Fortress or Sandcastle: Cybersecurity risks of working from home

---

COVID19 has led to more and more people working from home.  This trend will continue in the future.  Homes are not made of bricks and mortar in cybersecurity terms.  Cybercriminals are finding it easier to huff and puff, and blow these straw houses down.  Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt explains why and suggests what can be done.

There is no overarching cybersecurity law in Hong Kong, unlike locations such as mainland China and Singapore.  However, there is plenty of law and regulation on the subject.  Businesses operating in the financial services, telecommunications and healthcare sector, in particular, have specific regulatory obligations to meet.

Last week, for instance, the Securities and Futures Commission (SFC) issued a circular to remind licensed corporations to assess their operational capabilities and implement appropriate arrangements to meet cybersecurity risks associated with remote working.  The key risks the SFC identified are:

1. Remote access to internal networks: The security measures recommended by the SFC include:
    
   1. implementation of robust virtual private network (VPN) solutions using multiple VPN servers
       
   2. use strong passwords and two-factor authentication for remote access login
       
   3. implement security controls to prevent unauthorised installation of hardware and software on devices provided to staff
       
   4. implement robust network segmentation

 
2. Videoconferencing platforms: The security measures recommended by the SFC include:
    
   1. formal assessment of security features of the videoconferencing platform
       
   2. require participant registration for attendance in the videoconference, and restrict access to those registrants (via a waiting room facility)
       
   3. use random meeting ID’s, not personal meeting ID’s
       
   4. enable and use password protection and other privacy and security features

The SFC also stressed the importance of providing cybersecurity training at this time to provide staff guidance on cybersecurity and risk management in respect of remote working.

We can also look at cybersecurity through the prism of personal data.  The basic data security principle is that a data user must take all practicable steps to protect the personal data it holds against unauthorised or accidental access, processing, erasure, loss or use. Data users must take account of the nature of the data, and the potential harm if those events happen.  Also, the data user must take all practicable measures to ensure the integrity, prudence and competence of persons having access to the data.

This may be the obligation of a data user in respect of personal data, but it is an appropriate standard for all proprietary or sensitive data held by a business.  If an employee accesses proprietary or sensitive data in his home, then a properly managed business must take steps to ensure that the data are protected against unauthorised or accidental access, processing, erasure, loss or use in the home.  Yet this is frequently not the case in the best of times, and it is even less the case during COVID19.

The reasons for increased cybersecurity risk from working at home include:

1. Poor home digital health.  This can include desktop and wifi access without passwords, home shared networks, inadequate virus protections, insecure access to the internet, IT systems that have not been updated with latest upgrades or patches, and cross-infection from bad personal IT practices.
    
2. Poor information security governance.  There is a significant risk of sensitive documents and information being stored on personal computers.
    
3. Poor oversight.  Management and IT teams are remote.  Training is reduced.  Reporting is sporadic.  The home is not a professionally managed work environment.

All of these risks have been amplified by the sharp increase in working from home brought about by COVID19.  Additionally, remote-working at scale substantially increases the burden on IT teams, who themselves suffer greater inefficiency by operating substantially remotely.  All this when actually heightened vigilance is needed because of the change in patterns of usage.

The overall result is data sprawl.  More data on more devices in more locations.  It is a cybersecurity nightmare.

Data sprawl creates prime pickings for the cybersecurity criminal.  COVID19 has seen a rapid increase in phishing attacks.  Phishing is a cybercrime usually conducted by email in which the criminal poses as a legitimate company or person to request individuals to provide sensitive data and passwords.  These are often sophisticated approaches that exploit vulnerabilities of character and personality, as much as vulnerability of IT protection.  An email that appears to be from a business supplier (slightly misspelled) that requests the recipient to open an attachment to view the business resumption schedule.  An unsolicited email from a fraudulent website that promises the latest information on COVID19 if you just click that link.  Before you can say big bad wolf, data is lost, stolen or ransomed.

More blunt cyberattacks become straightforward in this environment.  Home IT systems and software may not have been updated with the latest patches or upgrades.  Poor passwords, encryption policies, authentication processes and administrator governance all offer ways for the outside threat to find a way in to wreak havoc.  Or simply silently steal data and then hold the data for future exploitation.

Data sprawl is also a cloak that conceals the conduct of the insider threat.  The inside threat can reveal itself as:

Malicious:  An employee who wishes to extract confidential proprietary data to set up a competing business or to share with a competitor. 

Blissfully unaware:  An employee who works in coffee shops using unprotected, open wifi’s. 

