“Armies and missiles are no longer needed to cause mass damage. You can paralyze industrial plants, administrations and hospitals with a simple laptop. You can disrupt an entire electoral process with a smartphone and an internet connection.”
With these words the President of the European Commission, Ursula von der Leyen, in her speech on the ‘state of the Union' given before the European Parliament in September 2021, explained the importance of European intervention in the field of cybersecurity: public and private bodies, businesses and individual citizens have been subjected to increasingly complex cyber threats. The latest episode of a global hacker attack, on 5 February 2023, reinforced those warnings.
Therefore, interventions in the field of computer security have proved to be crucial for companies, as they are fundamental both to allow business continuity (since the performance of work activities is precluded in the event of a computer attack) and to protect corporate know-how and employee personal information.
Employee behaviors can have an impact on the integrity of corporate information systems. Every day, there is a risk of employees misusing corporate data, installing unauthorized applications, sending confidential emails to the wrong address, or becoming victims of a phishing attack.
Another aspect that should not be underestimated is that of making sure that the use of information security tools is compatible with the regulations on remote control of employees. For example, some employment legislation provides that the use of the information collected with work tools is generally permitted for all purposes connected with the employment relationship. If, on the other hand, the company needs to install safety tools that are not used by employees to carry out their duties (and therefore do not qualify as work tools), but which may result in remote control of the workers, it may be necessary to obtain a trade union consent or, failing that, an authorization from the labour authorities.
It is therefore essential for all tools, whether or not they qualify as working tools, to introduce internal procedures that precisely indicate the methods of use and performance of checks with reference to all software and hardware that can allow remote control of work activities.
Once the internal procedure has been elaborated, it is then necessary to clarify in the company disciplinary code that violations of the rules contained therein will be sanctioned; it will therefore be necessary to link the behaviours indicated in the procedure to disciplinary sanctions.
Furthermore, since corporate IT security systems by their nature also log personal data and information, these must be used in compliance with privacy legislation. The systems must be in compliance with (among others) the principles of relevance, necessity, and minimisation of data processing.
Finally, employees must be trained to make them aware of the risks of cyber-attacks, paying particular attention to the training of those who work remotely. In employee training it will be necessary to highlight:
- the importance of each measure to be taken;
- the consequences of breaches of security systems and the difficulties of recovery;
- the rules adopted by the employer in the procedures described above.
One of the main challenges for employers is protecting their data from increasingly frequent cyber-attacks. To reduce these risks, while avoiding liability to employees, employers must:
- train and inform employees on behaviours to avoid and risks in terms of IT security;
- introduce internal procedures that precisely indicate the methods of use and performance of checks with reference to all software and hardware that can allow remote control of work activities;
- make explicit in the internal disciplinary code that violations of the rules contained in the above procedures will be sanctioned.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.