Privacy, cybersecurity challenges amid COVID-19 - COVID-19 blog | Deloitte Australia
Governments adopting trace-and-track apps to prevent the spread of the pandemic have raised questions about the ‘right balance’ between pandemic response and privacy considerations. James Nunn-Price and Manish Sehgal set out the risks and challenges for individuals and businesses.
The sudden global outbreak of COVID-19 brought significant challenges to our day-to-day lives. In recent weeks, several countries have begun to ease their COVID-19 lockdown restrictions, yet pandemic-related cyber threats appear undiminished.
In the face of COVID-19, from healthcare to commerce, cybersecurity and privacy rights have never been more important. Even before the pandemic, the World Economic Forum’s publication of The Global Risks Report 2020 listed cyberattacks as the biggest global threat after environmental risks.
Overview of cyber challenges
While the focus is on the health and economic threats posed by COVID-19, cybercriminals around the world are undoubtedly capitalising on this crisis. The impact of COVID-19 on cyber preparedness is broad. On the negative side it includes a rise in COVID-19-related phishing and ransomware attacks, slower detection of and response to cyberattacks because IT and security teams are spread too thin, and increased security risk from remote working and learning. There are positive effects too, such as the cyber posture of organisations naturally improving as a result of the pandemic.
Heightened cyber challenges include:
Although many of these cyber and privacy challenges existed prior to the COVID-19 pandemic, they now pose an even greater threat as the size and scale of connectivity for remote operations expands and the deployment of technology that collects data on the virus increases.
Protecting privacy, ensuring safety
The pandemic has prompted governments, as well as public and private organisations, to adopt necessary measures to prevent the spread of the virus and mitigate the health crisis. Nations are using leading technologies as part of an overall response to combat the outbreak.
Often such measures include collecting and processing a large variety of information related to people and employees such as names, addresses, workplaces, travel histories, and health information, sourced from tracing and surveillance tools, both on mobile devices and physical assets.
This aspect of accessing and processing information (private and health-related) has raised questions around the globe about the “right balance” between pandemic response, recovery measures and privacy considerations.
Tracing applications help to monitor and alert healthcare authorities about potential encounters with COVID-19. They have become highly recommended government tools, adopted by the public at large and used by health authorities trying to contain the pandemic.
Like most of the world, several nations in Asia-Pacific are working to flatten the curve. A common method is the active deployment of technology that collects data on the virus, including tracking and surveillance of those who have been infected.
Contact tracing applications being used in the region have diverse features including:
The paramount interest behind all of these variations is the protection of human life, and privacy considerations may be seen as a big ask in a crisis like this. Nevertheless, there is a pressing need to maintain the right balance between the two extremes. Privacy may be easily compromised in the absence of rights checks and controls in such contact tracing applications. Consider these examples:
To avoid compromising a user’s privacy, contact tracing applications should apply privacy principles such as “privacy by design” and “privacy by default” during the design and refresh stages. Before release for public use, a comprehensive data protection impact assessment (DPIA) should be performed to identify the potential impact on a user’s privacy and address it. While such technologies are in use, simple-to-comprehend privacy notices should be provided so that users understand: (1) how the data they enter, and the data collected via tracing features, will be used; (2) with whom the data will be shared; (3) why the data are being collected; (4) how long the data will be stored; and (5) where the data will be stored.
In addition, all processing of personal data should be proportional to the purpose of tracking the disease trajectory and safeguarding public health. Security controls including encryption and anonymisation should be implemented to secure the data, and to avoid any data leaks or manipulation by non-trusted third parties. After the purpose is met, and in accordance with local laws, data collected and processed should be securely disposed of.
The use of tracing apps and digital technologies seems promising for monitoring and curtailing the virus’s rate of spread, especially once lockdown measures are lifted. However, like many emerging technological advancements, these tools may bring privacy and security concerns, which need to be carefully managed to ensure optimum results in the battle against the coronavirus.
Remote working: the next normal?
Almost overnight, organisations worldwide found themselves in shut-down situations, where workers had to shelter and work from home. Prior to the COVID-19 outbreak, 27% of users globally worked remotely on the average weekday. Estimates as of 31 March 2020 suggest that now more than 60% of users work remotely.
In this new environment of remote working, many professionals are using personal devices versus company-issued machines to access organisational networks and systems. Here we highlight a few key cyber vulnerabilities of a remote workforce, and how to help mitigate the risks.
“Bring your own device” explosion, and collaboration tools. Many workers do not have company-issued laptops for home use. This means they are accessing corporate networks and systems on devices that may have vulnerabilities, or already be compromised. Likewise, workers are relying heavily on web conferencing and collaboration tools to do their jobs, which can be compromised by threat actors (“Zoom-bombing” being the most prominent but not the only example).
The use of such devices by employees working from home leads to a significantly increased risk of cyber adversaries accessing internal infrastructure where data and intellectual property can be accessed. Personal devices may not have the latest security patches, anti-malware tools, or a VPN connection to ensure a more secure connection to the business environment. Deloitte research indicates that 1,000-plus insecure personal devices connect to enterprise networks every day in 30% of US, UK and German companies, without IT’s knowledge.
Steps to consider
Increased volume of phishing targeted at employees and senior executives. The economic impacts of COVID-19 have spurred a series of wage subsidies and cash drives. As employees receive many communications from government entities and their employers, it is critical that they avoid phishing campaigns, for example ones disguised as relief payment plans.
Between 13 and 26 March 2020, there were more than 400,000 incidents of spam emails pertaining to COVID-19. Chief financial officers, in particular, have been targeted through campaigns to gain access to, and take over, their email accounts (e.g., via cloud API keys) in order to approve payments without their knowledge.
Suggested top actions
These and other cyber challenges are causing organisations to rethink their digital transformation initiatives. Organisations will rebound at varying speeds as they seek to include remote employee enablement and productivity into their plans and prepare for the “next normal”.
How we work will be one of the most pronounced changes, as many enterprises experience the morale, cost-saving and productivity benefits of a remote workforce. Flexibility will become the new norm – both from employer and employee perspectives.
COVID-19 will change our lives forever. New styles of working, new cyber issues, and new proposed policies and regulations will have a permanent impact. As organisations align their strategies and workforces around COVID-19, there are several cyber and privacy considerations to think about.
For the privacy of individuals, it is imperative that the right balance between pandemic response, recovery measures and privacy considerations is achieved. From a cyber perspective, the cyber posture and security hygiene of an organisation will naturally improve as a result of the pandemic, as companies adopt newer technologies and digital processes, with cyber embedded everywhere.
The key is for leaders to use their responses to the pandemic as an opportunity to grow, shaping future ways of working that are more efficient, effective and collaborative, with confidence that cyber risk is being managed effectively.
Authors: James Nunn-Price is the Asia-Pacific cyber leader and Manish Sehgal is the Asia-Pacific privacy and data protection leader at Deloitte.
Originally published in Asia Business Law Journal.
James is a recognised cyber expert and successful business leader who has contributed to service and cyber security innovation at businesses and regulators for over a decade. He has implemented good-practice cyber operations, managed services and global cyber incident response capabilities, and has led multiple complex award-winning projects for clients. James has given keynote addresses at conferences, been quoted a number of times in the press, written articles, appeared on live TV and radio and won awards.