Since the beginning of 2020, communities throughout the world—personal and professional—have been impacted in a way that was always only talked about in hypothetical scenarios, such as running an organization completely virtually. Belief in the technological prowess achieved by humans meant that this hypothesis would never come to be tested. The opposite is true.
There is not a facet of business that has not been impacted by COVID-19. Security and privacy-related matters now have to be looked at through a different lens.
At an enterprise level, working from home presents new and additional risk. Organizations will have to plan to identify, manage and mitigate the risk presented to them in this new normal. As long as teams were working from an access-controlled, audited, segregated and monitored environment, physical data protection risk areas were contained on the premises of the enterprise and more easily managed. In the work-from-home (WFH) scenario, the risk extends to the employee’s home, which becomes another point that has to be secured.
The invisible migration of workforces from an enterprise environment to the home environment has been a lock-stock-and-barrel migration for an indefinite period. Work contracts seldom mention the employer’s working from home policy; therefore, policy conflicts are bound to surface, not to mention contracts signed between vendors and clients governing the movement of data, hardware, assets and intellectual property.
Force majeure clauses (i.e., unforeseeable circumstances that prevent someone from fulfilling a contract) have been a part of enterprise contracts, similar to an enterprise’s own get-out-of-jail-free card, to help clients who might have had a watertight contract. In the new pandemic-induced working environment, the work must continue, and enforcing force majeure can bring about severance of ties only when the need of the hour is continuity.
Risk must be mitigated to ensure the sanctity of the data being worked on and reduce the liabilities associated with these risk areas. Enterprises must now look at deploying additional measures to address the new risk and compliance requirements.
It is the story of the new normal.
The New Normal
It has been discussed constantly over the last few months. Contrary to popular opinion, the new normal is not just new terminology to expedite digital transformation; it is not a gimmick. It is a clear challenge that has presented itself equally before individuals, enterprises and governments. Unlike ideas related to self-preservation (e.g., wearing masks, maintaining social distancing, washing hands regularly), security and privacy have always been perceived as the flagbearers of protecting an enterprise’s data, often with individuals considering it an impediment. The coronavirus-induced era of the distributed workforce and the absence of a physical office, albeit in the interim, change a number of metrics for individuals as much as these circumstances change the metrics for organizations. The reality is that the employee and the employer have to address this challenge together rather than in separate capacities.
The precursor to the question on personally identifiable information (PII) is about establishing a work contract between the employee and the employer, the client and the vendor, or other similar relationships.
ALONG THE SAME LINES OF KEY PERSON INSURANCE AND EXECUTIVE INSURANCE, EMPLOYEE CYBERINSURANCE MAY BECOME A REALITY.
It is important to look at the impact of WFH in the new normal from lenses that are critical to an organization.
Employee Work Contracts and Ways of Working
A work contract is sacrosanct and the basis of every conversation or negotiation when it comes to getting a fair value for the effort expended in executing the requirements mentioned in the work contract. Most work contracts between the employee and the employer mention the aspect of taking up work from home in passing, without any concrete rules to govern the same. Discretion of the manager has been the oft-touted approach.
It is telling from a contingency planning point of view that a contingency was always thought to be needed for a short-lived situation (e.g., hurricanes, storms, floods) and those which could result in resuming work after only a short period of WFH. It is safe to say that these contingency policies were inadequate, but things always appear clearer in hindsight.
As enterprises move to the new normal, the key things that need to be deliberated and included in work contracts are as follows:
- Clauses on confidentiality of information during WFH
- Dos and don’ts of employees working
from home:
- Implementation of a zero trust architecture on the network
- Issuance of guidelines to employees on securing their home networks such as ensuring adherence to stringent password guidelines and updating the latest patches on the operating systems
- Completion of security training for employees
- Use of secure cloud infrastructure for remote users to have access to data
- Assurance of adequate network bandwidth for employees to perform their job responsibilities
- Consent for the installation of software and monitoring of usage of personal devices
- Examination of the compensation structure
on expenses:
- Investment by the enterprise to provide adequate working conditions at home (e.g., buying furniture or equipment)
- Reimbursement of Internet charges
- Enterprise-identified accommodations
- Along the same lines of key person insurance and executive insurance, employee cyberinsurance may become a reality. Enterprises may have to make provisions for cyberinsurance-related risk arising from employees working from home.
