By Annelies Moens CMgr FIML
As the economy slowly restarts, leaders have an opportunity to assess which tools and measures to retain from their way of operating during the pandemic. Many businesses may not return to operating the way they did before the coronavirus lockdown, and in many respects, this could be a positive development for business. For example, working remotely from home may be considered business-as-usual.
Now that the urgency of setting up third-party tools and resources for operating remotely during the crisis has diminished, it is important to properly assess their long-term and more permanent use, and in particular to ensure that good security and privacy practices are in place. In the rush to deploy new technology, some tools and resources may have been rolled out without the usual oversight.
This article takes you through some security and privacy considerations and provides a checklist to kickstart your security and privacy health check. Such a health check is timely in light of the increased penalty regime under the Australian Privacy Act expected to be implemented later this year.
Hosting and data backup
When you have staff and contractors working in multiple locations, it is imperative to ensure they have appropriate access to data which is stored securely and backed up. Selecting a vendor whom you can trust to host and back up your business’ data is critical for your business continuity. For example, can your host provider access your business’ data? If so, it could increase the risk of data breaches and of law enforcement access (both foreign and local) about which you may not be aware. Using providers who offer end-to-end encryption alleviates that risk, as only your business and its authorised users can access the data. The trade-off is that the key stays with the business, not the host, so companies need to be mindful that they can lose access to such data if they lose or forget their passwords. That same property is why those types of environments provide the best security and privacy.
Video conferencing
During the pandemic, video conferencing became the norm for business calls, exercise programs and catching up with friends and family. The lax security and privacy settings of some video conferencing providers became newsworthy fodder as usage rates escalated. Depending on which jurisdictions your business operates in, international privacy laws, such as the General Data Protection Regulation (GDPR), also become relevant. The privacy policies of popular video conferencing tools fall short on many aspects of transparency, leaving users unsure how their data is handled.
Apps and Bluetooth
Many of your employees or contractors may have installed the COVIDSafe App following its release in Australia on 26 April. Equally, many may not have installed the app. It’s important to note that section 94H of the Privacy Amendment (Public Health Contact Information) Bill 2020, which passed on 14 May 2020, makes it a criminal offence for employers to require individuals to download the app as a precondition of access to premises, employment or other services. The COVIDSafe App uses Bluetooth technology, so consider the impact of having Bluetooth switched on for the other apps and data held on mobile devices. Mobile devices are often used to connect to personal accounts, banking and crypto-wallets, and to work data and systems, particularly when working remotely or from home. Other apps may start to track location, as is often the case in shopping centres. The latest security and Bluetooth patches will be essential for device privacy and security. For a list of practical privacy and security considerations, see: COVIDSafe app – Are you sitting on the fence?
Three steps to kick start your security and privacy health check
- Conduct vendor risk assessments
Assess the privacy and security risks of your vendors, including your video conferencing service providers and your hosting and backup storage providers. This also includes employee monitoring software, customer relationship management software and all other service providers handling company and personal information, including any shadow IT set up during the pandemic.
- Develop a Bring Your Own Device policy
Make sure it addresses the privacy and security implications of accessing company and personal information using those devices. Consider Bluetooth, permission settings for apps, security updates and patching, firewalls, virus protection, multi-factor authentication, partitioning between business and personal data, and virtual private networks.
- Review your own business’ privacy and security practices
Ensure that what happens operationally is actually reflected in your company’s privacy policy. Include data collected throughout the business, not just data collected online, such as through the company website. Global privacy regulations will also have an impact when you are collecting personal information from individuals overseas.
Annelies Moens is a Chartered Manager and Fellow of IML ANZ. She is an international privacy expert and the managing director of Privcore, a privacy consulting business.