Over the past few days, a number of bodies, including the Danish Centre for Cyber Security and the Danish Data Protection Agency, have emphasised that the precautionary measures taken in response to COVID-19 have raised the cyber security threat to companies and organisations, because large-scale working from home increases cyber security risk.
Companies and organisations should be aware that the risk-based approach underlying cyber security standards and rules applies equally in the current situation.
As an example, the risk-based approach set out in Article 32 of the General Data Protection Regulation (GDPR) requires an assessment of the increased risks that arise when employees work from home on company hardware with access to company networks. Although working from home is far more common at the moment because of the COVID-19 precautionary measures, this does not exempt companies and organisations from taking the added cyber security risks of home working into account in their risk-based approach.
Companies and organisations must continue to "ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services", cf. Article 32(1)(b) of the GDPR.
Under these unusual circumstances, where a large part of the population is required to work from home, some employees may be tempted to use easier and more accessible solutions, even though such solutions may be less secure. This may, for example, be the case if employees find it easier to work around the VPN connection, or to skip or ignore software updates.
Companies and organisations must therefore be aware that some of the workarounds employees are generally prone to use, which under normal circumstances would be caught by on-site controls or would not be possible on-site at all, may expose the company or organisation to liability for its employees' conduct, since such workarounds may amount to negligence. Such workarounds and inadequate practices are equally important to be aware of from a data protection perspective.
As a result, it is important that companies and organisations give their employees sufficient instructions on security measures when working from home.
We endorse the recommendations issued by the Danish Centre for Cyber Security on 14 and 15 March 2020, containing specific action points to mitigate the increased cyber security risks associated with working from home:
Recommendations for companies and organisations
- Should it at some point become relevant to temporarily adjust or suspend information security policies (in part or in whole), for example to grant requested access to systems or to accommodate a different pattern of use, it is important that such adjustments or suspensions are accompanied by adequate measures to counteract any negative consequences.
- Ensure that hardware issued to employees (iPhones, laptops and the like) is encrypted, e.g. with full-disk encryption, and that access is protected by an appropriate password or PIN.
- Ensure that communication channels are established and that all employees are aware of such channels.
- Be aware of the cyber security threat landscape, as criminals may try to exploit the current situation, e.g. to spread ransomware and send phishing links and text messages under the guise of COVID-19.
- Ensure that employees are aware of the processes and measures established to provide secure remote access (e.g. VPN, multi-factor authentication), and test that such measures are effective.
- Ensure that the infrastructure supporting remote access has the capacity and the number of licences required to accommodate the increased number of users who need access at the same time.
- Ensure that automatic software updates are enabled while employees are working remotely. If this is not technically possible, ensure that employees are regularly reminded to update the software on the hardware they use when working from home.
- Ensure that the company is aware of the risks associated with temporary access or permissions, and reassess them (and revoke them where appropriate) when the need for such access and permissions ceases.
- As the situation returns to normal, remember to evaluate the experience and collect feedback in order to improve remote access, the related processes and the contingency plans.
Recommendations for the employee
- Use the tools and communication channels your company has put at your disposal, and remember that the information security policies of your company or organisation still apply when you are working from home. As an example, be aware that your company or organisation may have rules on the use of private email accounts and file-sharing services.
- If your work computer does not update automatically, make sure to do so manually.
- Test that remote access works before you need it, so that any problems can be remedied in advance.
- Be aware of fake emails or text messages that you may receive under the guise of news about COVID-19.
- Remember also to protect physical access to your work computer when working remotely, e.g. by locking the screen whenever you step away from it.