In the current emergency context of the spread of the COVID-19 ("Coronavirus") contagion in Italy and the issuance by the Government of the relevant containment measures, many companies are relying on Smart Working to guarantee business continuity.
Smart Working is not by itself an unknown phenomenon, as it allows workers to carry out their tasks from locations other than the usual workplace. Today it is becoming more and more indispensable to keep business operations running at a minimum pace, at least for as long as the restrictions imposed in quarantined areas remain in force.
Smart Working has various implications; summarised below are some aspects to take into consideration for the protection of personal data and confidential business information.
Remote connection to the company network gives access, inter alia, to personal data of other employees and business partners, as well as to restricted commercial information, trade secrets, contractual terms with customers, production know-how and blueprints.
Unauthorised access to, or loss of, such data might have very burdensome consequences for the companies involved, not merely from a commercial standpoint but also for potential breaches of the applicable data-privacy framework(s), which might ultimately lead to sanctions and penalties.
The importance of a policy for allowing the use of Smart Working in safe conditions
Regardless of the actual technical means of remote connection (the worker's own device through VPN access, or a company device operating as a virtual machine connected to the company network through specific credentials and security mechanisms), remote access shall be duly regulated, both under ordinary and under exceptional circumstances.
Each employer shall equip itself with internal policies, manuals and procedures for the correct use of the company network, of the mailbox and of the devices assigned to the workforce (most of the time, a phone and a tablet/laptop).
Those instructions are a valid contribution to building a company culture of awareness about the protection of personal data and restricted information and, at the same time, are a viable means to achieve the same goal in "emergency" cases like the present peculiar Coronavirus circumstances.
Further to the above, it is fundamental to verify and keep active the normal technical security measures deployed to protect the IT infrastructure, so that any access through external devices or networks is made with the highest degree of security available (e.g., without limitation, encrypted hard disks, backup systems, firewalls).
Examples of practical instructions for Smart Working employees
Even if the company is already equipped with such policies, it is still useful to provide Smart Working employees with the following basic recommendations:
In general, take the utmost care in keeping the company devices safe and in performing any access under the safest conditions, which more specifically implies:
- Use company devices solely for working purposes, save for permitted personal use outside business hours;
- Avoid working in public places, where the device used to access the company network might be left unguarded and potentially stolen;
- Avoid, at least during working hours, lending the device used to access the company network to any third party (e.g. friends, relatives), as they could connect to it without authorisation;
- Change the access password frequently and keep it confidential;
- In any event, when not in use, a device connected to the company network shall be left locked, with program windows minimised (lock by using CTRL+ALT+CANC (Del) and then "Lock", or Windows+L);
While using devices connected to the company network:
- Do not install/use any software not related to work (e.g. streaming, download, music or gaming programs) which has not already been installed/approved by the employer or which might infringe any third party's licence or copyright (the company's IT infrastructure may, however, already enforce specific restrictions on this). This recommendation also applies to access to the company network through personal devices;
- Avoid any parallel connection to other virtual machines, so as not to risk improperly linking third parties' networks with the company one;
- Do not bring into the company network any file of external origin not related to work, and do not store any work-related file on the device's local hard disk. Any filing or storage shall be performed exclusively on the company network;
- Do not use, without limitation, any USB key, connect card or similar device without the prior approval of the company (whose IT infrastructure might already be equipped with specific locking systems for these);
- Do not use, save for undeferrable working tasks, public places' and/or password-less Wi-Fi networks.
The workforce shall also be reminded that the company has the right to perform due checks and controls on the use of IT work devices, in compliance with applicable employment regulations (notably the Workers' Statute, "Statuto dei Lavoratori"), and that infringements might lead to disciplinary sanctions.
For its part, the employer shall provide all technical instructions to guarantee safe access to its network, including through personal devices. A further safety measure, if viable, is a dedicated IT support contact channel for employees.
Keep employees' awareness of cybersecurity high to strengthen protection from external attacks
Further to the above, it is also advisable to develop employees' awareness of how to face potential data breaches, notably those following cyber-attacks from external sources (e.g. Trojans, macro malware, ransomware, phishing), which are usually spread through apparently genuine but fake emails.
For instance, specific attention shall be paid to:
- Emails apparently coming from colleagues or commercial partners asking to open a link/document contained therein, presented as a payslip or an invoice. In such cases it is recommended to check the email address paired with the displayed user name, as well as the message signature, as most of the time this kind of message is sent out with the intention of gaining undue access to the company network/files;
- Emails containing .doc files which, upon opening, request permission to install a macro. No permission shall be granted in this case and, should this already have been done, the device must be immediately frozen/locked and the employer contacted to report a potential IT violation.
As a matter of fact, the current Coronavirus emergency has already shown that it can be exploited unlawfully for email cyber-attacks. For example, in the last few days several kinds of email have started circulating in Italy containing the "CoronaVirusSafetyMeasures.pdf" attachment (which, if opened, might lead to the installation of malware), or sent from the fake mailbox of a "Dr. Penelope Marchetti of WHO".
At the same time, it is pivotal to always remember the importance of a responsible and proactive approach. In case of any doubt, the employee shall refer to the company before opening any suspect email/attachment. The think-before-you-click recommendation always applies.
Last, the employer should keep the IT assistance channel open and active for Smart Working employees in these days too, as dedicated support requests might be more frequent.
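The checks described above (a familiar sender name paired with an unexpected address, .doc attachments that can carry a macro, and the attachment name cited in the example) can be applied automatically to incoming mail before an employee ever opens it. The following Python routine is an added example written for this article, not code from the original or from any product; the trusted domain, the contact names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values for this example: the company's mail domain and the names of contacts a fake sender might impersonate.
TRUSTED_DOMAINS = {"example-company.it"}
KNOWN_CONTACTS = {"mario rossi", "penelope marchetti"}
MACRO_CAPABLE = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".ppt", ".pptm")
WATCHLIST_NAMES = {"coronavirussafetymeasures.pdf"}  # attachment name cited in the text
LURE_WORDS = ("payslip", "invoice", "busta paga", "fattura")

def triage(raw: bytes) -> list[str]:
    """Return the warning reasons found in one raw RFC 5322 message (empty list = nothing noticed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # 1. A familiar display name paired with an address outside the trusted domains.
    if name.strip().lower() in KNOWN_CONTACTS and domain not in TRUSTED_DOMAINS:
        reasons.append(f"display name '{name}' but untrusted address domain '{domain}'")
    # 2. Attachments able to carry macros, or whose name is on the watchlist.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(MACRO_CAPABLE):
            reasons.append(f"macro-capable attachment '{fname}'")
        if fname in WATCHLIST_NAMES:
            reasons.append(f"watchlisted attachment name '{fname}'")
    # 3. Payslip/invoice lure wording, reported only when another signal is already present.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if reasons and any(w in text for w in LURE_WORDS):
        reasons.append("payslip/invoice lure wording")
    return reasons

# Constructed sample message (not a real campaign) that trips all three checks.
SAMPLE_EML = b"""From: Mario Rossi <mario.rossi@example-mail.biz>
Subject: Your payslip for March
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached document and enable the macro to view your payslip.
--b1
Content-Disposition: attachment; filename="payslip.doc"

AAAA
--b1--
"""

WARNINGS = triage(SAMPLE_EML)  # three reasons for the sample above
```

A message that produces no reasons is simply delivered; one with any reason is the case in which the employee should contact the company before opening anything.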
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.