More than 12 months after the onset of the Covid-19 pandemic forced professionals across all industries into widespread adoption of remote working, many companies are still exposed to unnecessary security risks.
Early on, our team wrote about the initial risks in Business Security in Times of Furloughs and Home Working, and discussed the problems arising as employees made a mass exodus from workplaces to home offices. Given the extreme circumstances and personal and professional stress of the past year, it is understandable that many of these risks continue to persist. The longer they go ignored, the more dangerous they become. They cannot go overlooked any longer.
Sensitive data and IP are more exposed than ever before. Surveys have reported more than half of employees believe they can get away with riskier behavior when working from home, and roughly half cited “not being watched by IT,” “being distracted” and/or productivity as reasons for not following safe data practices (Tessian – The State of Data Loss Prevention 2020 Report). FTI Consulting’s recent Resilience Barometer survey found that 22 percent of respondents listed cyber-attacks and threats as one of many negative impacts experienced since the beginning of the pandemic, with external threats and securing new technologies listed as the top areas of concern. Nearly one-third said they had experienced the loss of customer or patient data over the last 12 months. A separate study by McCann Fitzgerald and Mazars found that while 80 percent of companies believe that large-scale remote working has created data protection risks, only 55 percent have moved to mitigate this increased exposure.
We understand that having a distributed workforce logging on from dozens, hundreds or thousands of disparate homes is riskier than limiting employees to working from one (or a smaller number) of company-controlled premises. The logistics of enterprise security are easier to manage when a business controls the physical work environment. With the emergence of widespread remote working, that control has dissipated, and many organizations have failed to address the dangers.
It is the remit of every organization to ensure that their employees conduct their work in an environment that reduces the risk of security and privacy breaches. To ensure effective safeguarding of company data, organizations must develop a robust, full-featured security plan implemented at all levels. Key areas of focus include:
- Liaising with suppliers, contractors and vendors to ensure that their systems are secure and proper data protection practices are in place. In a rush to enable remote work, many organizations glossed over their due diligence of providers, inviting potential regulatory enforcement relating to data storage and protection. An organization with even the most stringent internal standards could become exposed by proxy if a third-party associate is lax with its standards. In fact, 27 percent of respondents in the FTI Resilience Barometer listed third-party suppliers as a key security risk during Covid-19. Businesses must appraise the standards of all connected entities to achieve a holistic picture of their risk landscape.
- Monitoring access to internal systems. Consider restricting and reviewing access during irregular hours or from locations where the organization has no operations. Likewise, instruct personnel to use Internet connections that are appropriately secure, no matter where they are working.
- Regular review of all internal databases, servers and digital storage systems to ensure ongoing security and continued function. Slight changes to one part of a broader system can have a complex impact on other parts. By committing to evaluating and testing internal systems on a rolling basis, businesses will be able to mitigate the chance of unexpected issues emerging.
- Conduct regular audits of all outstanding electronic devices issued to organization personnel and implement a remote device management system. The ability to quickly reference a complete list of all work devices currently in circulation (with a record of their specifications, ownership and status) is a valuable asset for any organization looking to limit exposure.
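As an added illustration of the access-review point above (this is example code written for this page, not FTI's tooling or any product), the script below parses constructed sign-in log lines and flags successful logins that fall on a weekend, outside business hours, or from a country where the organization has no operations. The operating countries, business-hours window, log format and user names are all hypothetical assumptions chosen for the example.

```python
"""Access review over constructed authentication log lines.

Flags successful sign-ins that happen outside business hours or that
originate from countries where the organization has no operations.
Every value here (policy thresholds, country codes, log lines) is a
hypothetical assumption made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical policy: where the organization operates and when staff
# normally sign in (24-hour clock, local time of the recorded event).
OPERATING_COUNTRIES = {"IE", "GB", "ES", "FR", "DE"}
BUSINESS_START = time(7, 0)
BUSINESS_END = time(20, 0)
WEEKEND_DAYS = {5, 6}  # Saturday, Sunday (datetime.weekday numbering)

# Constructed sample log lines: "<timestamp> <user> <country> <result>".
SAMPLE_LOG = """\
2021-03-15T09:12:44 alice IE success
2021-03-15T23:47:10 bob IE success
2021-03-16T10:05:02 carol BR success
2021-03-20T11:30:00 dave GB success
2021-03-16T14:10:09 erin ES failure
"""


@dataclass
class AccessEvent:
    timestamp: datetime
    user: str
    country: str
    result: str


def parse_log(text):
    """Parse the constructed log format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, country, result))
    return events


def review_event(ev):
    """Return the policy findings for one event (empty list = nothing to review).

    Failed attempts are ignored here; they belong to a separate
    failed-login rule that this example does not cover.
    """
    findings = []
    if ev.result != "success":
        return findings
    t = ev.timestamp.time()
    if ev.timestamp.weekday() in WEEKEND_DAYS:
        findings.append("weekend")
    elif not (BUSINESS_START <= t < BUSINESS_END):
        findings.append("off-hours")
    if ev.country not in OPERATING_COUNTRIES:
        findings.append(f"no-operations-country:{ev.country}")
    return findings


def review_log(text):
    """Map each user to the findings raised by their sign-ins."""
    report = {}
    for ev in parse_log(text):
        findings = review_event(ev)
        if findings:
            report.setdefault(ev.user, []).extend(findings)
    return report


if __name__ == "__main__":
    for user, findings in review_log(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(findings)}")
```

Run as-is it reports bob (off-hours), carol (sign-in from a country with no operations) and dave (weekend), and skips alice and the failed attempt by erin. In practice the timestamps should be normalized to one time zone before applying the hours window, and a flagged event is a prompt for review rather than proof of misuse.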
This list is not exhaustive but represents a snapshot of the security issues and considerations businesses must begin to address. Such plans are best designed in conjunction with experienced cybersecurity and information governance experts, who can analyze the organization’s challenges in the context of its unique legal, regulatory and security risks and build solutions to fit its needs.
It’s important also to remember that most breaches of sensitive information and regulatory violations will lead to an investigation, enforcement action and/or litigation. In addition to taking the above steps to improve security, organizations can also prepare for the potential data-related legal or regulatory matters that may arise if a breach does occur. This includes preserving evidence and standardizing legal hold processes, ensuring remote investigation methodologies are documented and defensible, retaining trusted incident response partners and understanding and meeting notification obligations.
The penalties for data protection breaches are significant (the largest issued to date was a €50,000,000 fine for a GDPR violation) and likely to become more frequent and severe. Developments across Europe add fuel to the fire and demonstrate the need for organizations to prepare for ongoing remote work issues. These include:
- In France, cross-border posting of workers and worker expenses have been subject to new legislation since July 2020. Negotiations concluded in November have determined that employers will be obligated to bear all business expenses associated with remote work moving forward.
- Pending legislation in Germany may see employees granted the statutory right to “non-availability” outside of standard working hours.
- In Spain, specific laws governing employees who provide remote service regularly (30+ percent of the time during a three-month reference period) came into effect at the end of 2020.
- As a result of Schrems II, law firms and corporations have become acutely aware of the implications and legality of cross-border data transfers, especially when data is moving outside of Europe. Brexit is adding to the complications, as organizations in Europe must now also take the legality of their data transfers to the U.K. into account. This is particularly important for remote teams spread across numerous jurisdictions.
Hopefully, the pandemic and related crises will soon be a memory, but remote working is undoubtedly here to stay. Preparing now for this reality will help avoid security, privacy and regulatory failures in the future.
The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.
Gráinne Bryan and Javier Garcia-Chappell, FTI Technology
Dave Harvey, FTI Cybersecurity