Cybersecurity and data privacy in a COVID-19 era
Risks brought about by the implementation of remote working and contact tracing, among other measures
Risk management has widened its focus in recent years to encompass a series of non-financial risks, including cybersecurity, third-party, and conduct and culture risks. None of these issues is new for organisations, but the ongoing COVID-19 pandemic has sharpened the focus on cybersecurity and data privacy threats in particular.
According to Pacific Prime Thailand, the incidence of cyber crime increased by about 37% between February 2020 and March 2020, partly because organisations in Thailand implemented remote working arrangements during that period. This is not a surprise: as organisations shift towards greater levels of remote work, an increasing number of employees are working on devices that sit outside their organisation's firewall and the other perimeter controls that depend on it. In total, cyber crime has been estimated to cost Thailand some THB 286 billion per year, or about 2.2% of its national Gross Domestic Product (GDP).
In a similar vein, data privacy concerns came to the fore in Thailand with the introduction of contact tracing mobile applications that use Bluetooth or GPS-based technologies to track and trace symptomatic and COVID-19 positive individuals. User permissions, which mobile applications request in order to access a user's personal data on the device, were a particular area of concern: some users found that the permissions requested by these applications went well beyond what the stated purpose of contact tracing appeared to require.
For their part, regulators are also increasingly requiring organisations to demonstrate that their risk management programmes adequately address cyber and data privacy risks. In this article, we take a brief look at some recent regulatory developments in Thailand and propose some considerations for organisations seeking to take a more strategic approach to managing these risks.
Recent regulatory developments in Thailand
Thailand recently introduced two new laws pertaining to cybersecurity and privacy, both enacted in 2019: the Cybersecurity Act (CSA) and the Personal Data Protection Act (PDPA). The objective of the CSA, which covers both public and private sector entities, is to establish standard approaches to mitigating cyber risks for Critical Information Infrastructure (CII), that is, information and communications infrastructure deemed critical to national security.
The PDPA, on the other hand, regulates the way personal data is collected, used, disclosed, and stored by organisations. All organisations whose activities involve the personal data of data subjects in Thailand will be required to meet this data protection standard and to establish a lawful basis for each collection, use, disclosure, and storage of personal data.
Nevertheless, concerns remain around several issues relating to the PDPA, such as the sharing of health data by the insurance and other related sectors. With full enforcement of the PDPA postponed to 2022 in view of the pandemic, it is important that regulators and other stakeholders continue to engage with one another on shaping industry guidelines, so that sector-specific considerations can be taken into account and organisations can develop a better understanding of the PDPA's requirements.
Navigating the new normal
When it comes to cyber and data privacy preparedness, constant change is often the most difficult thing to manage in any organisation, and it is also what gives the adversary the greatest advantage. New ways of working, technology upgrades, personnel changes, regulatory adjustments, and changes in third-party systems can each introduce new, unanticipated vulnerabilities.
These changes, many of which have been accelerated by the onset of COVID-19, combine with the continual evolution of threat tactics to alter an organisation's risk profile, and if left unchecked they steadily erode overall readiness. To develop solutions that cultivate an innovative and secure environment, organisations should consider their cyber and data privacy strategies along three paths:
1. Establish a coordinated governance model
One way in which leaders can raise the profile of cyber and data privacy risks across their organisation is to establish an integrated governance model that is aligned with key business strategies and supported by consistent frameworks. To be effective, such a model should seek to break down silos between business units and product environments, so that security can be considered and implemented seamlessly across those boundaries.
2. Inventory the organisation's cyber vulnerabilities
Cyber vulnerabilities are embedded throughout the organisation and potentially its products, typically not through carelessness or accident but simply because of how interconnected those systems are. The natural next step, then, is to inventory critical assets, identify the associated risks, and pinpoint, to the best of the organisation's ability, exactly where those cyber vulnerabilities exist.
A solid first step is to document the organisation's critical assets. This includes taking stock of where data is stored, where single points of failure exist within supply chains, which processes are automated, and which devices are connected to which networks and servers. Much of this comes down to "hand-to-hand combat", in which leaders across the organisation will need to wade through each of their assets to determine if and where potential cyber threats may exist.
As digital transformations increase in scope and scale, taking a cyber inventory also needs to become a regular work process rather than a periodic event, because every new technology integration can give rise to new security considerations, and an inventory that predates the integration will not reflect them.
3. Invest in digital transformation
With an economic slowdown triggered by COVID-19, today's cyber and privacy leaders are also focused on digital transformation as an important strategy for achieving greater efficiencies while better protecting the business. This puts a spotlight on emerging technologies such as cloud, analytics, Internet of Things (IoT), and artificial intelligence (AI) as means to simplify environments, collaborate more effectively, manage data more efficiently, and enable better delivery of products and services.
Amongst many potential applications, these technologies can be used to build controls directly into processes, prioritise areas for testing and monitoring, review every transaction rather than relying on sample testing, and identify potential risk events in real time so that preventive action can be taken. By automating routine tasks, they also free up employees to work on higher-value activities. At the same time, each of them is itself a new technology integration of the kind described above: it expands the attack surface and must be brought into the asset inventory and governance model rather than treated purely as an efficiency tool.
Leveraging these emerging technologies, however, first requires organisations to prioritise having comprehensive, high-quality, and timely risk data. This is lacking in many institutions because they run multiple legacy IT systems for different lines of business or geographic markets, often the result of past acquisitions that were never fully integrated. The data challenge has only grown with the onset of COVID-19, with more data being generated from more sources than before as employees work remotely.
Ultimately, the reach of cyber risk and the evolving complexity of its accompanying threats will continue to tax an organisation's ability to focus effectively on business outcomes. As the COVID-19 pandemic continues to reshape the new normal, its accompanying cyber and data privacy threats will necessitate a shift towards greater collaboration and awareness across the enterprise, so that business outcomes are achieved with security considered from the outset.
The views and opinions expressed are those of Parichart Jiravachara, Partner, Risk Advisory, Deloitte Thailand and Sakolsri Satityathiwat, Senior Consultant, Clients & Industries, Deloitte Thailand, and do not necessarily reflect Deloitte’s view.