As organizations across Canada, the U.S., and the globe institute remote work policies to address public health risks, the technology that permits employees to carry on business will be critical. During this time, information technology departments may face increased demand for access to systems and files that allow the business to continue operating smoothly, as well as assistance for employees adjusting to a fully digital workday. While this demand raises operational considerations for organizations of all sizes, data security and incident preparedness should not be overlooked.
Two key data security issues should be considered alongside an organization’s business continuity and pandemic planning: incident prevention and incident response. In particular, these issues should be considered in the context of malicious insider threats to personal and confidential information.
Data breaches resulting from malicious insiders (current or former employees, vendors, business partners) who have exceeded or misused their access to an organization’s network or data in a manner that affects the confidentiality, integrity or availability of an organization’s information are an ongoing and growing area of risk for organizations1. This risk is enhanced when insiders with significant access to confidential or personal information are encouraged or required to work remotely, without traditional supervision or communication channels.
Malicious insiders can go undetected for long periods of time, which can compound the scale and severity of the incident and harm to the organization and its customers. Malicious insiders can be difficult to detect if: a) their misuse of company data develops gradually; b) if their access to information appears relevant to their roles; and c) because they can be motivated by significantly different factors (e.g., self-interest, profit, activism, sudden personal challenges and blackmail). When a company is operating under new conditions—such as remote work and altered schedules—it will be even harder to detect unusual data use activities.
Because insiders have an institutional understanding of what and where the “crown jewels” or confidential sensitive customer information is stored, they can inflict significant financial and reputational damage to an organization. Once detected, such malicious insider-rooted breaches can also have a long-term impact on the business, including by diverting internal resources, affecting employee morale, compromising customer trust in the organization, and triggering litigation and regulatory investigations. All of these consequences will have even more severe effects on a company during a pandemic, when resources have already been diverted to ensuring business continuity.
Organizations must continually revisit their technological and administrative protocols for protecting data as their business continuity plans are being implemented. Businesses must be able to identify “hot-spots”—groups of employees that may be able to do the most damage—and tailor cybersecurity risk mitigation efforts appropriately. For example, access control permission should be reviewed and protocols for requesting and granting access to employees in different roles should be implemented. Importantly, oversight for those who are granting access to data cannot be ignored—multi-level authentication processes should be considered, along with manual and automated activity logging. Similarly, when requests to access data and systems will be sent by employees working remotely, authentication processes should be revisited to ensure system administrators are not being duped by sophisticated insiders or external criminals through false credentials.
Organizations of all sizes should review their cybersecurity incident response plans to ensure their protocols can be followed during periods of alternative business operations. For example, if in-person meetings of the incident response team are the default, alternative protocols for conference calls and secure messaging services should be prepared. Existing protocols for investigating suspected insider incidents should be closely reviewed to ensure that the confidentiality of the investigation is not compromised by remote communication practices during a public health emergency. Organizations should ensure they have tools in place to allow for segmented and broad communication within the organization where required to brief employees, management or board members on a developing incident without requiring individuals to assemble in person.
1 Even though negligent or error prone insiders also expose organizations to cyber risks (e.g., social engineering hacks: phishing, impersonation, business compromise fraud etc.), these types of insider-risks are easier for organizations to address through a combination of training and robust information security systems.
Read all our coronavirus-related updates on our COVID-19 guidance for organizations resource page.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2023 by Torys LLP.
All rights reserved.
Pensions and Employment
Banking and Debt Finance
Board Advisory and Governance
Disputes and Investigations
Private Equity and Principal Investors
Food and Drug
Government and Crown Corporations
Industrial and Manufacturing
Media and Communications
Mining and Metals
Oil and Gas
Power and Renewable Energy
Consumer and Retail