Careless:  An employee who saves documents to his thumb drive so he can work outside, and loses his laptop and thumb drive on that journey. 

The convergence of the business and personal worlds can lead to a casual attitude to IT security.

So what to do?

Management.  Cybersecurity – now more than ever – is a senior management issue.  There should be a direct reporting line from the head of the IT team to the CEO.  IT security should be a standing item on the Board agenda.  At an operational level, an IT audit should be conducted so that the IT team knows what will be used in the home environment and what is the environment of the home networks that will be used.  Each business should consider issuing its own devices to be used from home for business.  If resources allow – and I know that is a big ‘if’ – consider beefing up the IT team at this time so that they have resources to meet the additional risks they face.

Governance.  Each business should have clear guidelines on the use of IT for remote working.  Each business should review its IT Usage Policy to make sure it provides clear guidelines on remote working.  The Information Management Policy should clearly identify the data sources of the business, where and how those are stored, and how access is controlled – all on the basis that access to the workplace may be restricted.  The business’ Disaster Recovery Plan should give clear guidance to management on the steps it should take if a cybersecurity incident occurs.  This should consider that the disaster may mean restricted or no access to the physical workplace.  Personal Data Policies must govern the use, retention and security of personal data that contemplate a remote working environment.  Contractual arrangements with third parties should have clear use limitations and ensure that third parties are required to adhere to the same standards of security.

Training.  Governance matters for nought unless people know, understand and follow the guidance in the policies.  The weakest link in any cybersecurity defence is the human being.  The need for training and education is continuous and can be delivered remotely.  Training now can include simulated phishing attacks.  This can demonstrate how even the most confident of workers can be vulnerable to the human error that is at the root of most cyber attacks. 

Technology.  The technology response is critical.  Antivirus and spam software should be made available to home users.  Screening software to scan and assess threat levels of attachments should be deployed.  Those working from home should be reminded and prompted to install patches and security updates regularly.  Only business data should be permitted on business-issued devices.  Those devices should contain business data in a separate container that can be locked or wiped remotely.  Two-factor authentication should be required for remote access.  Access levels should be highly restricted for sensitive data.  Use of robust and multiple virtual private network software should be deployed.  Access should ideally be to a virtual desktop so that data remains within the business’ server environment.

And if the worst should happen…

Report a data incident to management as soon as it occurs or comes to light.  Assess whether the incident has resulted in data loss, erasure or removal.  If a data breach has also resulted in data loss, consider whether and what notifications to regulators are needed.  Consider whether any third-party liability under contract arises.  If cyber insurance has been obtained, consider notifying the incident to insurers.  Consider reporting any criminal act to the police authorities.  Most importantly, take legal advice, as proper advice followed promptly can prevent further damage, help mitigate reputational risk, and may assist in recovery of any property, data or funds that have been misappropriated.

COVID19 has brought cyber risk to the fore, but remote working will be with us long after COVID19.  Businesses must ask themselves whether they have the systems in place to ensure the same level of cybersecurity whether their people are in the office, at home, or on the road.  If not, now is the time to act.

Pádraig Walsh

If you would like to discuss any of the matters raised in this article, please contact:

Edited Video Transcription

There isn’t a single cybersecurity ordinance in Hong Kong.  This is different, for instance, to places such as China and Singapore which have a Cybersecurity Law and Cybersecurity Act.  Instead, in Hong Kong, we have the cybersecurity provisions in a few different areas in the legal framework.  We have the Personal Data (Privacy) Ordinance.  We have certain crimes that relate to cybersecurity.  Most cybersecurity regulation is on a sectoral basis. There are specific regulations for the telecommunication sector, the financial services sector, and the healthcare sector.  These are critical sectors and services in Hong Kong, and the regulators for those sectors are quite focused on cybersecurity.

Let’s take one example.  Just last week the Securities and Futures Commission in Hong Kong – which is the securities regulator – published a circular to all the licensed corporations giving them guidance on the very topic that we’re speaking about today: cybersecurity risks of remote working.  Even in the securities industry you can find the same flashpoints and hot buttons are there in respect of remote working.  The areas the SFC zoned in on were video conferencing – what we’re doing right now – and remote access to network systems.

The SFC focused upon the need for VPNs, and ideally multiple VPNs, for remote access, and a proper password and two-factor authentication standard for remote access.  Those sensible security controls also apply across the board to all businesses that have remote working.

