Today, with uncertainty about how long the current situation caused by the coronavirus will last, and with the possibility of similar situations in the future, the trend that a large number of companies had already begun, implementing telework in specific areas under established guidelines, has been pushed to the extreme in terms of both duration and the business processes involved.
The unexpected way in which it has arrived, in both speed and scope, has generalized telework to levels unthinkable a few weeks ago, and has in turn introduced a whole series of risks that are highly relevant to entities.
Ideally, this situation would have been covered in entities' Business Continuity Plans, allowing us to anticipate it, reflect on it and try to minimize the associated risks. In reality, most entities have implemented telework without always managing, or at least being aware of, the risks associated with it. This covers a wide range: entities that had a Business Continuity Plan but, given the probability assigned to the specific threat of a pandemic, had not implemented the related recovery plan; entities that had a partial or outdated plan; and the many entities that had no plan at all.
Forced by the unexpected current situation, this unplanned and unstructured implementation, combined with the variables of time, number of employees and business processes, leads to a very high volume of data, in many cases sensitive data (health data being the obvious example), moving across networks and subject to risks that are much higher than, and different from, those that existed a few weeks ago for the same business processes.
If privacy was already on the agenda of every entity before Covid-19, the current context is giving it added prominence and will make it, both now and in the return to normality, one of the main lines along which entities should steer certain policies and decisions.
On reflection, the new regulation on the protection of personal data is founded on the concept of risk management: each entity, based on the types of data it holds and the processing it carries out on them, assesses the existing risks and on that basis applies the security measures it deems most appropriate to preserve the privacy of the data. The current telework-based situation involves significant and, in many cases, new risks, which arise from new document-sharing platforms, group work tools, remote access, different business flows, etc. These call for a review of the data life cycle and an update of the different risk analyses (Privacy Impact Analysis) that are based on it. We must make sure to manage the security of privacy both now and in the future.
This environment is the perfect setting for new threats, and the Spanish Data Protection Agency itself warns of increased information security risks from threats such as:
- Non-secure networks. A large number of remote accesses occur via the Internet, and organizations normally do not have control over the security of the external networks used.
- Phishing attacks. Phishing campaigns that use interest in the progress of COVID-19 as a pretext have increased. These seek to steal personal information, spread fake news and/or deliver unwanted advertising.
- Ransomware. Prevents users from accessing their system or personal files and demands the payment of a ransom to regain access to them.
Given the new risks that may affect the confidentiality, integrity and availability of data, and the need to secure information, we point out some guidelines for managing the security of privacy, based on the key elements of the new situation. The security measures must secure the remote access solutions, including the security of the server, its location and the security of the client software, covering authentication, authorization and access control for remote access solutions; and at the same time secure the telework client devices and protect the data on them:
- Keep servers up to date and patched, operated according to the security settings defined by the organization and managed only from trusted hosts by authorized administrators.
- Assess device performance, traffic examination, unprotected traffic and NAT (Network Address Translation) to determine where remote access servers should be located.
- Ensure that all internal resources made available through remote access are adequately protected by firewalls and other access control mechanisms.
- Apply cryptography to sensitive information travelling over remote access communications, wireless networks and other untrusted networks.
- Provide secure remote access solutions via VPN (Virtual Private Network) for accessing the organization's network from an external location.
- Assess virtual desktop infrastructure (VDI) solutions, in which employee desktops are controlled by the company and form safe work environments. Any security policy applied to the organization's physical devices, such as updates, backups, software control, DLP tools, etc., can be carried over to employees' virtual desktops.
- Enable remote authentication mechanisms such as robust passwords, two-factor authentication or mutual authentication.
- Implement a strict access control policy based on profiles and functions, with access granted on the principle of least privilege.
- To the extent possible, provide employees with corporate devices, since these have the security policies that the company considers appropriate applied to them.
We must ensure the continuity of business processes through the implementation, updating and periodic testing of the business continuity plan (BCP) and the disaster recovery plan (DRP). This element, implemented to differing degrees across organizations today, is allowing business activity to continue and is enabling companies to keep operating more or less efficiently in the current situation.
In the same way, we must have an incident response plan for the information system so that, if a risk materializes, employees have the necessary procedures and channels to report it, and the systems and security area has security information and event management (SIEM) systems, data visualization tools and/or automation and artificial intelligence (AI) capabilities that allow it to monitor, detect and respond to incidents effectively and efficiently while complying with the terms of art. 33 of the GDPR.