- Just as employee background checks and drug tests have become a fact of life, physical audits of employee home offices and home networks may be required. Organizations will have to weigh the inclusion of rights of audit on the premises of the information against employee privacy concerns and rights. These are not as straightforward because domestic arrangements vary and can be a source of complexities (e.g., how to handle a scenario where an employee shares premises with friends who work for competitors, how to decide what kind of employee declarations will be required to mitigate risk and liability, how to determine if third-party audits of home offices are required).
THE PANDEMIC-INDUCED ODC DOES NOT POSSESS THE SECURE PHYSICAL ENVELOPE THAT PROTECTED IT EARLIER, BUT THE GOOD NEWS IS THAT THE VIRTUAL NETWORK IS STILL AS SECURE AS IT WAS EARLIER.
Customers and Contracts
Many large outsourcing contracts include stringent security terms during the setup of office space and networks. The security team requires the service providers to maintain a secluded and secure environment for the teams working on their projects. The teams need to work on a virtual network that is isolated and inaccessible from the service provider’s main network, and the teams need to be located in an offshore development center (ODC) that is strictly access controlled and audited.
With the coronavirus pandemic, the ubiquitous unibody organism that was the ODC has been disintegrated into various suborganisms—individual team members working on the projects—that come together through technology and connectivity. The pandemic-induced ODC does not possess the secure physical envelope that protected it earlier, but the good news is that the virtual network is still as secure as it was earlier.
Key aspects of client contracts to consider include:
- Renegotiate client contracts to ensure the physical security aspects of the contracts are amended.
- Sign additional nondisclosure agreements (NDAs).
- Re-examine the risk and controls that need to be implemented to ensure adherence to client contractual clauses.
Data Security
The new normal of WFH also presents a well-known challenge: phishing and data identity scams. The number of phishing scams in the name of a charity or a humanitarian cause have been on the rise during the pandemic. Scammers have always been good at sending emotional appeals to help the less fortunate in times of need and, with an overload of media stories around suffering and the impact of the coronavirus, these phishing scams continue to appear, even on organizationwide firewall-secured networks.
Data are usually secure within the virtual premises of an organization’s firewall infrastructure, but when employees begin to work remotely through their personal devices, the need for an efficient and enforceable bring your own device (BYOD) policy is apparent. Organizations must also foresee additional expenditures in procuring devices that can be shipped to employees in case employees do not want to use their personal devices for official work or do not have personal devices that can meet enterprise guidelines. It is entirely possible that such a provision does not exist in the work contract that the employee has with the employer.
Deepfakes
In the virtual mode of working, another risk is deepfakes. Deepfakes are a technique in which a person in an existing image or video is replaced by someone else’s likeness. They are created using powerful techniques including machine learning (ML) and artificial intelligence (AI) to manipulate the audit and visual data to be misleading.
The potential risk to the organization is lack of awareness of the risk of deepfakes, nonavailability of the right technology to detect occurrences of deepfakes and alert the organization, not having the right validation methods to verify using independent sources, and not having the right incident management and response mechanism to curtail and contain occurrences.
Key aspects to consider to mitigate the risk of deepfakes include:
- Educate employees to identify and verify suspicious content, even when it is received from known sources.
- Create stronger access controls systems to prevent the usage of digital signature. Dual approval mechanisms such as multifactor authentication (MFA).
- Use risk-sensing solutions.
- Formulate a brand safety and resilience strategy to address the large-scale spread of misinformation.