On video conferencing, the SFC recommended basic privacy and security controls that are in the hands of the administrator and the user of the service.  Yes, they suggested a formal assessment of the video conferencing platform.  The other recommendations are the practical sensible recommendations you would expect.  Make sure that you only send invitations to people who you want to attend the session.  Don’t make passwords public.  Have a waiting room facility so that the host can control who to admit to join the meeting.  All very sensible, practical stuff.

The SFC circular is one examples of a common focus on cybersecurity among core regulators in the financial services sector.  Each of the core regulators – the SFC for the securities industry, the Monetary Authority for the banking industry, the Insurance Authority for the insurance sector – has a cybersecurity guideline or supervisory framework in place.  The common theme in these regulations is that cybersecurity must have the attention of senior management, up to and right at the board level.  Then, there must be governance, management and control systems in place to manage and meet cyber risks.

Let me clarify what people think of when they think of cybersecurity as opposed to what it really is.  Often times people think of cybersecurity as the external threat—things like malware, distributed denial of service attack, hacking – these kinds of things.  In reality, the biggest cybersecurity threat is a human being.  It is the people within your own workplace—wherever they may be working—what their habits are and what their human personalities and characters are.

Let me talk about phishing.  Phishing is something that is designed to exploit human frailty. There may be a malware bullet, but the delivery system is relies on human frailty to deploy that external threat inside the computer networks and infrastructure of the business.

Here’s a simple cybersecurity threat.  An employee loses a thumb drive.  An employee uses open Wi-Fi networks in a café shop.  More maliciously, an employee extracts data from the IT systems in order to set up a rival competing business.  These are all cybersecurity risks.

If you look at the fallout from a cybersecurity incident, then you can understand why businesses should take particular measures and steps to try and combat that.  

The fallout can be:

• criminal.  There are criminal offenses in some Ordinances relating to unlawful access to computers and theft of property including information, technology, and data.
• civil liability.
• reputational damage and loss.
• From an employee perspective, if you do the wrong thing, it could mean that you’re out of a job.
• If you’re in a regulated industry, you may be subject to regulatory fines and penalties under the regulatory code, or found to be no longer fit and proper.

So the fallout can be quite serious.

The way you address these risks is through management, governance, guidance, and controls.  Now as a lawyer, I see that in terms of putting in place policies and guidelines around a range of issues.  There should be an IT Usage Policy.  That can govern how you use hardware and software, how you use the internet and social media, and all other interaction between the employees, and the IT systems and networks of the business.  Now, there should be a section in every IT Usage Policy that deals with remote working. 

Remote working is not necessarily just the remote working we’re doing right now or have been doing.  It also includes business trips and any kind of activity where you’re not working in the physical environment of your business’ office space.  Why would that be a particular risk?  The risks arise for a few reasons.  There’s a difference in the pattern of usage of people who are accessing the IT network and systems.  The IT department themselves are working remotely and without the full infrastructure and support that they would be typically accustomed to in the office. There are multiple risks there. You try and address the user risks in the IT Usage Policy.

You should also have a retention policy in respect of data usage.  That’s particularly important in the circumstance that we’re now moving into which is looking at where people are moving from a remote working circumstance back to the office.  Your data retention policy should deal with issues like: What do you do with the data that is still on home systems?  It shouldn’t be there.  Now, there is an opportunity to clean up, and return data to be brought back to IT systems in the workplace, and destroy other data that should not be off-site.

You should also have a Personal Data Privacy Policy. This policy will deal with collection, use, retention, and security of personal data.  You should be adopting a data minimisation approach to remote working.  You should minimize the personal data that leaves the workplace and the workplace IT systems, particularly if the destination is an unprotected area of the home network systems.  

Cybersecurity in your remote working location is also a live issue.  Your IT department is likely to do an IT audit of the home setup of each remote worker.  What kind of Wi-Fi system is being used?  Is there a password on the Wi-Fi system?  What kind of VPN system is being used?  Is the access to IT work systems in a closed-loop?  Is two-factor authentication, access codes and password protection in place before you get into secure work systems?  Are there proper protocols in place to make sure that workplace documents do not get saved into home networks or downloaded to home networks and then forgotten about?  These are the kinds of things that you will look at in your policies and procedures.

And of course you’ll do training.  You can still do training on a remote basis.  Thinks of what we’re doing right now.  We are training you to make sure you know how to behave and conduct yourself when videoconferencing remotely. These are just some thoughts and tips in relation to the legal environment and regulatory environment and how it applies to cybersecurity issues in a remote working environment.

From the “Cybersecurity Considerations” webinar hosted by the Dutch Chamber of Commerce in Hong Kong.

---

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.