02 April 2020

COVID-19 NFP Guidance – Digitally safe while socially distant – the importance of cyber-security awareness in the COVID-19 climate

This article was written by John Swinson and Johnathon Hall.

The rapid progression of COVID-19 has resulted in widespread changes to the working environment for the charity and not-for-profit sector worldwide as workplaces encourage employees to work-from-home.

While this shift brings about a number of challenges to the average workday, it is important that both employers and employees maintain awareness of cyber-security risks while adapting to and operating in the home workplace environment.  Charities, not-for-profits and community legal centres (CLCs) must also manage these risks with the added complication of having volunteers work remotely.

This awareness is particularly important given the uncertainty surrounding the standard of care the management and private and confidential client information is held to in the collective work-from-home environment.

External threats in the digital space

In recent weeks COVID-19 has begun fostering an environment susceptible to criminal cyber-activity that targets workplaces moving to a working-from-home model.

The ACCC's ScamWatch has recently reported a substantial increase in the number of COVID-19 themed scams. This includes the targeting of personal and client confidential information through phishing e-mails designed to provide warnings or news from reputable organisations, including the World Health Organisation. The risk posed by the legitimate format and style of these emails is heightened by the common unfamiliarity with working outside of the office, which may cause employees and volunteers to lower their guard to external security threats.

Particularly, the shift towards digital communication to avoid physical proximity between employees and volunteers will encourage employees and volunteers to place a higher trust in emails and unexpected callers than previously done in the office environment.

In addition to creating a higher dependence on digital communication, an increase in remote working creates concern of:

  • employees and volunteers using unsecure internet connections;
  • incompatibility and security flaws in local software on home computers used to access workplace networks;
  • self-help for IT issues, including in the use of new software adopted to facilitate working‑from‑home; and
  • an increase in the number of individual IP addresses accessing company information.

These factors together create a challenging environment for IT teams or service providers to manage due to the number of unknown variables and can be difficult to address if proper policies are not put in place.

Policies for the secure home workplace environment

Organisations can successfully pre-empt and manage cyber-security issues by encouraging cyber-safe practices at both an individual and management level.

At a management level, workplaces should actively reinforce or investigate adoption of a clear working from home policy to guide consistency in the security practices used by employees and volunteers. This should include updating any confidentiality or general agreements with volunteers (see below).  Examples of key working from home policies include:

  • strong password construction and refresh policies, including the adoption of multi-factor authentication using separate work devices where appropriate;
  • ensuring that any video conferencing platforms used for workplace discussions are secure and cannot be accessed by external parties without prior permission;
  • awareness of those in the surrounding home environment and the confidential nature of any information being handled or discussed, as many professionals begin to share a common work environment;
  • requirements to use work devices where possible to create more certainty in the software used by employees and volunteers and to facilitate workplace-wide software updates;
  • use of a virtual private network (or VPN) connection to secure all workplace information on a single network; and
  • encouraging employees and volunteers to communicate with clients on the phone to confirm instructions if any e‑mail content appears abnormal or is particularly critical (i.e. bank account details and instructions to transfer funds).

At an individual level, workplaces should be encouraging employees and volunteers to not only exercise an appropriate level of individual caution but to proactively alert IT teams or service providers to any unusual activity. This will facilitate a comprehensive approach to determining any compromising events and for determining the best external response required when communicating any security threats or breaches to clients.

Use of hard copy files and technology equipment

Confidentiality agreements with employees and volunteers may not contemplate (or may explicitly prohibit) the taking of hard copy files or technology equipment from the workplace. Organisations that are reliant on volunteers should actively reinforce or investigate adoption of a clear working policy to guide consistency in the security practices used by employees and volunteers. Amendments to existing policies and agreements could include: 

  • a specific provision allowing hard copy files and technology equipment to be taken home with consent of a manager or supervisor;
  • an obligation on each employee and volunteer to enter any hard copy files or technology equipment taken from the office into a register so that items can be tracked by the organisation and returned as required; and
  • ensuring that all hard copy files are either in the employee or volunteer’s possession or stored in a secure location.

Maintaining duty of care obligations

Organisations should remain aware of their duty of care obligations to customers despite the shift in work environment, and particularly their obligations surrounding customer privacy and maintaining confidentiality.

Given the unprecedented nature of the COVID-19 event, including the mass shift towards a working‑from‑home model, the level of care owed towards the security of customer data may shift toward a lower standard. On the other hand, obligations for maintaining security may be held to a higher standard than normal given the increase in risks to confidentiality arising from working outside the security offered by the office environment. Accordingly, workplaces should take the necessary precautions to ensure the security of customer information at a systems level and encourage employees and volunteers to remain aware of their surroundings.

 

Data Central

Have you checked out our new Data Hub? Data Central contains a range of resources to help our clients minimise the legal, regulatory and commercial risks this data-driven environment presents and ensure that its full value is being realised.

COVID-19: Implications for Business

The spread of Coronavirus (COVID-19) has forced us to think and act differently. Beyond the human response, now is the time to think about what the consequences may be on your business, and how best you can prepare for those.

Share on LinkedIn Share on Facebook Share on Twitter
    You might also be interested in

    As part of our Blog series 'The Big Conversation Series', we spoke with Peter Walton (CEO of CARE Australia) & Diana Nicholson (KWM Partner + Board Director of CARE) to ask 'What are the...

    29 October 2020

    Q. What area at KWM do work in and what is your specialisation? A. Business Services – Business Services Leader Canberra Q. How long have you been with the firm for? A. 7.5 years Q. Why are you...

    29 October 2020

    Q. What area at KWM do work in and what is your specialisation? A. I work in the Perth Dispute Resolution team and I specialise in general commercial litigation Q. How long have you been with the...

    29 October 2020

    COVID-19 has caused economic hardship for companies around the globe and has required many to act quickly in order to ensure supply of in-demand goods or services.

    28 October 2020

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.