Increased Operational risks as a result of the global pandemic
April 27th, 2020
Impact of the coronavirus crisis
Businesses around the world have been forced to respond rapidly, and on an unprecedented scale, to the global pandemic. Governments in many countries imposed a range of lockdown measures, which meant that millions of organisations globally had to shift their employees to remote working.
In normal times, businesses would have undertaken risk management assessments and detailed planning to move from office-based to home-based working.
However, during the initial wave of the crisis, these changes had to be made immediately in order for operations to continue.
Cyber and phishing attacks on the increase
Unfortunately, criminals are not shy of using global pandemics to their advantage. Cyber attacks are on the increase and so are phishing scams.
In fact, the World Health Organisation reported a dramatic increase in the number of cyberattacks directed at its staff in March.
Additionally, there have been numerous email scams targeting the public at large. A study by IBM found that coronavirus-themed spam increased by 14,000% in the two weeks from mid to end March.
Increased business risks as a result of the crisis
Many businesses had to make employees work from home, which represents a significant change to working practices. Therefore, it is essential to risk-assess these new operations.
Information security risks
There are a number of information security risks employers need to consider.
Controlling access to systems
Employers need to ensure that access to existing systems is granted securely when employees are working from home. Equally, when employees are furloughed, it is imperative that their access to all business IT systems is removed.
There have been numerous stories of new software being hastily adopted and not configured securely, because businesses did not have the skills to fully understand the security issues.
Employees may be unable to follow the same secure data handling practices from their home office.
Protect systems from cyber attacks
Now, more than ever, businesses need to take the necessary steps to make sure their IT systems and networks are safe from cyber-attacks.
Importantly, this is not just because of data protection regulations. Businesses also need to be aware of ransomware attacks, where criminals take control of your data and demand a ransom for releasing it.
Ensure employees are alert to phishing scams
There has been a huge increase in the number of phishing and scam emails.
Often, users are duped into thinking that the email is from a credible organisation, such as their government.
They are then asked to provide information such as passwords or financial data.
Therefore, it is essential that employees have awareness training.
Use of employees' own devices
Are your employees using their own devices? If so, what steps should employers take to secure these devices and reduce the likelihood of data loss?
Equally, when employees use their home wifi, is there an increased likelihood of data loss?
Health & Safety risks for remote workers
Additionally, employers still have a responsibility to ensure that adequate Health and Safety standards are in place for home working.
So, we have ensured that our employee working-from-home (WFH) assessment addresses those risks too.
An employee working from home assessment
At Data Protection 4 Business, we have created a Working from Home employee assessment to help employers.
The information collected through the assessments will enable employers to identify new and increased security and data risks.
What are the benefits?
Firstly, by completing the assessment, employees are attesting to the individual setup of their new offices.
Additionally, these assessments collate valuable information to help employers secure their IT systems and data from the increased risk of cyber-attacks and phishing scams.
Finally, the assessments demonstrate that your business is meeting the Accountability principle under GDPR.
Why is this important?
As a business, your obligations under the data protection regulations do not disappear during the crisis.
So, it is important that there is a risk framework which managers can use, in order to quantify the increased risks to the business.
In addition, the increased penalties introduced with the EU General Data Protection Regulation have increased the operational risks for many businesses.
Risk of GDPR penalties
A lot has been written about the potential for large fines, so it is worth taking a look at what these could be.
Highest maximum fines
Most headline penalties are based on the highest maximum level of fines. These are 4% of global annual turnover or Euro 20m, whichever is higher.
Therefore, it is important to understand which compliance failures could lead to higher penalties.
In summary, any violation of the core principles of the data protection regulations carries the higher maximum fines.
As an example, this might include the failure to uphold the rights of the individual, such as the right of access to data. Equally, the unauthorised transfer of personal data to third countries also falls under this category.
Standard maximum fines
In addition to the highest fine level, there is also a standard maximum level. Currently, this is 2% of global annual turnover or Euro 10m.
This level of penalty applies to violations of the administrative requirements of the regulations, for example breaches of the data controller or processor obligations.
Factors to consider
The size of the penalty will depend on a number of factors:
- the behaviour of the organisation
- whether steps have been taken to be compliant
- if so, whether these can be demonstrated to the ICO
- whether the culture within the organisation values data protection
What does this mean for your business?
Well, you can take a number of risk reduction steps, for example a review of all home working setups, and staff training in safe data handling practices while working remotely.
Importantly, a review of all home working procedures, carried out together with IT and GDPR security professionals, will help identify the risks.
How we can help
At Data Protection 4 Business we provide consultancy on IT systems and data security. In addition, we can help you with your risk management framework.
Contact us today, or complete the form below. We would be pleased to help.