA, records of the risk assessment undertaken should be retained so your organisation can demonstrate compliance with the Privacy Act.
- Ensure employees are educated and made aware of the potential risks associated with cyber security incidents such as data breaches and are trained on how to avoid those risks. The BDO and AusCERT Joint Report revealed that phishing accounted for the most common cyber security incident in 2019 and attributed its popularity to its low complexity and high success rate. Employee training is critical to combat this risk risk, particularly as employees may become less risk averse in remote working environments.
- If employees are using their own device, ensure that employees have an understanding of and implement the minimum security requirements as determined by your organisation. Additionally, the investment in multi-factor authentication, anti-virus software, security walls and ensuring updates of these services can reduce vulnerabilities.
- Ensure your organisation has data breach plan in place. It is imperative that both employees and management know what to do if things go wrong when data is compromised. By having a data breach plan in place, you can respond in a way that aligns with legislative requirements and community expectations. In Australia, the Notifiable Data Breaches (NDB) scheme requires any organisation or agency covered under the Privacy Act 1988 (Cth) to notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved. If an eligible data breach occurs, a quick, streamlined and effective response can minimise the effects of the breach and also have a positive impact on the public perception of an organisation’s trustworthiness.
As a businesses’ technological capabilities grow, so too do the potential cyber threats it faces. In the COVID-19 climate, organisations should therefore take a proactive approach to cyber security risks by identifying them in the first instance, invest in mitigating them and follow up by implementing measures in place to effectively respond to them.