Last week, a legal services firm, Law In Order, suffered a cyber security attack, with hackers claiming to have stolen confidential data and threatening to release it unless the firm made a payment to them within seven days (it is understood that this threat has now been withdrawn). Law In Order is one of the biggest providers in Australia of e-litigation services, which means that it has access to sensitive information that can expose organisations to legal liability issues if any of its confidential information is leaked.
At around the same time, a fake Zoom invitation gave hackers access to the email system of the hedge fund Levitas Capital, and the hackers then sent three fake invoices worth $8.7 million. Levitas Capital was forced to close after its biggest client withdrew its funds following the breach.
However, the nature of either of these companies' business is somewhat irrelevant given the bigger picture that these attacks expose and the key messages for employers. As the number and sophistication of cyber security attacks inevitably increase, organisations will be looking at ways to minimise this penetration and thus the impact. Minimising penetrability will necessarily depend on workers being vigilant about protecting their employers' and principals' resources and equipment, complying with policies and not allowing complacency to creep into their daily duties.
Working from Home
As a result of the COVID-19 pandemic, working from home has become the "new normal". Whilst Government health recommendations on working from home are being relaxed as community transmissions dwindle and more workers return to the office, it is expected that many will still work from home for a certain period on a regular basis. Organisations will need to adapt their systems and expectations to factor in the challenges that regular working from home arrangements present, and privacy of data and vigilance around responses to emails are just two of them.
When more than one person lives in the same household and they are all working from home, there is a much greater risk of other people overhearing confidential conversations or gaining access to confidential information and documentation. In the haste to move people into working from home arrangements, organisations may have been less diligent in ensuring the IT systems in people's homes are as secure as those in the office, and they are unable to monitor interactions in the new workplace with people who are not workers. In summary, the measures that organisations normally have in place in the workplace to help prevent a data breach are being overlooked while working from home, leading to a potential relaxation of the usual measures, which increases the risk of cyber security breaches.
It is important for organisations to prevent cyber security breaches for a number of reasons, and the two cases above demonstrate one of them: risk to business. In these instances, the threatened risk and the one which eventuated were loss(es) of clients. Additionally, there are legislative obligations around privacy that are more likely to be compromised in the working from home scenario, particularly around use and disclosure of confidential information, not to mention the obligation to notify affected individuals where an organisation suspects there has been unauthorised access to or unauthorised disclosure of personal information that the organisation holds, and it is likely to result in serious harm to one or more individuals.
As part of their obligations no matter where they work, workers are expected to ensure that any security software installed by the organisation is not disabled, to install security software on their own devices if required, and to ensure that, when they connect to the organisation's network, their personal devices have a virus scanner which is updated regularly. Workers must be vigilant about any potential scam and hoax emails and should immediately contact IT for assistance and report them to their manager.
Tips for Organisations
1. Policy implementation: organisations should ensure that they have computer, privacy and confidential information policies and that they are regularly reviewed and updated to ensure that they are "fit for purpose" and properly address potential issues with workers working from home on a more regular basis. These policies should cover issues such as:
- the required levels of security for the confidential information;
- the worker's responsibilities in relation to managing confidential information while working from home;
- the worker's responsibilities generally for IT and computer security and in particular around installation of appropriate software and being wary of scam and hoax emails and the reporting of the same;
- ensuring that all devices used by the worker are password protected and stored in a safe and secure location when not being used; and
- the ability of organisations to lawfully conduct surveillance of their employees, which will need to factor in that this surveillance may be done on personal devices as well as company-owned devices.
2. Training: Organisations should ensure that workers know the best practices when it comes to working from home by training and explaining to them the importance of confidential information.
3. Communication: Organisations should ensure that they communicate on a regular basis with their workers. This will help workers have a sense of involvement in the business and will help avoid workers unintentionally having conversations about work with family or friends, as they would normally do at work, which can result in the sharing of confidential information.
PCS has published this week a Whitepaper on the impact of COVID-19 on employment practices such as the impact on organisations of working from home.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.