Keeping your data safe as your employees work from home

31 May 2020

Keeping your data safe as your employees work from home

As companies scurry to adapt to socially-distanced staff members working from home, protecting company data from video conferencing, home WiFi breaches and employees’ personal devices becomes increasingly important. Excel V. Dyquiangco explains.

The Covid-19 health crisis has forced many companies and governments around the world to make full use of digital technologies to confront this rising pandemic. Unfortunately, along with this comes a host of challenges, perhaps the most visible of which is the recent privacy issue on Zoom that may have violated or infringed the intellectual property rights of the video conferencing app’s users.

But more than that, technology in general has posed certain concerns in this day and age of lockdown and social distancing. How is your data being treated during this time of pandemic?

“There are hackers, opportunists, and online criminals who are taking this crisis, panic and emergency to try to lure people into all kinds of tricks by accessing their data and violating their IP rights,” says Suaran Singh Sidhu, a partner at Law Partnership in Kuala Lumpur, an associated firm of Eversheds Harry Elias. “In view of the current crisis and emergency around it, their systems become vulnerable.”

He adds that since people are now moving out of their comfortable offices into their homes, hackers may want to see what they can get out of their data.


The issue on video conferencing

The most recent of this issue involved Zoom, which has surged in popularity for business and social users alike during the early days of the pandemic. In Singapore, the Ministry of Education (MOE) initially used the Zoom video conferencing platform for students to engage in online live lessons. Unfortunately, there were two incidents of security breaches in lessons conducted via Zoom during the first week of full home-based learning. The MOE, therefore, temporarily suspended the use of the video conferencing platform to ensure that the security issues are ironed out and that teachers were adequately trained on the use of the platform for secure video conferencing.

Weiyi Tan, a partner at Eversheds Harry Elias in Singapore who specializes in compliance and investigations, says that since the incidents, Zoom has released new versions of the software, adding enhanced security features. “The MOE also now centrally manages teachers’ default security settings with Zoom to further secure the platform across school users,” she says. “Teachers have been provided with a checklist and a guide on putting the necessary security settings and protocols in place before they use the platform. With these measures in place, there is added confidence in the platform.”

In Malaysia, meanwhile, the Ministry of Education has yet to ban teachers from using Zoom for distant teaching purposes. However, Sidhu says that Malaysian teachers should be cautious when using Zoom to conduct online classes. “If Zoom’s security issues persist, then Malaysia should consider banning Zoom for teaching purposes,” he says. “In the meantime, there are other alternatives that teachers could use if they have concerns such as Google Classroom and Microsoft Teams.”

More recently, Zoom meetings were routed through servers in China which, according to Sidhu, poses a risk of personal data being exposed and the contents of meetings being monitored by Chinese authorities. This issue raises privacy and confidentiality concerns.


“It is important to note that usually, Zoom calls are routed within the same region where they originate and end,” he says. “However, during spells of heavy traffic, the video conferencing service shifts traffic to the nearest data centre that has the maximum capacity at that time. However, the China server should never have been an option for non-China participants. While the routing of calls to China may not necessarily be a problem, the nature of encryption on these calls is. There were issues on Zoom not providing end-to-end encryption for video calls despite their mentioning that they did.”

Tan adds, “There will be data privacy issues in terms of sharing personal information, as well as confidentiality issues if you share proprietary information that belongs to your company over these social media applications and platforms. Hackers will continue to challenge existing protocols and develop new ways of overcoming them. Therefore, it is essential that video platforms constantly take steps to upgrade their security protocols and ensure that users are kept informed of these updates and take steps to apply the appropriate security features.”


Phishing and other data applications

Phishing has been an age-old problem even before this pandemic. But during this crisis, concerns about phishing, where users receive an email that seems to be legitimate but isn’t, have been heightened. Recently, the World Health Organization (WHO) issued a statement that there have been many domains, which are not related with WHO, designed to lure people into thinking they are getting a message from the WHO. In addition, the National Security Council of Malaysia has also come out with a list of illegitimate and questionable emails.

Even when emails look legitimate, there have been instances when they have been forged. The same is true of WhatsApp and other messages.

In another instance, there have been malicious applications purporting to have been launched by government organizations. In Malaysia, there was an app called Perdana Menteri Malaysia App (Prime Minister) which required users to give out their bank details – until Cyber Security put a stop to this, saying that the app was illegitimate. Another was the Business Email Compromise Scams (BEC), where email addresses of personnel or executives were spoofed or compromised. In order to avoid this from happening, Sidhu says to look at the manner in which emails are being sent out in the office; the biggest takeaway here is to verify and to check whether this is legitimate or not.

“Emails are a treasure trove of data that can be stolen,” he says. “For example, you use Google and Outlook in your many devices, thinking that it is easier for you to put all in one and access it from there. Some of these applications are extremely not safe – they are actually seeing your data and seeing what is actually inside that data because you have given them full access, and beyond. So, try not to use email applications that are not certified, verified, or recommended by your company.”


