Data Privacy and risks of the Remote Work Environment
Digital Transformation in every field of our lives has led to the increased collection of our personal data on every device we touch from laptops to mobile phones, to tablets, leaving a digital trail. This data is then used for various purposes such as targeted advertising, research proposes or even corporate espionage. But boundaries need to be set to avoid corporate or other malicious parties taking advantage of this information or even corrupting it.
For this purpose, the Doctrine of information privacy was coined in the late twentieth century. These laws are set to protect citizens’ privacy and they govern which data is being shared and where it is stored or collected and imposes restrictions accordingly. All companies are supposed to follow these laws and state their policies to the user. However, many companies impose confusing navigation setups and difficult language to display their policies which can be regarded as a misinterpretation of their services.
What About GDPR?
The “General Data Protection Regulation” applies to companies or businesses that receive personal information. This law was introduced after it became known that Facebook had been tracking information of its users even when they are logged out; not only that but also of other internet users that do not have an account on Facebook at all. This raised concerns regarding privacy protection and the European Union introduced a new law called GDPR which introduced new policies combating Facebook’s collection of data. Thus, any website going against these laws will be given a penalty. Some of the new policies included are:
- Websites must provide their users with more control over their data. If a website wants to sell/trade your information to third parties, they have to get the user’s permission.
- All the information that a website has extracted from the user should be visible to the user when required.
- If the user wants to delete their data than the website has to comply without objections.
- If there is a cyber intrusion or data breach on a website/platform that can harm the users, the owners of the platform must notify all users about the breaches within 72 hours.
Unfortunately, for many, GDPR is considered a failure. Among many consumers, GDPR is best known as an annoying series of pop-up privacy notices. In parallel, the astronomical penalties have failed to materialize. In fact, GDPR has created new bureaucracies within many corporations, and with those, tension and confusion. And it’s unclear if the EU data authority which oversees the law is adequately equipped to handle its demands. As Politico has pointed out, it appears that not only has the GDPR made the big tech companies more dominant, it’s now laid out the rules of the road by which they can introduce even more privacy-destroying offerings. For example, New forms of data collection, including Facebook’s reintroduction of its facial recognition technology in Europe and Google’s efforts to harvest information on third-party websites, have been given new leases on life under Europe’s GDPR.
According to 2019 report by Ogury LTD - A staggering eight percent of consumers globally feel they have a better understanding of how companies use their data since GDPR's introduction.
Increased Cyber Attacks due to Pandemic:
Due to COVID-19, the work environment has changed in a very short period of time with many companies having shifted to remote work policies during the pandemic while also attempting to stay as productive as possible. This rapid culture shift has created many potential security threats due to the fact that for the first time, employees are working in an environment that’s largely unsupervised and unprotected.
Working remotely means that there are a greater number of attack surfaces to be taken advantage of as employees are often forced to work on their own devices. This means introducing new operating systems and interfaces that require their own dedicated support. These devices, more often than not, are operating without any virus protection, without firewalls, without anything protecting logins, and without many other standard protection software. Some ways criminals have exploited these new remote workers are:
- As the pandemic has progressed, more and more individuals have gone online to search for information regarding the pandemic. Hackers, posing as the WHO (World Health Organization) or the CDC (Center for Disease Control) have made many attempts to take advatage of employee panic to foist phishing attacks on them when clicking on links and emails that promise information regarding the Corona Virus.
- As people have shifted to zoom or google meet type platforms to allow remote communication, there has also been a wave of fake conference invites that are malicious. In parallel, many companies have experienced virtual meeting “hijacking”.
- Ransomware has increased during this pandemic as perpetrators have gained access to and "locked down" individuals or companies preventing access to data. Thus, for example, hackers developed an app called “COVIDTracker” that supposedly provides real-time coronavirus updates but instead, the user unknowingly provides it administrative access which installs COVIDlock ransomware on their device.
Such cyber-attacks can cause reputation damage but also real immediate monetary damage to businesses who's data has been corrupted or locked. As such, companies must focus on the complete supply chain and the cyber-security position of vendors in their particular data-chain. They need to make sure that the individuals they are subcontracting certain services to hold the highest of security standards during the pandemic and protect themselves from online threats.Supporting a secure remote work-place:
Organizations need to redefine their security standards and remote access policies in order to keep company data secure. Additionally, they must train and educate their employees about the new threats, how to combat them, and when they should contact the IT department. Here are some examples of some prudent policies that should be put in place:
- Companies should make sure that all employees are accessing company resources through a secure VPN. VPN’s provide a safe way to transport company data while minimizing the risk of cyber intrusion.
- To prevent unauthorized users from accessing the company, employees should have multi-factor authentication set up on their accounts and other portals. For example, for every remote access, a password could be sent and be valid for a particular time.
- Companies should not create public zoom meetings and should make sure to require a password for entry. Additionally, meeting links should not be shared on public platforms as hackers can gain access and virtually “hijack” company meetings.
- Companies should make sure that each end-user has the most updated version of software and meeting applications as many providers are constantly updating their security setups.
- Companies should create dedicated guides and rules regarding which brands of software are to be used in any given professional situation.
Covid-19 will hopefully eventually end, but remote working is here to stay. As such, it's critical that organizations establish secure and well-thought-out remote working infrastructures just as they would for their physical locations.