As the economy gradually begins to reopen, remote working remains in place for a large number of Irish organisations, while the rate of cybercrime and data security incidents continues to increase. For many, the pace at which organisations had to adapt to the effects of COVID-19 in order to maintain business continuity meant that remote working was implemented urgently, and data security took a lower place on the list of priorities than the set-up and roll-out of remote working systems.
In recognition of this reality, we have set out below a summary of important considerations from a data security standpoint, taking into account the requirements of the EU General Data Protection Regulation (“GDPR”) and guidance published by various national data protection supervisory authorities.
Perhaps the most common form of cyber attack in the current climate is the ‘phishing’ email: an email purporting to come from a legitimate institution and designed to extract sensitive information from the recipient or to deliver malware. Reported volumes of email phishing have spiked by over 600% since the end of February 2020. Phishing emails often look identical to messages from a reputable organisation, claim to enclose important information or breaking news, and ask the recipient to open attachments or click on links. It is therefore of critical importance that employees are aware of phishing scams and how to avoid them, in particular by:
- Reading all emails carefully – poor spelling, grammar and punctuation are a common tell, but a well-crafted phishing email may contain none of these, so their absence is not reassurance;
- Checking the actual email address of the sender, not just the display name, to see whether it comes from a recognised legitimate source, particularly where the email in question references COVID-19; look out for lookalike domains (an extra word, a swapped letter or a different top-level domain) and for a Reply-To address that differs from the sender; and
- Avoiding clicking links received through emails from unidentified or suspect sources; hover over a link to see where it really leads, and, where the email claims to come from a known organisation, reach that organisation by typing its usual website address into a web browser or using a saved bookmark, never an address copied from the email itself.
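The sender and link checks described above can be applied mechanically before a message ever reaches an inbox. The following is an added example, not code from the original article: it parses a message with Python's standard email library, compares the From and Reply-To domains against a hypothetical allowlist, and flags any link whose visible text names a different host than its real destination. The two messages, the domains (all under the reserved .example top-level domain apart from the genuine hse.ie shown as decoy link text) and the allowlist are constructed for illustration.

```python
"""Check an email for common phishing tells: an untrusted or mismatched sender
and links whose visible text shows a different host than the real destination."""
import email
import re
from email import policy
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Hypothetical allowlist of the organisation's own and known-good sender domains.
TRUSTED_DOMAINS = {"corp.example"}

# Matches link text that looks like a URL or bare hostname and captures the host.
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def _trusted(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _header_domain(msg, name: str) -> str:
    """Domain of the first address in an address header, or '' if absent."""
    hdr = msg[name]
    if hdr is None or not getattr(hdr, "addresses", ()):
        return ""
    return hdr.addresses[0].domain.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message: str) -> List[str]:
    """Return human-readable indicators found in an RFC 5322 message; empty if none."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = _header_domain(msg, "From")
    reply_domain = _header_domain(msg, "Reply-To") or from_domain
    if not _trusted(from_domain):
        findings.append(f"sender domain not on allowlist: {from_domain}")
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        m = _URLISH.match(text)
        text_host = m.group(1).lower() if m else ""
        if text_host and href_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        elif href_host and not _trusted(href_host):
            findings.append(f"link to external host: {href_host}")
    return findings


# Constructed lookalike message: spoofed display name, foreign Reply-To, decoy link text.
PHISH = """\
From: HSE Covid Updates <alerts@hse-covid.example>
Reply-To: collect@mailer.example
To: staff@corp.example
Subject: Urgent: confirm your COVID-19 payroll details
Content-Type: text/html; charset="utf-8"

<html><body><p>Confirm your details at
<a href="http://login.hse-covid.example/verify">https://www.hse.ie/staff</a>
before 5pm today.</p></body></html>
"""

# Constructed legitimate internal message for comparison.
LEGIT = """\
From: IT Service Desk <servicedesk@corp.example>
To: staff@corp.example
Subject: VPN maintenance window
Content-Type: text/html; charset="utf-8"

<html><body><p>Details on <a href="https://intranet.corp.example/vpn">intranet.corp.example</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample))
```

The three findings on the constructed message (untrusted sender domain, differing Reply-To, link text naming hse.ie while the href points elsewhere) are exactly the manual checks in the list above; the legitimate message produces none. A lookalike domain that is merely similar to a trusted one is still reported as untrusted because matching is exact, which is the point of an allowlist.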
Viruses, Malware and Bad Domains
Devices used by workers operating outside of an organisation's infrastructure often lack the protections against malicious domains and malware that the office network provides (DNS and web filtering, endpoint monitoring, centrally managed patching), increasing the risk of device compromise, and that risk may transfer to the organisation's infrastructure when staff return to the workplace with those devices. Furthermore, one mis-click by an untrained or disgruntled employee can infect his or her device with a virus, trojan or other form of malware, and where the employer uses a remote desktop application or virtual private network (VPN), the connection extends the company network to that device, so there is a high risk that malware on the employee's device spreads into the company network. This is particularly relevant when employees visit websites purporting to relate to COVID-19: of the 1.2 million newly registered domains containing COVID-related keywords between March and April 2020, at least 86,600 were classified as risky or malicious.
In order to mitigate this risk, organisations should:
- ensure that employees' machines run up-to-date anti-virus software with a firewall enabled, and that the latest security patches are installed as soon as they are made available;
- set an expected standard of security for employees' remote working stations in relation to information and data confidentiality, hard copy and electronic file destruction, and appropriate device usage;
- where the organisation uses a VPN, require two-factor authentication (two independent layers of confirmation) before access is permitted – for example, a password combined with a code generated by, or sent to, a secondary device; an authenticator app or hardware token is preferable to a code sent by SMS, which can be intercepted or redirected;
- require employees to use strong, unique passwords for work systems and to change them immediately if compromise is suspected; forced periodic rotation is no longer recommended by NIST (SP 800-63B) or the UK NCSC, because it tends to produce weaker, predictable passwords, whereas screening new passwords against lists of known-breached passwords does reduce the likelihood of a successful guess;
- instruct employees not to save any work-related documents locally if they are operating on a shared machine, and ensure the thorough deletion of any files that were; and
- ensure employee devices are enrolled in the organisation's device management so that, where necessary, a lost or compromised device can be locked or its hard drive wiped remotely.
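The second-factor step in the VPN bullet above, a code sent to a secondary device and checked on login, is simple to describe but easy to get wrong in detail. The following is an added example, not code from the original article, of the server side of that step: issuing a short-lived six-digit code for out-of-band delivery and verifying it in a way that is single-use, time-limited, rate-limited and resistant to timing attacks. The in-memory store, the server secret and the user names are hypothetical; delivery of the code (SMS gateway, push notification) is outside the example.

```python
"""Server-side issue and verification of a one-time second-factor code.
Added example: the store, secret handling and user names are hypothetical."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 5         # invalidate the code after this many wrong guesses

# Per-deployment key; in production this would come from a secrets manager or KMS.
SERVER_SECRET = secrets.token_bytes(32)

# username -> {"digest", "expires", "attempts"}; stand-in for a database table.
_pending = {}


def _digest(username: str, code: str) -> bytes:
    """Keyed hash of (user, code) so a leaked table of pending codes is useless offline."""
    return hmac.new(SERVER_SECRET, f"{username}:{code}".encode(), hashlib.sha256).digest()


def issue_code(username: str, now: Optional[float] = None) -> str:
    """Create a fresh random six-digit code for the user and return it for delivery
    over the secondary channel. Only its keyed hash and expiry are stored."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # uniform over 000000-999999
    _pending[username] = {
        "digest": _digest(username, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(username: str, submitted: str, now: Optional[float] = None) -> bool:
    """Check a submitted code. A code is single-use, expires after CODE_TTL_SECONDS,
    and is discarded after MAX_ATTEMPTS failures so it cannot be brute-forced."""
    now = time.time() if now is None else now
    rec = _pending.get(username)
    if rec is None:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(username, None)
        return False
    rec["attempts"] += 1
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    ok = hmac.compare_digest(rec["digest"], _digest(username, submitted.strip()))
    if ok:
        _pending.pop(username, None)   # consume it: the same code cannot be replayed
    return ok


if __name__ == "__main__":
    code = issue_code("alice")
    print("deliver to alice's phone:", code)
    print("first use:", verify_code("alice", code))    # True
    print("replay:", verify_code("alice", code))       # False, already consumed
```

The `now` parameter exists so the expiry and lockout behaviour can be exercised deterministically; in a real deployment the verifier would also check the password first and only issue a code once that factor succeeds, so that an attacker cannot use the second-factor channel to confirm which usernames exist.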
While phishing emails remain a significant threat to an organisation’s data security, it is important to be aware that a large proportion of data breaches occur as a result of human error. Where a business has chosen to use a VPN to enable all of its employees to work from home, the error of one individual can expose every employee and system reachable over that network. It is therefore of critical importance that all employees fully understand the implications of their actions when it comes to keeping data secure. This starts with internal handbooks and policies – these should be written in clear, accessible language and should be reviewed to ensure they are up to date and include any COVID-19-specific guidance. On the employee side, employees should be trained to take the appropriate precautions to prevent potential data breaches, including:
- Always checking that they have selected the correct recipient and attached the correct files before sending an email, since a misdirected email is itself a reportable breach;
- Ensuring that work-issued devices are not used by anyone other than the employee to whom they were issued, including family members, roommates, etc; and
- Avoiding the use of personal accounts and email addresses for work, particularly for work-related video conferencing, both to avoid the unnecessary collection of their personal details and to keep work data out of accounts the organisation does not control.
What do we do if a data security breach has already occurred?
The first step for an organisation affected by a data breach is to investigate whether the breach is likely to result in a risk to the rights and freedoms of natural persons. If the investigation finds that such a risk is unlikely, the organisation need not notify the supervisory authority, but it must keep a record of the breach and of the investigation that clearly sets out the reasoning behind that finding (GDPR Article 33(5)), as the Data Protection Commission may ask to see it.
Where the assessment finds that the breach is likely to result in a risk to the rights and freedoms of natural persons, the organisation must report the breach to the Data Protection Commission without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33); if notification is made later than that, the reasons for the delay must be given. Efficient communication with the employee concerned will be necessary to establish what data was affected, to assess the risk and to provide the Commission with all of the details required. Furthermore, where a breach is likely to result in a high risk to the affected individuals, the organisation must also inform those individuals without undue delay (Article 34).
Although many Irish organisations may have been caught off-guard by the sudden need to enable large-scale remote working, it is likely that remote working will become part of a “new normal” long after the COVID-19 pandemic has passed. For this reason, it is important that organisations implement good working habits now to mitigate avoidable security risks long-term.
How we can help
If you require any assistance in relation to your organisation’s data security measures or your organisation has been affected by a data security breach, please feel free to contact Joe McVeigh or Lee Taren in our Privacy & Data Security Team.
This article is for general information purposes. Legal advice must be obtained for individual circumstances. Whilst every effort has been made to ensure the accuracy of this article, no liability is accepted by the author for any inaccuracies.
Remote Working and Data Security
26 Jun 2020