Due to the corona crisis, most of us can no longer work in the usual way. This requires creativity in devising and implementing new ways of working. Among other things, to safeguard the privacy of customers, employees and others, it is important to pay attention to the security of (sensitive) information in these new ways of working. In this article, I discuss the concerns and risks of working from home in these extraordinary times. The tips in this article focus on what organizations can do.
The security of working from home also depends on the setup of the home office and home PC. As an employer, you can give your employee tips on how best to handle information at the home workplace. I wrote an article about those tips earlier.
Transferring company data to the home office will usually happen over a network connection to the company's systems. For the security of that connection, the home worker depends on the setup by the IT department. The following tips address that:
Ensure that systems can only be accessed after logging on to the corporate network. This access to the corporate network is usually called a VPN. When working through such a VPN, internal systems are not directly visible or accessible from the Internet. All software has vulnerabilities, and when the only access from outside is through the VPN, fewer of those vulnerabilities can be used by a hacker for initial access. Moreover, an intruder has an additional hurdle to overcome: first gain access to the corporate network, and only then can the systems be attacked.
Ensure that access to the corporate network is secured with two-factor authentication. That is, an additional factor is required in addition to a username and password. This could be, for example, a certificate on a company laptop, or a code that is read from a smartphone, as in online banking.
Monitor access to the corporate network 24/7 through logging on the firewall, so that unusual traffic that may indicate a hack is noticed and acted on.
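As an added example (not code from the original article), the script below shows what the "monitor access through logging" tip can look like in practice: it reads VPN gateway authentication log lines and raises the kinds of alerts a security team would want to review. The log format, the host name vpn-gw, the user names and the IP addresses are all constructed for this example and do not correspond to any real product; the thresholds (five failures within ten minutes, logins between 22:00 and 06:00 UTC counted as off-hours) are assumptions that an organization would tune to its own situation.

```python
"""Simple detection rules over constructed VPN gateway authentication logs.

Alerts raised (all rules and thresholds are assumptions for this example):
  brute_force               - many failed logins from one source address in a short window
  success_after_bruteforce  - a successful login from a source that was just brute-forcing
  no_mfa                    - a successful login without a second factor (policy violation)
  off_hours                 - a successful login at an unusual hour
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like format assumed for this example only).
SAMPLE_LOG = """\
2020-03-27T08:02:11Z vpn-gw auth user=alice src=203.0.113.10 result=SUCCESS mfa=yes
2020-03-27T08:05:40Z vpn-gw auth user=bob src=198.51.100.7 result=SUCCESS mfa=yes
2020-03-27T09:00:01Z vpn-gw auth user=admin src=192.0.2.99 result=FAILURE mfa=no
2020-03-27T09:00:09Z vpn-gw auth user=root src=192.0.2.99 result=FAILURE mfa=no
2020-03-27T09:00:17Z vpn-gw auth user=dave src=192.0.2.99 result=FAILURE mfa=no
2020-03-27T09:00:25Z vpn-gw auth user=dave src=192.0.2.99 result=FAILURE mfa=no
2020-03-27T09:00:33Z vpn-gw auth user=dave src=192.0.2.99 result=FAILURE mfa=no
2020-03-27T09:01:02Z vpn-gw auth user=dave src=192.0.2.99 result=SUCCESS mfa=yes
2020-03-27T23:41:50Z vpn-gw auth user=erin src=203.0.113.55 result=SUCCESS mfa=no
this line is not in the expected format and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>SUCCESS|FAILURE) mfa=(?P<mfa>yes|no)$"
)

FAIL_THRESHOLD = 5                 # failures from one source ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window count as brute force
OFF_HOURS_START, OFF_HOURS_END = 22, 6  # UTC; successful logins here are unusual


def parse(log_text):
    """Turn log lines into event dicts, sorted by timestamp; unknown lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def analyse(events):
    """Apply the detection rules and return a list of (rule, subject, detail) tuples."""
    alerts = []
    recent_failures = defaultdict(list)  # source address -> failure timestamps in window
    bruteforcing_sources = set()
    for e in events:
        src, ts = e["src"], e["ts"]
        # Keep only failures that are still inside the sliding window.
        recent_failures[src] = [t for t in recent_failures[src] if ts - t <= FAIL_WINDOW]
        if e["result"] == "FAILURE":
            recent_failures[src].append(ts)
            if len(recent_failures[src]) >= FAIL_THRESHOLD and src not in bruteforcing_sources:
                bruteforcing_sources.add(src)
                alerts.append(("brute_force", src,
                               f"{len(recent_failures[src])} failed logins within {FAIL_WINDOW}"))
            continue
        # From here on the event is a successful login.
        if e["mfa"] == "no":
            alerts.append(("no_mfa", e["user"], f"login from {src} without a second factor"))
        if src in bruteforcing_sources:
            alerts.append(("success_after_bruteforce", e["user"],
                           f"login from {src} after repeated failures from that address"))
        if ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END:
            alerts.append(("off_hours", e["user"], f"login at {ts.isoformat()} from {src}"))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in analyse(parse(SAMPLE_LOG)):
        print(f"[{rule}] {subject}: {detail}")
```

Run on the constructed sample, the script reports four alerts: the brute-force burst from 192.0.2.99, the subsequent successful login from that same address, and a login for erin that both lacks a second factor and falls in the night hours. In a real deployment the same logic would run continuously on the firewall or VPN logs and feed a ticket or pager, rather than printing to a terminal.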
Not all IT services are offered through the internal company network anymore. Many organizations use the Internet to access corporate applications in the cloud. Other organizations have their normal applications on the corporate network, but these are unavailable or only partly usable by home workers, for example because the capacity of the network access is insufficient. For these organizations, services in the cloud can offer a solution. More and more IT services and software are available in the cloud, both regular office automation and business applications. Another reason to start using cloud applications is the need for video conferencing, even in organizations in which this method of communication was rarely or never used until recently.
For an organization that already has a contract with a cloud service provider, the most important tip is to make the already mentioned two-factor authentication mandatory. This makes it much harder for hackers to get in.
For organizations looking to use cloud services on short notice because of the current crisis situation, we have the following tips:
Don't leave the choice of cloud applications to individual employees, but consciously select which providers you want to partner with for each functionality. Free providers may do anything they like with the data. As an employer, you are responsible for this, also with regard to privacy laws.
Processing data within the EU is preferable. Not only the legislation, but also the customs surrounding personal data are different in many countries outside the EU. Moreover, data subjects must be informed when their data are processed outside the EU.(1)
An ISO27001 certification or SOC2 statement provides a quick test of a verified information security foundation.
Because personal data are often processed, directly or indirectly, by the provider, a processor agreement will often be required. (Images of participants in a video conference are also personal data.)
When the use of non-contracted services really cannot be avoided, consider using pseudonyms (Client A, Client B), especially if sensitive personal data is involved.
Look carefully at the cloud service's security settings to prevent data leaks. Some services share data with everyone on the Internet by default. That will rarely be the intention.
With office automation in the cloud, documents can be shared, often without the recipient having to log in. This is convenient, but it means that not only the intended recipient but also a few billion other Internet users have access. Quite often, such documents also quickly show up in search engines.
Ask employees to report their use of (free) cloud services, so that the service can be formally contracted or the employee can be pointed to safer alternatives.
Again, two-factor authentication is a must for most applications for proper data security.
For cybercriminals and other hackers, every crisis is an opportunity. With the threat of the corona virus in the background, recipients of emails from hackers, so-called phishing emails, are a little more likely to click on the link or attachment containing malicious software. These phishing emails quite often concern new treatment methods, testing opportunities outside official channels, or how to protect yourself and your loved ones from infection.
Even hospitals that are already in crisis due to the influx of corona patients are not safe from cybercriminals.(2) That is why it is imperative that employees' PCs, including those at home, are equipped with up-to-date virus/malware scanners. It is also especially important that employees are aware of how malicious people are taking advantage of the situation and are extra careful when clicking on links and opening attachments, especially from senders they do not know. The tip here is to make all employees aware of this.
The above tips are intended as first aid. Good information security requires a consistent policy and its implementation. That takes a little more time, but it will prepare you for the next challenge. In this article, I mentioned a broad palette of concerns. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and the NCSC have also published advice on working from home.(3)(4) The VNG has published advice on video conferencing.(5)
(1) See also: https://www.privacy-web.nl/artikelen/data-naar-het-buitenland-wanneer-mag-dat
(2) Reported by NOS correspondent Rop Zoutberg, https://twitter.com/RopZoutberg/status/1242728474449776640, and in de Volkskrant of 27 March, page 4: https://www.volkskrant.nl/nieuws-achtergrond/tientallen-bedrijven-bieden-gratis-hulp-voor-ziekenhuizen-in-strijd-tegen-hackers~b2026f8d/
(3) https://www.privacy-web.nl/nieuws/veilig-thuiswerken-tijdens-de-coronacrisis
(4) https://www.privacy-web.nl/nieuws/voorzorgsmaatregelen-thuiswerken
(5) https://www.privacy-web.nl/publicaties/vragen-over-videoconferencingtools