This article was written by John Swinson and Johnathon Hall.
The rapid progression of COVID-19 has resulted in widespread changes to the working environment for the charity and not-for-profit sector worldwide as workplaces encourage employees to work-from-home.
While this shift brings about a number of challenges to the average workday, it is important that both employers and employees maintain awareness of cyber-security risks while adapting to and operating in the home workplace environment. Charities, not-for-profits and community legal centres (CLCs) must also manage these risks with the added complication of having volunteers work remotely.
This awareness is particularly important given the uncertainty surrounding the standard of care the management and private and confidential client information is held to in the collective work-from-home environment.
External threats in the digital space
In recent weeks COVID-19 has begun fostering an environment susceptible to criminal cyber-activity that targets workplaces moving to a working-from-home model.
The ACCC's ScamWatch has recently reported a substantial increase in the number of COVID-19 themed scams. This includes the targeting of personal and client confidential information through phishing e-mails designed to provide warnings or news from reputable organisations, including the World Health Organisation. The risk posed by the legitimate format and style of these emails is heightened by the common unfamiliarity with working outside of the office, which may cause employees and volunteers to lower their guard to external security threats.
Particularly, the shift towards digital communication to avoid physical proximity between employees and volunteers will encourage employees and volunteers to place a higher trust in emails and unexpected callers than previously done in the office environment.
In addition to creating a higher dependence on digital communication, an increase in remote working creates concern of:
- employees and volunteers using unsecure internet connections;
- incompatibility and security flaws in local software on home computers used to access workplace networks;
- self-help for IT issues, including in the use of new software adopted to facilitate working‑from‑home; and
- an increase in the number of individual IP addresses accessing company information.
These factors together create a challenging environment for IT teams or service providers to manage due to the number of unknown variables and can be difficult to address if proper policies are not put in place.
Policies for the secure home workplace environment
Organisations can successfully pre-empt and manage cyber-security issues by encouraging cyber-safe practices at both an individual and management level.
At a management level, workplaces should actively reinforce or investigate adoption of a clear working from home policy to guide consistency in the security practices used by employees and volunteers. This should include updating any confidentiality or general agreements with volunteers (see below). Examples of key working from home policies include:
- strong password construction and refresh policies, including the adoption of multi-factor authentication using separate work devices where appropriate;
- ensuring that any video conferencing platforms used for workplace discussions are secure and cannot be accessed by external parties without prior permission;
- awareness of those in the surrounding home environment and the confidential nature of any information being handled or discussed, as many professionals begin to share a common work environment;
- requirements to use work devices where possible to create more certainty in the software used by employees and volunteers and to facilitate workplace-wide software updates;
- use of a virtual private network (or VPN) connection to secure all workplace information on a single network; and
- encouraging employees and volunteers to communicate with clients on the phone to confirm instructions if any e‑mail content appears abnormal or is particularly critical (i.e. bank account details and instructions to transfer funds).
At an individual level, workplaces should be encouraging employees and volunteers to not only exercise an appropriate level of individual caution but to proactively alert IT teams or service providers to any unusual activity. This will facilitate a comprehensive approach to determining any compromising events and for determining the best external response required when communicating any security threats or breaches to clients.
Use of hard copy files and technology equipment
Confidentiality agreements with employees and volunteers may not contemplate (or may explicitly prohibit) the taking of hard copy files or technology equipment from the workplace. Organisations that are reliant on volunteers should actively reinforce or investigate adoption of a clear working policy to guide consistency in the security practices used by employees and volunteers. Amendments to existing policies and agreements could include:
- a specific provision allowing hard copy files and technology equipment to be taken home with consent of a manager or supervisor;
- an obligation on each employee and volunteer to enter any hard copy files or technology equipment taken from the office into a register so that items can be tracked by the organisation and returned as required; and
- ensuring that all hard copy files are either in the employee or volunteer’s possession or stored in a secure location.
Maintaining duty of care obligations
Organisations should remain aware of their duty of care obligations to customers despite the shift in work environment, and particularly their obligations surrounding customer privacy and maintaining confidentiality.
Given the unprecedented nature of the COVID-19 event, including the mass shift towards a working‑from‑home model, the level of care owed towards the security of customer data may shift toward a lower standard. On the other hand, obligations for maintaining security may be held to a higher standard than normal given the increase in risks to confidentiality arising from working outside the security offered by the office environment. Accordingly, workplaces should take the necessary precautions to ensure the security of customer information at a systems level and encourage employees and volunteers to remain aware of their surroundings.