Data more vulnerable as working patterns change

As huge swathes of the UK workforce adjust to home working to help minimise the spread of COVID-19, businesses are experiencing more cyber-attacks as criminals look to capitalise on new vulnerabilities.

Data breaches can affect any organisation at any time. No business should ever be complacent, but because of the rapid shift in working patterns in response to COVID-19, we’ve seen a significant rise in cybercrime, particularly phishing attempts. Organisations now face additional challenges in managing confidential and personal data during what is already a difficult time.

The data risks associated with homeworking are not new

All forms of remote working require confidential or proprietary information leaving the relative safety and comfort of the office, for a less controlled, and in some cases chaotic, environment.

What is different now is the speed so many organisations and workers have been thrust into a homeworking environment. Criminals are now capitalising on the fast changing and new working practices businesses now find themselves in. Using scams and malware to exploit public anxiety, increased desire for information and gaps in security.

Issues to be aware of

• Increased phishing attacks. The lack of face to face contact can increase the risk of spoofing, and where calls are diverted outside the corporate network it can be more difficult to identify who is calling. Where personal data is to be shared over the phone, it becomes more important to be able to establish the identity of the caller.
• Distracted workers. Where staff are distracted; whether due to childcare responsibilities -especially now the schools have closed, working alongside spouses/partners in cramped conditions, or concerns over health of family and friends, it is easy for errors to be made, emails to be sent to the wrong person, data entries to become inaccurate.
• Corporate network boundaries can become blurred. Workers who use their own computers and mobile phones to access applications and continue day to day business, this equipment may not be encrypted, or carry up to date anti-virus protection.
• Security updates delayed. Due to a change in working patterns and variable connectivity, security updates for corporate machines can be negatively impacted.
• Disposing confidential information. It is almost inevitable that some hard copies of confidential information will be kept within the home environment. Without secure shredding previously available in offices, particular care needs to be taken over the way in which confidential information is disposed of.

What you can do

Firms need to look at three key areas

1. Support colleague during this difficult time
2. Reduce the risk of cyber-attacks
3. Data protection

To protect your business from this increased threat, it is important to undertake basic cyber hygiene. The National Cyber Security Centre, or NCSC, provide an excellent 10 step guide to cyber security.

Review your business policies and procedures such as data protection and IT security policies, along with the technology to support them. It’s an organisations responsibility to put these in place across all working environments, including home working.

Identify any additional risks there are and develop appropriate steps to overcome these.

Implement multi-factor authentication. This can help workers identify themselves when using online systems or transferring confidential information.

Communicate regularly with your staff. Develop a regular communication channel, be it email, video or conference calls, so you can alert staff about risks the business faces, upskill their knowledge and know what to look out for and present solutions. Additionally, you can use this channel to hear what challenges your staff experience day to day. An added benefit is to help make those team members feel more engaged who are not used to remote working, especially whilst anxiety is high.

Develop a flexible working culture. Some workers now find themselves in a potentially difficult working environment, with many distracting influences. Opening up dialogue on a more flexible working day could help them focus more, potentially being able to spot suspicious emails better.

The powers that be…

The Information Commissioner has acknowledged the unprecedented situation many organisations now find themselves in.  Whilst the statutory requirements cannot be relaxed, the ICO will not penalise organisations that have re-prioritised staff away from core data protection activities.

Additional communication with data subjects would help manage expectations where individuals look to enforce their rights, or are concerned about decisions being made on out of date information.  It is likely that an increasing number of data breaches will occur – whether relating to missing or inaccurate data; errors in sending emails; increased malicious threats to the network. Breaches will still need to be recorded and analysed – some though may not necessarily be sufficiently serious to be reported to the ICO.

Nonetheless, steps will need to be taken to prevent recurrence, whether through changes in business processes to accommodate home working, deployment of technology or simply additional training or guidance to staff in these difficult time.

If you have any questions or need support, our data protection and technology experts can help you navigate these challenges.