The discussion covered the importance of connectivity and of access to trusted information, the role of fit-for-purpose systems to capture records during a crisis, and accountability for decisions made during the pandemic period. Discussion around the COVIDSafe app highlighted that privacy by design and governance of data are key for user trust. The move to remote working from home over the past six weeks has increased information security and cybersecurity risks, which were explained by reference to examples of data leakage, data breach, shadow IT and cyber-crimes. The myriad information, records, privacy and data challenges arising from COVID-19 require robust information governance structures to meet changed work environments with updated policies, processes and training.
If you would like to listen to the full discussion you can access a recording of the session here.
Sonya Sherman on public records, information access and information governance
- Connectivity: Access to trusted information is critical, today.
- Sustainability: Today’s solutions also have to support the business of tomorrow.
- Accountability: Decisions and actions will be scrutinised. Inform response ‘next time’.
Sonya noted that the COVID crisis has in some ways been a “burning platform” for digital transformation. Previous barriers to change have been pushed aside, but there is a risk that information strategy and governance are being overlooked in the rush. She believes it is possible to transform quickly and securely with the right tools, policies and practices.
Organisations today are focused on connectivity, providing access to equipment so their staff can carry on business as usual. But Sonya pointed out that access to information is just as important as access to technology. Information is what underpins important decisions and actions in crisis response – so the information has to come from reliable, well-managed sources.
These changes have marked a major shift in the way we work and Sonya predicted we will likely never go back to the old ways of working. The systems and processes we put in place today will be in use for the future. So we have to ensure they are sustainable and help us apply good governance across a remote workforce and a distributed information ecosystem.
Sonya’s final observation was that we also have to prepare to be accountable. She noted that inquiries have already begun into the recent bushfires and the Ruby Princess cruise ship. All the decisions and actions being taken during this time are likely to be subject to scrutiny in the months ahead, so good records and the ability to respond to requests for information will be critical.
Just as we are now relying on records of how the SARS and Ebola epidemics were managed and the research into vaccines at that time, the records of our actions today will help us respond more effectively when the next deadly virus evolves. But Sonya emphasised this will only be possible if the data and information are well-managed today.
Dr Peter Chapman on cybersecurity & remote working
Peter noted that massive social upheaval combined with equally large changes to our standard business processes has created a perfect storm scenario for cyber-crime and data breaches – both deliberate and accidental. However, agile organisations may be able to use this unique event as an opportunity to improve their cyber resilience.
He highlighted that with most of our business process workforce currently working from home, we are effectively flipping the concept of “BYO device” on its head. Larger, well-resourced organisations will likely have already had some IT security infrastructure in place to assist with this change: secured laptops running locked-down standard operating environments, VPNs for connection through home Wi-Fi and multi-factor authentication requirements for critical systems. Smaller and less well-resourced organisations, by contrast, may not have had these systems in place and will struggle to implement them in the current environment, leaving them at significant risk of serious IT security incidents.
It logically follows that the work from home arrangements we have had over the last couple of months have substantially increased the risks of organisational data and records spreading into the “shadow IT” environment, such as personal computers and USB devices, cloud storage accounts and the like.
Peter stressed that while storing sensitive internal or client data on personal devices should clearly be ruled out in any appropriately worded Acceptable Use of Technology policy, organisations have to meet their employees half-way in this endeavour by providing secure, functional and easy-to-use devices and applications to conduct their work. Insisting employees utilise clunky, inefficient or otherwise broken “approved” technology is just asking for trouble.
As has been reported widely in the press, organised cyber-criminals and other groups are very effectively utilising the COVID-19 pandemic to supercharge their activities – with the possible exception of the call-centre scams, Peter quipped, which are apparently struggling with the whole work-from-home thing as well.
He reminded all participants that cybercriminals generally exploit one or more of our negative attributes when they use social engineering to trick us into clicking on something we shouldn’t – whether it is greed, fear or ignorance – and the current environment has plenty of those things going around, so it is unsurprising we have seen so much phishing activity of late.
Cybercriminals can deploy authentic-looking websites, applications, emails and SMS broadcasts even quicker than the official channels – scam emails and SMS messages about accessing government payments were in the wild within a day of policy announcements – which should be the biggest tip-off, as the government would never move that quickly.
He highlighted that while many of these attacks are aimed at private individuals, they are equally effective at compromising the personal devices of employees who are trying to work from home with insufficient technology resources.
Apart from deploying ransomware and other malicious software, once access has been obtained an attacker may just quietly monitor an employee’s emails, waiting for an opportune moment to launch a high-value “man-in-the-middle” attack, or simply siphon off sensitive data.
It’s easy to get caught up and overwhelmed in the doom and gloom of IT security risks, especially when they are exacerbated by the rapid changes we have seen in the last few months. However, Peter spotlighted that many organisations and many employees have demonstrated a lot more flexibility and capacity to change than would have been guessed at pre-COVID. He’s hopeful that organisations can use this experience as a platform for implementing improved security of their data, bringing employees along for the journey by clearly showing the need for things like anti-phishing programs and restrictions on the use of non-vetted applications and devices in light of the increased cybercrime activity while we have been battling COVID.