With many firms invoking business continuity plans and staff working from home or alternative locations, working processes and practices are being turned on their head, resulting in different ways of consuming, processing and handling data.
In this new remote working environment, employees are looking to business leaders to set the standards of how to manage data protection and information security appropriately and define what is acceptable under company policy.
Data protection and information security have been high up the agenda for the finance industry for some time and there is, across the industry, generally a good level of understanding of what best practice looks like and where the principal challenges lie. Reflecting that, last year, Jersey Finance ran a campaign focussed on cyber security awareness, which highlighted that good people can sometimes create a security risk by doing the wrong thing, albeit for the right reason.
David Cartwright, Deputy Chairman of the Channel Islands Information Security Forum (CIISF), suggests that the key to remote working is not to be panicked into dropping best practice:
“It’s tempting to use work-arounds, such as saving data to USB sticks or, even worse, sending company materials to your personal email address so you can access them on your home computer. Don’t be tempted to do it – if there’s any personal data on there at all, you’re likely to be committing a blatant breach of data protection legislation.”
As expected, a sudden spike in remote working carries with it immediate and obvious security risks. In its latest statistics, the UK Information Commissioner’s Office found that 13% of data breaches in Q3 2019 related to the loss or theft of devices containing personal data, or the loss or theft of paperwork or data left in insecure locations. In a mass remote working situation, it stands to reason that this figure would increase, and firms have to give even more consideration to the risks resulting from a significant rise in the volume of data being accessed and transferred from company premises.
At the same time, the risk of cyber-attacks is rising too. Businesses are working through their immediate crisis management plans, which in some cases means that previous IT investment has been put on hold or diverted in order to address the immediate operational priorities associated with ensuring secure mass remote working.
This may reveal weaknesses in systems and processes that cyber criminals will look to exploit. Commenting on this issue, Arthur Mainja, Chair of the CIISF, points to the need for Jersey companies to be vigilant about the increase in cybersecurity threats, such as those that target remote access arrangements:
“Criminals will not slow down their efforts to access valuable data during the outbreak and will exploit the state of confusion arising from these circumstances to execute their malicious plans.”
It’s something pointed to in a recent PwC white paper too (‘Managing the impact of COVID-19 on cyber security’, March 2020).
With the potential for human error higher than ever and with cyber criminals looking for an opportunity to make the most of cyber weaknesses, strong leadership is vital.
To mitigate the risk of employees turning to their own shadow IT solutions outside of the company network to try and get their work done, it is important that leaders make employees aware of their company’s preferred alternative working solutions, such as secure collaboration tools, and ensure they have adequate training to allow them to continue with their day to day roles.
Equally, with employees potentially accessing and transmitting personal information from home, leaders need to be absolutely clear on their firm’s data flows and footprints – and despite remote working arrangements, continue to observe watertight processes for understanding where data has originated from, where it is going, who is accessing it and how it is being processed and controlled. If they cannot ensure that, despite current circumstances, and personal information is inappropriately exposed, it could lead to liabilities for the firm as well as the potential for identity theft.
For instance, while messaging platforms such as WhatsApp have greatly enhanced information cascades to staff over multiple locations, such methods still carry risk – employees should be aware that data shared between users will still exist on personal devices and organisations should provide guidance on what is and what is not acceptable for sharing.
Firms might also consider blacklisting certain undesirable websites or applications, while the CIISF also recommends:
- requiring employee personal devices used for work to be equipped with employer-provided security software;
- putting controls such as multifactor authentication in place prior to permitting access to any remote systems;
- limiting remote access through an encrypted VPN;
- prohibiting access via public WiFi or working from public locations, where third parties can view screens or printed documents; and
- requiring the use of secure, password-protected home WiFi or hotspots.
Under remote working arrangements, it’s also sensible to have a ‘Plan B’, as increased user volumes have seen some solutions crash under demand. And it’s important to remember that not all solutions have privacy set as default, and it is therefore vital that users understand the configuration of new solutions in order to protect their data.
To support businesses in mitigating cyber security risks throughout this period of increased home and remote working, the Government of Jersey recently published five tips to stay safe when working from home, which also refer to guidance from the National Cyber Security Centre.
Looking forward, it’s possible that necessity born out of the current situation may prove to be the mother of progress.
There is clear evidence to support the idea that remote working can deliver in a number of areas including employee wellbeing – the Owl Labs State of Remote Work 2019 study, for instance, found that remote workers are 29% happier in their jobs than on-site workers.
If firms can embrace that and draw on their experience of the current situation by focusing on their IT platforms and processes to ensure watertight remote information and data security, then the changes brought about by the current situation, for people, systems, processes and collaboration, may well bolster resilience and have a longer-term beneficial operational impact for businesses.
From a jurisdictional point of view, being able to demonstrate good, robust approaches to information security in these difficult times can send out a really strong message to our international stakeholders that we are a serious, sophisticated and highly professional IFC – and will set Jersey up so it is ahead of the curve to not only mitigate future challenges, but make the most of a world where information security and remote working need not be such strange bedfellows.