Keeping employees safe online during lockdown
Jo Gallacher, June 11, 2020
On 16 March the government lockdown came into action. I know, it feels as if we’ve aged 200 years.
As guidance was published preventing non-essential travel, hundreds of work computers were carried home, makeshift desks created and back supports ordered online. The nation became remote workers overnight.
Throughout this uncertain period one aspect which has made things undoubtedly easier is technology. We are all now well-rehearsed in virtual pub drinks with friends and video calls with colleagues.
Whether your vice is Zoom, Microsoft Teams, Google Hangouts or good old Skype for Business, teams have had to rapidly adjust to communicating online.
Yet without the sophisticated IT security systems of the office, employees are becoming more exposed to security threats and intrusion. So what can HR do to protect its employees?
It is an unfortunate fact of life that there will always be those who take advantage during a vulnerable situation, and coronavirus has been no different. As the world collectively mourns and readjusts, the number of hackers and malicious parties trying to access information online has increased. The Chartered Trading Standards Institute estimates that the UK has been the most heavily targeted country for COVID-19 related phishing emails.
In a study of 1,000 businesses by IT security firm Barracuda Networks, 46% had experienced at least one security incident since the lockdown, with more than half (51%) recording an increase in the number of email phishing attacks. And there’s no predicting what or who will be targeted.
In May, legal firm Grubman Shire Meiselas & Sacks, which boasts clients including Lady Gaga, Lil Nas X and Robert De Niro on its books, was compromised, with hackers claiming to have 756 gigabytes of data including contracts and personal emails. EasyJet also revealed that the personal information of nine million customers was accessed in a “highly sophisticated” cyber-attack on the airline. No passport details were uncovered, but hackers stole 2,208 credit card details.
Cybersecurity and data breaches have always been a threat to modern workplaces. Yet there is growing concern that as more of us log on every morning from the comfort of our own homes, private data is more at risk of being intercepted.
Office-based workers are usually protected by a sophisticated anti-malware system which flags and blocks suspicious emails, but many home networks do not have the same protections.
“Cybersecurity is a real and constant threat to organisations and individuals,” says Ed Griffin, director of HR consultancy and researcher at the Institute of Employment Studies (IES). He argues that the increased security risks come from a variety of challenges which are not always easy to resolve.
“Many individuals are experiencing connectivity issues which means they may be saving confidential or sensitive data to their personal tech rather than to secure shared drives. Employers need to establish basic requirements for home tech security and ensure line managers cover the issues in virtual one-to-ones.”
The threat takes many forms. It can appear as a lure link, an unknown email address hidden behind the name of a colleague, or a call being intercepted.
John Chapman is chief information security officer at DellEMC UK Public. He says the variety of methods hackers use adds to the overall problem. “Individuals using personal devices for work purposes may inadvertently expose their company to unnecessary cyber risk, as personal laptops and mobiles are unlikely to have the level of cybersecurity protection or management needed to ensure the confidentiality of customer information.
“Workers without access to VPN who use unsecured home broadband with default, weak or shared passwords are susceptible to ‘drive-by’ hacking. Similarly, using public WiFi networks, especially those with no passwords, can also pose a significant security threat.”
Despite the large risks to individuals and organisations, UK workers are currently not concerned, according to research conducted by Promon. When polling 2,000 remote workers to better assess where organisations may be exposed during the pandemic, it found 77% were not worried about security while working from home.
Matt Phelan is all too familiar with the damaging impact this new wave of hackers can have, after a Zoom call he was part of was hacked. The co-founder of the Happiness Index is now trying to stop others from falling into the same trap. He said: “On a recent Zoom call one of the guests’ machines was taken over and started posting graphic images via the presentation function. We had followed the two main security guidelines of password and waiting room.
“We have reported it to the police and I have exchanged emails with the CEO Eric Yuan and CTO Brendan Ittelson of Zoom to help them stop this happening to other users. In the virtual world just like in the real world there are malicious people who will go out of their way to try and harm you. If this happens to you, cut the call immediately and have all attendees run a virus scan.”
Yet Phelan is adamant that any setbacks must not prohibit communication while working remotely. He added: “Despite setbacks like this, video conferencing is an important part of the future and is essential for companies to cut pointless commuting, help the environment and enable remote working.”
On top of the obviously shocking nature of these hacks, one of the most difficult parts to comprehend in this new world is the feeling of distrust and uncertainty an invasion of privacy can cause.
For many employees, this period may be the first time they have willingly allowed colleagues to see the insides of their homes, shared their personal lives or even removed the paper covering up their webcam. So the possibility that this new level of trust could be breached by external forces during what could be an extremely confidential and sensitive call, particularly when it comes to conversations with HR, should ring alarm bells for organisations.
Where personal and professional overlap
It is extremely hard to create a divide between work and life when these two elements of our livelihoods exist in the same place. This lack of divide is why many organisations are seeing their staff use work devices for seemingly innocuous things such as browsing through Asos or making a Zoom chat out of hours. Yet malicious ads are likely to appear anywhere, from e-commerce and media sites to porn sites. Yes, employees have been found to use their work devices for this, too.
Similarly, it’s vital that employees don’t use their personal computers for work-related projects. Sixty-one per cent of workers in the Promon study said they were doing this while working remotely, yet employees could be putting themselves in unknown danger.
Chapman adds: “Using personal email addresses could compromise sensitive customer information and breach regulations such as GDPR if hacked. Cybercriminals are using the virus outbreak to take advantage of people’s fears to steal identities and passwords. Convincing phishing attacks have stepped up markedly with hooks such as ‘for the latest on WHO advice please click here.’”
