This article was written by John Swinson and Johnathon Hall.
The rapid progression of COVID-19 has resulted in widespread changes to the working environment for both the public and private sectors worldwide as workplaces encourage employees to work from home.
While this shift brings about a number of challenges to the average workday, it is important that both employers and employees maintain awareness of cyber-security risks while adapting to and operating in the home workplace environment.
This awareness is particularly important given the uncertainty surrounding the standard of care to which the management of private and confidential client information is held in the collective work-from-home environment.
External threats in the digital space
In recent weeks COVID-19 has begun fostering an environment susceptible to criminal cyber-activity that targets workplaces moving to a working-from-home model.
The ACCC's ScamWatch has recently reported a substantial increase in the number of COVID-19 themed scams. These include phishing emails that target personal and client confidential information and are designed to appear as warnings or news from reputable organisations, including the World Health Organisation. The risk posed by the legitimate-looking format and style of these emails is heightened by the common unfamiliarity with working outside of the office, which may cause employees to lower their guard to external security threats.
In particular, the shift towards digital communication to avoid physical proximity between employees will encourage employees to place greater trust in emails and unexpected callers than they previously did in the office environment.
In addition to creating a higher dependence on digital communication, an increase in remote working raises concerns about:
- employees using unsecured internet connections;
- incompatibility and security flaws in local software on home computers used to access workplace networks;
- self-help for IT issues, including in the use of new software adopted to facilitate working‑from‑home; and
- an increase in the number of individual IP addresses accessing company information.
These factors together create a challenging environment for IT teams or service providers to manage due to the number of unknown variables and can be difficult to address if proper policies are not put in place.
Policies for the secure home workplace environment
Businesses can successfully pre-empt and manage cyber-security issues by encouraging cyber-safe practices at both an individual and management level.
At a management level, workplaces should actively reinforce or investigate adoption of a clear working from home policy to guide consistency in the security practices used by employees. Examples of key working from home policies include:
- strong password construction and refresh policies, including the adoption of multi-factor authentication using separate work devices where appropriate;
- ensuring that any video conferencing platforms used for workplace discussions are secure and cannot be accessed by external parties without prior permission;
- awareness of those in the surrounding home environment and the confidential nature of any information being handled or discussed, as many professionals begin to share a common work environment;
- requirements to use work devices where possible to create more certainty in the software used by employees and to facilitate workplace-wide software updates;
- use of a virtual private network (or VPN) connection to secure all workplace information on a single network; and
- encouraging employees to communicate with clients on the phone to confirm instructions if any e‑mail content appears abnormal or is particularly critical (i.e. bank account details and instructions to transfer funds).
At an individual level, workplaces should encourage employees not only to exercise an appropriate level of individual caution but also to proactively alert IT teams or service providers to any unusual activity. This will facilitate a comprehensive approach to identifying any compromising events and to determining the best external response required when communicating any security threats or breaches to clients.
Maintaining duty of care obligations
Businesses should remain aware of their duty of care obligations to customers despite the shift in work environment, and particularly their obligations surrounding customer privacy and maintaining confidentiality.
Given the unprecedented nature of the COVID-19 event, including the mass shift towards a working‑from‑home model, the level of care owed towards the security of customer data may shift toward a lower standard. On the other hand, obligations for maintaining security may be held to a higher standard than normal given the increase in risks to confidentiality arising from working outside the security offered by the office environment. Accordingly, workplaces should take the necessary precautions to ensure the security of customer information at a systems level and encourage employees to remain aware of their surroundings.