The Biggest Cyber Threat To Your Business Could Be Your StaffPosted in : Supplementary Articles ROI on 11 August 2021
Cybersecurity has become a major cause of anxiety to companies worldwide and is now second only to the chaos caused by the COVID-19 pandemic.
The most recent PwC Global CEO Survey shows that nearly half of CEOs cited cyber as the biggest anxiety in 2021, up from 33% last year. And among CEOs in North America and Western Europe, it is the top business threat, and therefore the number one priority for CEOs in North America (69%), Western Europe (44%), the Middle East (41%) and Asia (40%).
With the increase in high visibility cyberattacks that have occurred since the beginning of the pandemic, there is a good reason for concern. The HSE cyberattack has shown just how much destruction cybercriminals can cause and it’s crucial organisations protect themselves against external threats and internal complacency.
According to HP Wolf Security’s Blurred Lines and Blindspots report, 76% of office workers say that working from home during Covid-19 has blurred the lines between their personal and professional lives.
The report found that half of the respondents now see their work device as their own personal device and 46% admitted to using their work laptop for ‘life admin’. Additionally, nearly 30% have lent their devices to someone else.
There have also been concerns about accessing data. HP Wolf Security’s report found that 71% of office workers surveyed are accessing more company data, more frequently from home than they did pre-pandemic.
Workplace security and compliance specialist CWSI has found that Irish businesses are seeing bigger increases in cybersecurity attacks than their European counterparts.
A European survey from CWSI revealed that 54% of Irish companies have seen a rise in cybersecurity breach attempts in the last year, the highest in Europe and compared to 42% on average for European firms.
Phishing is perceived to be the highest cybersecurity threat in Ireland (76%), followed by human error (58%) and ransomware (46%), CWSI said.
But just 68% of Irish organisations have carried out mobile security awareness training, and just 35% carry out regular penetration and vulnerability tests for mobile devices. See more on this from RTÉ: https://www.rte.ie/news/business/2021/0726/1237266-ireland-sees-biggest-rise-in-cybersecurity-attacks/
Key Data Protection Considerations Relating to Home Working
What does the DPC identify as some of the key operational and practical data protection considerations for remote working?
- Employers may need to send workstation equipment to employees (especially new hires) and as such will need to provide the IT and logistics department (and perhaps third-party delivery service providers) with employees’ addresses. The employee needs to be informed in advance that the department will be sending out the equipment and using their home address (their personal data) to do so, on the basis that the employer has a legitimate business need and therefore a legal basis for data processing.
- Another consideration is that of monitoring employees’ emails and activity on employer-owned IT equipment and/or over employer networks. Any such monitoring must firstly be justified on the basis of strict necessity and proportionality. Employers must adhere to the principle of data minimisation. Any monitoring or surveillance must not be excessive and must be flagged in advance to employees, typically in an employee privacy statement.
- Employees also need to be reminded of the applicable policies in your organisation around the use of email. Employee awareness campaigns and training sessions on email etiquette should include reminders on:
- Avoiding using work email for personal matters;
- Ensuring employees are sending an email to the correct recipient, particularly when the email contains a lot of personal or special category (sensitive) data;
- Warning of the dangers of accessing work information over public networks which are not secure and can easily be intercepted; and
- The steps involved in your internal data breach notification procedure, as employees are often the key.
- Ensure all IT devices are routinely secured, encrypted and updated by your IT department and such efforts are recorded.
- If employees are handling physical files and papers containing personal data from their home or remote workspace, ensure they are aware that data protection and confidentiality also applies to these. They must take steps to protect the confidentiality of these papers and store them securely when not being used and destroyed appropriately when no longer needed.
- Regarding recording information on the employee’s health in relation to Covid-19 – information regarding a Covid-19 test is considered to be an employee’s special category personal data and must be treated accordingly. If an employer wishes to record such information it is best to anonymise it to avoid any potential data breaches.
For more detailed information on some of the key considerations on remote working and data protection, see this recent article on the Legal Island Hub from Deirdre Crowley and Eimear Boyle of the Technology and Employment Law Units at Matheson: https://www.legal-island.ie/articles/ire/features/hot-topics/2021/apr/key-workplace-data-protection-considerations-in-the-remote-working-environment/
Legal Island Training Resources for Your Staff
Protecting Data when Home Working | eLearning Course
With more organisations now adopting remote working, what are you doing to protect your employees, customers and reputation? Compliance around data and data protection for remote workers is very important. This is why we created a 30-minute course to protect you and your organisation.
Cyber Security in the Workplace | eLearning Course
It is vital that your employees have an understanding of the importance of cyber security and the dangers which may be present in your workplace.
Legal Island’s Cyber Security in the Workplace eLearning course is tailored specifically to Irish law and provides comprehensive compliance training for all employees on cyber security practices in the workplace.
More on Data Protection & Freedom of Information
- Investigation reports, Inter company disputes and Subject Access Requests – How do I handle it?
- Use Of CCTV In Disciplinary Processes: New Ruling from The Court Of Appeal
- Court Of Appeal: Use of CCTV Footage In Disciplinary Proceedings
- Doolin v The Data Protection Commissioner 
- The Data Protection Commission’s Annual Report for 2021 - Key Takeaways
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.