The COVID-19 pandemic has had a number of impacts on how businesses operate, including a rapid rise in the work from home (WFH) model, the use of video conferencing platforms and increased access to employees’ health-related data for monitoring purposes.
These changes have created new and growing risks for organizations’ cybersecurity and privacy teams, many of which are struggling to balance the needs of the business with their privacy and other legal obligations, including the obligation to protect the confidentiality and integrity of the data in their IT systems.
Privacy compliance sits with many General Counsel and in-house departments, and the individuals responsible for that portfolio have had to address many issues throughout the pandemic. Questions have been raised about the hasty rollout of cloud-hosted collaboration and video conferencing solutions, increased remote access to IT networks, and the use of personal devices and home WiFi networks. Employee health monitoring (e.g., tracking personal travel, symptoms, diagnosis, etc.), COVID-19 data sharing, new partnerships, and the procurement and creation of innovative technologies also form part of this list.
Meanwhile, news headlines are capturing how cybercriminals are exploiting this time of disruption. For many organizations, the number of phishing attempts and other cyberattacks has grown sharply.
To address these risks, many organizations need new and updated policies and procedures, education and training, impact assessments, risk management measures, and negotiated contracts. There is a lot of work to be done by cybersecurity and privacy teams, even though many of them have had their budgets and staff reduced. It is also an opportunity to bolster the maturity of an organization’s cybersecurity and privacy program.
Like many other organizations, the Vancouver Airport Authority’s cybersecurity and privacy team has been taking proactive steps to mitigate these potential risks. Below is some guidance that we hope can be easily implemented (even with limited resources) based upon our journey in the past few months.
Awareness: Leverage Other Departments
Cybersecurity and privacy are everyone’s responsibility, particularly when a large portion of the workforce is in WFH mode. It is critical to have working groups that involve the right departmental employees at the right level of management to weigh in on specific issues. It is not just a Legal or IT senior management exercise (although it is also important to continue ongoing discussions at this level for proper oversight, accountability and transparency). For instance, the help of HR, Procurement or Operations is often needed to implement practical solutions in a timely manner.
HR departments in particular can play an important role in raising awareness as the culture shifts to WFH arrangements. Emails or intranet postings with simple WFH tips on how to connect securely to the network, physically protect work-issued devices, dispose of paper copies of work materials, avoid the use of non-organization–issued tools and address increased phishing risk can go a long way towards protecting an organization.
Organizations may be able to reuse existing cybersecurity and privacy education modules and policies, as incident response plans and technology use guidelines remain relevant and useful. It may also be prudent to schedule tailored training with the managers of high-risk departments—for instance, those that handle personal information and sensitive business data—so that they are up to date on current practices and can pass along practical advice to their staff. Customized training will be particularly important for organizations that have cross-boarded new staff into high-risk departments because of layoffs.
Short-term Fixes: IT Configurations and Processes
Given the almost overnight shift to WFH, some organizations may have hastily procured video conferencing solutions and other innovative technologies without conducting full due diligence of vendors and their products and services. This type of due diligence would typically be performed through documented cybersecurity and privacy impact assessments.
It’s not too late to run through a streamlined version of these impact assessments now and consider ways to mitigate any risks identified. Organizations that haven’t developed impact assessments yet could draw up an informal set of questions for teams to ask in the interim. This is particularly important where personal information and sensitive business data are being shared through the new solution.
Cybersecurity and privacy working groups should consider the security features and configurations that are enabled and disabled for staff. Where the IT department does not have the ability to control features and settings, the gap might be remedied through rules and expectations that staff must follow. For example, does every staff member need the ability to turn on the recording functionality of a video conferencing solution? And can external apps be blocked from integrating with non-organization–issued tools? If not, how will the organization inform staff of its rules and expectations in this regard?
Also remember to check what encryption the solution provides (for data in transit and at rest, and whether the vendor’s claims about it are documented); what the account credential requirements are and whether multifactor authentication can be turned on; whether patches are up to date; how securely the solution is accessed from the network and from each type of device, including personal mobile phones; and, of course, whether network-related activity is being monitored and logged so that an incident can be investigated later.
Final Reminders
- If you don’t need it, don’t collect it. For example, when monitoring employee health, consider only what specific information is necessary for the purpose and whether it’s reasonable to collect it.
- When developing innovative technologies in-house, guide staff through privacy by design principles at the outset.
- Disclosure of personal information externally should only be done in accordance with the applicable privacy legislation.
- External partnerships and data sharing require negotiated contracts/data-sharing arrangements, as well as proper IT protocols.
Most importantly, remember that cybersecurity and privacy are not static issues with a one-time solution for any organization. They require ongoing efforts to keep pace with the changing landscape. Sometimes it’s the smallest tweak or instruction that ends up protecting the organization from future cyberthreats.
Argiro Kotsalis is Vice President, Legal & Chief Governance Officer, and Sepideh Alavi is Legal Counsel at the Vancouver Airport Authority.