Article by Roxana Ionescu, Partner and Head of the Data Protection practice, and Madalina Bucur, Associate, Data Protection practice, NNDKP
The COVID-19 pandemic is leading more and more businesses to “put the lock” on their offices. This means that a large number of employees all over the world have already been forced to make their homes as comfortable as possible to ensure an appropriate work environment.
Besides the operational and logistical challenges that may arise in making work from home possible, both businesses and employees should consider the security risks this may bring to the business activity and even to the employees’ own privacy.
The materialization of these risks could unexpectedly change the priorities of businesses in the context of the COVID-19 pandemic, because of the major or even irreversible consequences the security risks could produce. This is why businesses have to implement preventive measures and avoid approaches like “this is not a priority right now” or “we focus only on keeping the business running”. Beyond the obvious reasons to do so – mainly to safeguard the confidentiality of their business – companies need to do this in order to comply with the general data security requirement under the General Data Protection Regulation.
Security risks can take different forms and can be of different degrees of severity. Among others, the following security risks may materialize while working from home without anyone noticing and without requiring great effort from malicious parties:
- using personal devices, for lack of sufficient company equipment for all employees. This means that the professional and efficient tools implemented on business networks (e.g., backup tools, strong antivirus software) are no longer available, making it easier for malware to attack the devices and to leak the personal data and confidential information stored on them;
- using unsecured Wi-Fi networks, even for a limited period of time. For example, an employee has to send an absolutely urgent e-mail with business data, but his Wi-Fi network is down at that moment, so he chooses to connect to a public network or to his neighbor’s Wi-Fi network, probably thinking “well, it’s just an email, what could happen in 10 minutes?!” This may open the doors wide for hackers to position themselves between the employee and the connection point and therefore to access every piece of information the employee sends out, including personal data and confidential information that may be crucial for a business;
- keeping smart devices that use virtual assistants turned on in the room used for work. This may affect the confidentiality of business discussions carried out by telephone or Skype (“Hey, Alexa! I’m having a business call, so stop listening!”). It is no longer a secret that such devices may record conversations even without specific commands from the users, in order to “improve voice-recognition features”. While this is disturbing enough when thinking of our private life, it may have a greater impact if we consider the importance of confidentiality for a business;
- “old-fashioned” phishing and hacking attacks should not be forgotten, since they are expected not only to continue during the COVID-19 pandemic, but even to increase in number due to more favorable conditions while working from home.
While the security risks associated with working from home may already have been observed by companies that implemented this practice long before the COVID-19 outbreak, other companies that were forced to suspend their office activity overnight may be taken by surprise.
Here are some tips companies should consider to prevent and mitigate the security risks of working from home:
- Adopt and implement a work from home policy to set out practical rules each employee working from home must follow in order to ensure the security of personal and business data;
- Refresh the employees’ memory on existing information security policies, by conducting various surveys or by reminding employees where they can access such policies (for example, the online intranet);
- Check with employees whether they have a secure internet network and updated antivirus programs in place on their personal equipment, and provide the necessary support, if possible remotely;
- To the extent possible, ensure the use of Virtual Private Network (VPN) systems with encryption of traffic data;
- Instruct the employees to:
  - avoid using social platforms to communicate business-related matters, both with clients and with other colleagues;
  - avoid working, if possible, in shared spaces;
  - shut the door of the room used for work and lower their voice during phone calls or videoconferences when they are in a space where others might hear the conversation;
  - lock the equipment screen when leaving the desk/work area;
  - avoid taking and posting on social media selfies in/of the place set up for work, in order to prevent others from zooming in on such photos and seeing confidential business data;
  - keep all hard copy documents containing personal data or confidential information until returning to the office, where they may be disposed of in a safe way;
  - avoid keeping smart devices that use virtual assistants in the workplace.
- Reassess the access rights of employees to the business system and limit access that is not necessary while working from home;
- Adopt and implement a clear procedure to be followed in case of a security incident and of a personal data breach (if one does not already exist);
- Ensure technical support for all employees working from home;
- Check that the employees know the (new) rules and follow them.
It is likely that organizations have already put in place measures similar to the above, in their prior efforts to ensure security of personal data and information security at the workplace. This is why organizations should start by checking whether the technical and organizational measures already implemented are adequate and sufficient to ensure security even when working from home. Finally, organizations should not fail to document the actions taken to address the specific risks associated with their employees working from home, as this will be the first element checked by data protection authorities in case of an incident.
Considering the specific security risks that arise when employees work from home, and implementing measures that address those risks, is a long-term win: as work dynamics continue to evolve, it is likely that remote work will become regularly used even after COVID-19 is left behind, hopefully soon.