COVID-19: Privacy and Technology Related Risks
The COVID-19 pandemic has impacted our work life in a way that was never anticipated before. Due to the nature of the threat, social distancing and other challenges, such as non availability of key staff at offices, have forced many organizations to ask their employees to Work From Home (WFH). Since the start of COVID-19, this has rapidly become the norm and many people are working from home but, unfortunately, many Organizations have not considered the manifold technology related risk factors associated with WFH. The purpose of this short paper is to take stock of such risks so that companies can attempt to address them depending upon their own businesses and circumstances.
WFH is not a short-term Disruption
WFH will be the norm or business as usual for quite some time, given the fact that the “Lockdowns” along with the threat to human lives will remain even after the Apex has been reached in some countries. This is quite evident from the fact that the number of tests per one million of population, as of 8th April, 2020, for the following selected countries, are as follows (Source: Google/WHO) :
The above seems to validate the assertion that there is a huge gap between the testing being done and the size of the population (one million sample size) that ought to have been tested. This seems to clearly suggest that even if the lockdown is lifted by the end of April, 2020 the implications of the virus, both from the point of view of health and economic considerations, will persist and there will be several out breaks (the Japanese Government has initiated a complete lockdown in Tokyo and some other cities as it fears a second, more severe outbreak), and hence the need to work from home is more likely to become the business as usual (BAU). Even the US has projected that the current wave might not be over until late June or early July, but there is a trepidation as to when, not if, a second wave might, also occur. The low figures of only 102 for India and 191 for Pakistan clearly indicate that this might just be the case.
Before discussing the risks faced by Companies insofar they pertain to employees working from home, it is pertinent to discuss the data privacy issues which have emanated from the approach adopted by Governments across the world. According to a BBC report, China attempted to trace cases using 5G technology as well as AI and Robotics. The US Government has hired services of companies like Palantir and Clearview AI for infection monitoring by surveillance, geolocation and facial recognition. There are, therefore, concerns amongst the global information security community about these infringements of privacy and associated data. Starting at the lower end of the scale, an article titled, “Protecting Privacy During an Infectious Disease Panic” was published in 2014. The focus of the article was on the Ebola outbreak, and the resulting situation in which media obtained and published information about individual Ebola patients to their individual detriment.
Unfortunately, data privacy issues came to light recently under the COVID-19 pandemic in Pakistan as well when the first patient’s (Patient Zero) details were divulged by the electronic and print media. While this halted as a response to a public outcry, such risks continue to remain.
Many argue that infringement of data privacy, to save lives during the Pandemic, is justifiable, even if laws e.g. GDPR of EU, Personal Data Protection Bill, 2018 of Pakistan, are broken. Some continue to argue that data is a corporate asset, able to be used in any way for commercial gain because of the investments the Organization has made in procuring and analyzing the data.
Organizations need to be careful in how they disseminate data of their employees, and ensure that there will be no misuse after the crisis is over. This could be done by obtaining documented requests from requesting organizations and limiting the data to the actual need.
WFH Protocols and Threats
In many countries, the Governments ordered lock downs with immediate affect (e.g. India) while in others a gradual approach was adopted (US, the UK, Pakistan, to name a few). Regardless of the Governmental approach, many Organizations asked their employees to work from home, without much preparation to address the related risks, besides the Privacy of data risks as discussed in the preceding paragraphs.
Many people commenced WFH using their company provided laptops but using internet provided by their ISPs. Quite a few are facing bandwidth issues due to their own use, e-learning by children (in many countries schools and colleges are closed) and spouse if he or she is also working. Many would think that this issue would only be related to developing countries (e.g. Pakistan) but it is not surprising to note that the example cited happened to be experienced by a manager level person in California, USA.. The result of the issue, mentioned in the example, was that the Internet collapsed and thus, important timeliness were missed.
There are other risks relating to ISPs, Routers, etc. It is not possible to discuss all such issues here as the circumstances of each person/employee would be different even within the same company. These would depend upon the company, designation within the company and Security provided e.g. a VPN, etc.
Confidentiality of Data
It is pertinent to note that the demand on maintaining confidentiality of data remains the same even if one is WHF compared to working from office – in fact it becomes even more stringent. In a typical office, one is working in a controlled environment with departmentalization, physical and logical access controls and supervisory controls etc. all in place to ensure that confidentiality of data is maintained. However, WFH presents a tough challenge. There is no supervisor physically present, segregation of work environment is not a privilege everyone can enjoy, and the list goes on. So how does one maintain data confidentiality and, more importantly, how does the management ensure that this is being done? These aspects need consideration and there is no single one size fits all solution.
Cyber Security Risk
It would be logical to imagine that Cyber Security (CS) in the office, say, together with a Security Operation Center (SoC), would need major enhancements in order to provide information security for personnel working from home. However, given the investments required, particularly in these tough financial times, as well as the practicality of implementing such solutions in a short time, largescale implementation would be unlikely. Consequently, there is a need for CS to be practiced from home. In order for this to happen, Organizations need to disseminate protocols for each employee to practice. As an example, this would require re-configuration of home routers, which of course, would vary depending upon the make and model. Additionally, before such a process commences, permission of the ISP would be needed.
Business Continuity Planning (BCP) AND Disaster Recovery Planning (DRP)
BCPs and DRPs are normally prepared assuming that the Organization would be affected by incidents like Crashing of Primary Server or Primary Server site impacted by fire, earthquakes, floods etc. Plans to mitigate these include a DR site (where users can log in), an Alternate Processing Site (APS) where minimum staff can be moved to continue operations, policies and procedures to be adopted during the disaster etc. The prime assumption is that the disaster is company specific and the entire country is not in a lock down, similar to what happened after the death of Benazir Bhutto, the former Prime Minister of Pakistan, after her assassination in December 2007. While the country came to a halt and incurred huge financial losses, the duration was only for three days. However, typically no BCP/DRP accounts for a Pandemic like Covid-19 which, effectively, has brought all major countries to a lock down that has severely impacted business continuity as well plans in place to address organization specific disasters.
Notwithstanding the above, micro level BCPs have to be developed by organizations for use of their employees or personnel working from home.
It can be concluded that organizations need to assess their risks, modify controls wherever required, and make small investments. It is conceivable that majority of these risks, and consequently investments, will pertain to network security including cyber security and tools that each individual will need for implementation e.g. VPN.
Waqar is a former Partner of EY & currently the CEO of TRACS LLC, USA, a Technology Consulting Company, as well as CEO of TRACS (Pvt) Ltd., a subsidiary based in Pakistan.
Note: TRACS has developed a Risk Model which calculates the overall WFH Technology Risk of a company, based on input of certain key information.