- Collaborate with media platforms for speedy identification of deepfakes, removal of fake content and dissemination of clarification.
ALTHOUGH THE VIRTUAL WORLD IS UNFORTUNATELY REPLETE WITH CHALLENGES, THE PHYSICAL WORLD WILL ALSO NEED TO BE RE-EXAMINED, SPECIFICALLY SECURITY AND PRIVACY POLICIES.
Handling of PII Information
When discussing the employee-employer relationship, the first important privacy aspect that comes to the fore is maintaining personally identifiable information (PII) data. The procedures for maintaining the sanctity of PII are clearly laid out in large and mid-sized organizations, and they are adhered to as a rule. The new normal presents a new challenge where employees and contractors must inform the employer about their health status to ensure that proper care is taken in the event of an employee contracting COVID-19. With people working remotely, there is a possibility of PII being filed according to procedure and being available for others to access. These instances are bound to show up in organizations that do not have a clearly defined data policy for their internal cloud infrastructure or even for firewalls on personal devices. It is not just the employers; the PII must be shared with designated hospitals and even government officials to help contain the spread of the virus. It is safe to assume that employers, hospitals and government agencies are not governed by the same PII policies and are not on the same data and information-sharing networks. The challenge is for everyone to be aware and build solutions around it quickly. The International Association of Privacy Professionals (IAPP) has released its Data Protection Authority (DPA) guidance on COVID-19 for a majority of countries, to which employers can refer.
Many people are hopeful that the current pandemic situation will soon improve, and the new normal will begin to look a bit like the older normal with people getting back to their workplaces. Although the virtual world is unfortunately replete with challenges, the physical world will also need to be re-examined, specifically security and privacy policies. Consider this hypothetical example: An employee returns to the office and is requested to stand in front of a camera that is connected to a facial recognition–based verification process. After enrolling in the program, the employee moves to the kiosk to scan their face to move past the security setup. A simple swipe of the access card that would have granted entry to the office results in a red flag and a beep. The organizationwide contact tracing application has raised a flag about the employee staying in a block with a high number of COVID-19 cases. Within a few seconds, the government databases send back a message stating that the employee has not been tested for COVID-19 and must be tested because the person is staying in a high-vulnerability zone. The employee is led to the testing kiosk and the results come up negative after a few hours. The time spent in the isolation facility at the office made the employee realize the extensive mechanisms that are being used to ensure employees’ safety. Happy at the negative COVID-19 results, the employee heads to her or his designated space in the office. The employee has to contend with questions about the restricted access in the morning and what followed. It is all part of a laughable story over a coffee, maintaining social distancing.
In this scenario, there are some other things to consider:
- Did the employer get consent from the employee before signing them up for the facial recognition program?
- Did the employee have enough time to understand how their data can be used?
- Are employees aware of the protected health and financial information they are using and the security and privacy requirements around them?
- How are the facial recognition and the health data going to be processed?
- How does the employer address the breach in maintaining PII when the employee’s status was known to everyone around the swiping kiosk?
Conclusion
These scenarios ranging from WFH to using personal devices to contract realignment and the aspects of physical security are a few examples that organizations and employees are encountering in this new normal. Complex scenarios involving managed cloud infrastructure, proprietary code, copyrighted assets and intellectual-property-related projects are going to test the boundaries of an organization’s privacy and security policies. Implementation of policies and adherence to processes in these unprecedented times can be extremely difficult, but it is an opportunity to roll out measures that were concepts only a few months back. The shift to the new normal requires rapid and holistic risk assessment approaches and rapid mitigation strategies in order to tackle the uncertainties of the new era.
Deepa Seshadri
Is a partner at Deloitte Touche Tohmatsu India LLP. She has more than 22 years of experience in the field of cybersecurity and governance risk and controls. She specializes in enterprise governance, risk and compliance, and cyberstrategy-related work for global technology and manufacturing companies.