Privacy and working from home - five steps your organisation should be taking to minimise risk
It is notable that so many businesses have been able to move relatively seamlessly to a remote working model in the wake of COVID-19. However, this rapid and unexpected shift presents some obvious cybersecurity and privacy risks, particularly where organisations are new to remote working. As Australia settles into an extended period of partial lockdown and social distancing, it is important that organisations ensure adequate remote working protocols are maintained and that staff are educated on potential risks.
What steps should my organisation be taking?
- First, it is critical to get the technology right. At a minimum, this should include providing a virtual private network (VPN) or other secure link for email communications, employing two-factor authentication for access to work accounts, and ensuring employee devices have the latest operating systems installed, as well as security software to protect against viruses and malware.
- However, online security is as much about behaviour and processes as it is about technology. Organisations should have policies in place which require employees to adhere to appropriate security behaviours, such as maintaining good password hygiene (strong passwords, regularly changed), physically securing devices and access codes, and avoiding public wi-fi networks.
- The large-scale move to remote working has attracted cybercriminals looking to cash in on the trend. There is already evidence of coronavirus-related phishing scams and work-from-home scams targeting remote workers in a bid to steal their personal information or gain access to company accounts. For organisations, this is often their greatest vulnerability. Employees need to be reminded regularly of the risks of phishing attacks and what to look for before opening an email or clicking on a hyperlink.
- Physical security is also an issue. With so many people working remotely, large amounts of confidential (including personal) information are inevitably brought into insecure shared spaces. For instance, sensitive documents may be left unsecured within a share house, and conversations and written communications may be overheard or accessed by third parties in public areas. To mitigate this risk, organisations should set clear expectations around the handling, storage and disposal of sensitive information, including guidance on establishing 'private' workspaces within the home.
- Many organisations now have specific cyber risk insurance cover, given the potential for significant financial damage if commercially sensitive or customer data are disclosed. It will be important to ensure that the existing policy is sufficient to cover the increased risk arising from remote working.
Our team is actively monitoring and considering the implications of legal and regulatory developments in response to the COVID-19 pandemic.