Sidhu says to also change passwords regularly so that even if your password has been compromised, that compromise stops moving forward. Updating apps can be a painful thing to do, but those who are not in the habit of doing so can be feeding information to hackers. “Hackers will realize the app problems [early], and they will take advantage of those versions.” he says. “The hacker would know that those people who have not updated are vulnerable to that.”


Use of personal devices

With many people working from home these days and using their personal devices for work, trouble starts. According to Tan, personal devices are not part of the IT structure that the company has set up.

“In the office environment, the company IT would set up infrastructure to safeguard the company’s proprietary or confidential information, so if your work computer gets stolen, for example, the IT department may be able to remove the information on your work computer as a way of controlling or containing your information,” she says. “Employees using their personal devices may not have security software installed in their devices, unlike devices issued by the company which are subject to the company’s IT security systems. Hence, the risk of data theft increases.”

Personal devices are often equipped with consumer-grade anti-virus protection which may not be sufficient against sophisticated cyber attacks. Employees may also forward sensitive information, including personal data and social media accounts, leading naturally to data theft.

WiFi is also susceptible to attacks, as neighbors can easily access this and other information. Closed environments such as condominiums or other high-density places are most vulnerable.

Sidhu also says not to mix the office computer with the personal laptop, as this is not a safe environment. “Find ways to strengthen that by putting in additional security measures,” he says. “Keep them distinct. Office laptop only for the office and personal emails only on the personal laptop. Go and use a web browser for it, and keep those two things distinct.”

Tan agrees, “Keep your work documents in your work computers or keep work documents in a secure environment. And don’t share sensitive information online, because this is susceptible to hacking.”


Collecting data

Even before the lockdown happened, in Singapore, companies have been taking and collecting personal data of their employees, including their passport information and their body temperature, for the purpose of tracing and making the necessary disclosures to government agencies in the fight against Covid-19.

“In certain situations, data collected are also disclosed to other companies or commercial partners with whom you have dealings and, in turn, the information may be delivered somewhere else just to see if everyone has been exposed to the virus,” says Tan. “If we look at this basis, we can deal with personal data if consent is procured. Consent may be found in employment contracts, but for third parties, they would not have given you consent prior to going to your office. The argument is that this is necessary to find who is infected with the virus.”


She notes that it is about how to mitigate the legal risks of sharing sensitive information, and that it is very important that the information gathered is proportionate to the need. “Don’t over collect. There have to be control measures in place to make sure that the data is secured and not subject to theft,” she says.

In Singapore, the Personal Data Protection Commission has issued guidelines to organizations to tell the people that they can collect personal data, that no consent is required, but also states the protocols and guidance to what can be put in place.

“Organizations can collect without consent because it is necessary to respond to an emergency that threatens the life, health and safety of other individuals,” says Tan. “They also said that NRIC numbers can also be collected, but you have to comply with data protection provisions. We should always ensure that data gathering is reasonable.”

She adds that when using contact tracing apps, know when personal data is going to be used.


Force majeure and the need for a business continuity plan

Because of this pandemic, force majeure clauses have become increasingly important. According to Sidhu, cyber security attacks are included in the force majeure clause as a new thing to protect against.

Moreover, in the event that this happens, business continuity is important.

“Many of the technological inputs that are required for an organization to operate requires some level of outsourcing, although every delivery is dependent on a key technology vendor,” says Rhys McWhirter, of counsel at Eversheds Sutherland in Hong Kong. “This could be as simple as an email server, a document management repository platform, to far larger and more strategic platforms such as Microsoft to IBM to the running of contact centre solutions.”

McWhirter adds that with force majeure, there should be a business continuity plan which includes the disaster recovery plan.

“A business continuity plan (BCP) outlines the specific procedures that organizations must follow in the event of a disaster so this typically covers business processes, assets, human resources, business partners and technology,” he says. “We also look at discovery recovery options, and this is very different from the BCP in terms of technological policies. These are often used to describe the restoration of business functions, but the discovery recovery option is more on the IT infrastructure and the operations of enterprises.”

 “The need for a business continuity plan and robust business continuity provisions in your key technological contracts is no longer a matter of best practices,” he says. “It is in fact a matter of regulated requirement in your technological outsourcing arrangements.”


Prepare for the long-haul

“Even after the quarantine is lifted, it is likely that physical distancing will need to stay in place until the virus can be contained or a vaccine is found,” says Tan. “As such, organizations that can work remotely may continue with these practices. Some might even reduce work time in the office and promote more remote work. Meetings, conferences and exhibitions may turn to online platforms instead of the traditional face-to-face practice. According to the World Health Organization, cancelling social and religious gatherings in the future should be seriously considered and virtual alternatives should be used instead. Therefore, it is likely that people will continue to use online platforms to carry out their day-to-day activities.”

Law firms

Please wait while the page is loading...