With the advent of the novel coronavirus COVID-19, many organizations around the world are undergoing a seismic shift on an accelerated timeline towards telework or remote working for some or all employees. In addition to ensuring that the networks, VPNs, and other IT resources are capable of supporting such a shift, organizations that have not built such teleworking into their disaster preparedness plans should be aware of, and take steps to mitigate, the cybersecurity and data privacy risks involved in such a shift. We have set forth below several key considerations for organizations as they implement increased teleworking strategies to help address the spread of COVID-19.
1. Access to Restricted Systems – Many organizations have systems that are subject to on-premises access only. With the shift to teleworking (by choice or government initiative), these systems may need to be opened up for remote access by authorized users. Ensuring that such systems are configured appropriately and that additional authentication requirements are included for remote access to these specific systems (e.g., additional and distinct password requirements and/or two factor authentication) are key elements to maintaining the integrity of those systems in a teleworking environment.
2. Availability of IT Resources for Teleworking – While a certain subset of the employee population may already have organization-issued devices for remote working, many organizations will struggle to meet the demand for such devices in the event a substantial number of traditionally non-remote workers begin to telework. Assuming that a rapid procurement process is not feasible, this can leave organizations with only two options:
- Deployment of prior-generation or stored laptops and other devices – In the event prior generation or stored laptops and other devices are deployed, there is a risk that these devices do not have up-to-date security software and have material gaps in their software security patches.
- Permitting workers to utilize personal devices for accessing organization systems and resources – Organizations may have relatively little control over the security of the personally owned devices of their work force, unless those devices have been subject to prior efforts to bring them into conformance (e.g., via security applications on mobile phones).
3. Phishing Attacks – Major news events provide an attractive opportunity for malicious actors to leverage concerns to attack organizations. Phishing and malware attacks disguised as health updates or updates to sick leave policies can provide an easy method to attack even the most well-trained workforce. The impact of these attacks may be further exacerbated by the remote work force solution depending on what devices are at issue (i.e., organization-owned or personal devices) and the security solution for remote working (e.g., firewall configurations and remote access to restricted systems).
4. Increased Remote Connections – Beyond the strain on VPN and other technology solutions that may be utilized by organizations, an increase in remote connections can provide ample cover for malicious connections to be made. The risk of such connections is further increased if the employee is utilizing an unsecured or compromised connection (e.g., working from the local coffee shop).
5. Data Privacy Risks – With respect to the security monitoring of employee and workforce member use of devices outside the office, particularly on personally-owned devices, organizations should thoughtfully address data privacy considerations. Key considerations include whether the organization has properly issued a privacy notice and/or obtained consent, whether a data protection impact assessment is needed for the monitoring activities, whether a cross-border transfer solution is needed, and whether appropriate terms are in place with any vendors or third parties that may access the data. Employment-related considerations would include whether employee representatives should be consulted on the monitoring activity, whether any data collections could be used at a later time as a basis for discrimination or unfair treatment claims.
Cybersecurity and Data Protection Checklist for Teleworking
- Do we have two-factor authentication in place for remote access?
- Are restricted systems capable of being accessed remotely and appropriately configured?
- Are restricted systems subject to additional layer of authentication or security for remote access?
- Are all remote workers utilizing organization-owned devices for remote access?
- Are those devices fully updated with security software and patches?
- Are remote workers utilizing personally-owned devices for remote access?
- Are those devices subject to appropriate security controls?
- Have we prepared our network and workforce for how to address the increased risk in cyber attacks in the remote working context?
- Have we issued appropriate privacy notices and/or obtained suitable consents for our planned monitoring activities?
- Do we need to address privacy terms with any vendors or other third parties that may access the data from our devices?
- Do we need to address any cross-border transfer restrictions that may apply to our workforce’s remote access to systems?
- Do we need to carry out a data protection impact assessment on the proposed data collection and processing activities?