Does your pandemic plan align with your data security plan?

As organizations across Canada, the U.S., and the globe institute remote work policies to address public health risks, the technology that permits employees to carry on business will be critical. During this time, information technology departments may face increased demand for access to systems and files that allow the business to continue operating smoothly, as well as assistance for employees adjusting to a fully digital workday. While this demand raises operational considerations for organizations of all sizes, data security and incident preparedness should not be overlooked.

What you need to know

• Cybersecurity breaches caused by malicious insiders are on the rise and may become more prevalent if employees are subject to less supervision when remote work policies are in force.
• Unauthorized access to sensitive data may be harder to detect when businesses are operating under alternative protocols to protect public health.
• Data security protocols should be reviewed concurrently with business continuity planning and implementation.
• Organizations’ cyber incident response plans must also be nimble enough to function effectively when the business is operating remotely.

Details

Two key data security issues should be considered alongside an organization’s business continuity and pandemic planning: incident prevention and incident response. In particular, these issues should be considered in the context of malicious insider threats to personal and confidential information.

Detecting malicious insiders during pandemic operations

Data breaches resulting from malicious insiders (current or former employees, vendors, business partners) who have exceeded or misused their access to an organization’s network or data in a manner that affects the confidentiality, integrity or availability of an organization’s information are an ongoing and growing area of risk for organizations¹. This risk is enhanced when insiders with significant access to confidential or personal information are encouraged or required to work remotely, without traditional supervision or communication channels.

Malicious insiders can go undetected for long periods of time, which can compound the scale and severity of the incident and harm to the organization and its customers. Malicious insiders can be difficult to detect if: a) their misuse of company data develops gradually; b) if their access to information appears relevant to their roles; and c) because they can be motivated by significantly different factors (e.g., self-interest, profit, activism, sudden personal challenges and blackmail). When a company is operating under new conditions—such as remote work and altered schedules—it will be even harder to detect unusual data use activities.

Because insiders have an institutional understanding of what and where the “crown jewels” or confidential sensitive customer information is stored, they can inflict significant financial and reputational damage to an organization. Once detected, such malicious insider-rooted breaches can also have a long-term impact on the business, including by diverting internal resources, affecting employee morale, compromising customer trust in the organization, and triggering litigation and regulatory investigations. All of these consequences will have even more severe effects on a company during a pandemic, when resources have already been diverted to ensuring business continuity.

Minimizing insider risk

Organizations must continually revisit their technological and administrative protocols for protecting data as their business continuity plans are being implemented. Businesses must be able to identify “hot-spots”—groups of employees that may be able to do the most damage—and tailor cybersecurity risk mitigation efforts appropriately. For example, access control permission should be reviewed and protocols for requesting and granting access to employees in different roles should be implemented. Importantly, oversight for those who are granting access to data cannot be ignored—multi-level authentication processes should be considered, along with manual and automated activity logging. Similarly, when requests to access data and systems will be sent by employees working remotely, authentication processes should be revisited to ensure system administrators are not being duped by sophisticated insiders or external criminals through false credentials.

Incident response during pandemic operations

Organizations of all sizes should review their cybersecurity incident response plans to ensure their protocols can be followed during periods of alternative business operations. For example, if in-person meetings of the incident response team are the default, alternative protocols for conference calls and secure messaging services should be prepared. Existing protocols for investigating suspected insider incidents should be closely reviewed to ensure that the confidentiality of the investigation is not compromised by remote communication practices during a public health emergency. Organizations should ensure they have tools in place to allow for segmented and broad communication within the organization where required to brief employees, management or board members on a developing incident without requiring individuals to assemble in person.

_________________________

¹ Even though negligent or error prone insiders also expose organizations to cyber risks (e.g., social engineering hacks: phishing, impersonation, business compromise fraud etc.), these types of insider-risks are easier for organizations to address through a combination of training and robust information security systems.

Read all our coronavirus-related updates on our COVID-19 guidance for organizations resource page.

To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2024 by Torys LLP.

All rights reserved.