The GDPR regulations were something of a minefield for HR when they were first introduced in 2018. The threat of an online security breach means HR must work quickly to minimise the risk, says Francesca Mundy, lawyer and editor of Sparqa Legal. “Any data that the business handles that contains personal information will trigger data protection law and businesses must remember their data protection obligations at all times.
“If there has been a personal data breach due to a cyberattack and that breach carries some risk to individuals, businesses will have to notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
“They may also need to notify affected individuals. Even if they do not need to report the breach to the ICO (because they don’t think there is a risk to individuals) they should still keep a written record of it.”
Mundy advises HR to report any potential cybercrime to the Action Fraud website and to consider signing up to the free Action Fraud Alert service, which provides updates about cyber scams and fraud in their area.
She adds: “These legal obligations serve as a reminder of the importance of businesses having effective cyber security policies and procedures in place to ensure that they can both protect their business from attack and comply with their legal obligations if and when an attack does occur.”
The big switch
Like many organisations, the British Heart Foundation (BHF) has switched its employees to remote working for the foreseeable future. Though cybersecurity is an issue for its director of people and organisational development Kerry Smith, investing in new technology over the last two to three years has meant the organisation has minimised its risk.
She says: “Our cybersecurity team has increased proactive monitoring to avoid any potential threats and ensured our existing technologies can cope with the increase in remote working.
“We communicate regularly and run training about the risk of online threats, particularly in relation to the increase in phishing attacks in the charity sector. Awareness of these issues is continually increasing across the charity and is at a comfortable level.”
The BHF also offers formal cybersecurity training for its staff. “Everyone that joins the BHF takes part in mandatory training during their first three months which includes a specific module on cybersecurity. We rolled out mandatory data protection e-learning training to all staff last year, which was in three modules,” adds Smith.
“We also require that every new starter undertakes data protection training. The module covers various elements to be aware of such as phishing scams and how to report them internally. There is also regular engagement with all employees on cybersecurity matters to help maintain awareness.”
Training emerged as the number one solution to the increased online risk across all the organisations HR magazine spoke to. Some cybersecurity vendors have begun to offer free online training programmes to help bring remote workers up to speed on essential security topics, such as how to identify malicious websites or ways to prevent phishing attacks.
Mundy also recommended that HR update its procedures and policies to help set out expectations for staff in relation to data security and confidentiality.
She says: “To comply with data protection obligations, it is likely to also be appropriate to have a separate data protection policy setting out what duties staff are under when they are handling personal data, including ensuring that it is processed securely at all times.
“If you allow staff to use their personal devices while working from home, consider a BYOD (bring your own device) policy to address the additional security risks that will arise. For instance, this will help you to ensure that appropriate security measures are taken when it comes to handling sensitive information, including any third-party data, on personal devices.
“It will also be beneficial to have a personal data breach policy setting out the business’s response plan in the event that a data breach occurs following a cyber attack.”
Chapman also encourages HR to conduct more one-to-ones to make sure cybersecurity is on their radar. He adds: “Working from home can introduce additional pressures of loneliness or the juggle of work/family commitments, which can impact a person’s ability to perform to the best of their ability.
“Something we’ve found incredibly helpful for employees’ sense of connectedness and mental wellbeing has been the introduction of regular ‘off-topic’ one-to-ones and team meetings.
“For more than a decade, we’ve built a culture around the idea that work is outcome-based, not anchored to a specific place or time. Still, for many people and businesses, there will be a period of adaptation to a different way of working, now and in the future.”
Proving that cybersecurity truly is a minefield is the added issue of an ‘insider threat’. This is where an employee from within the organisation reveals sensitive information. David Lorrimer, director at law firm Fieldfisher, says instances of an ‘insider threat’ by an employee, which many companies may not be focussed on, could expose organisations to significant damage at a critical time.
He says: “Typically the insider threat captures staff members who unintentionally cause damage, for example by clicking the link in the phishing scam email or unwittingly publishing data to a public and unsecured filesharing facility.
“We know that there is an increased risk here, as businesses’ information security functions will be focussing on other challenges such as transitioning staff members to home working environments, and opportunistic nefarious actors are increasing activity.”
As the economy slumps and many businesses are unable to operate, HR has unfortunately had to have plenty of difficult conversations regarding redundancies and furlough arrangements. For a nation which prides itself on its work ethic (rightly or wrongly), this was a particularly hard pill to swallow for some employees, leading to feelings of bitterness and resentment towards employers.
“Perhaps less commonly, those staff members who are motivated to damage an organisation. As employers are forced to make difficult business decisions around furloughing, career progression and redundancies, this category could increase too,” adds Lorrimer.
He therefore echoes Mundy’s sentiment that employers ought to update their policies and rules and roll out virtual training to minimise risks.
“While there are many priority items competing for the attention of employers’ compliance, legal, HR and information security functions, failing to take action here could result in material financial and reputational damage, at a time of particular vulnerability,” Lorrimer says.
When used correctly, tech can be a marvellous feat which enriches our lives and helps to keep us connected and engaged (as seen on pages 42-43). But if we are to appropriately convert to new styles of working, with flexibility and remote access at their core, employees will need to better understand the risks this lifestyle can pose.
When contacted for comment on this feature, many HRDs directed us to their heads of IT rather than choosing to discuss the issues themselves. This is indicative of the current attitudes towards cybersecurity and where the responsibility lies.
Given the threat to both organisations and employee safety at this critical time, HR should be aiming to lead the way in this ‘new normal’. An understanding of cybersecurity, and of how to keep employees safe online, is a fundamental part of this.