To celebrate Information Awareness Month (IAM2020) and Privacy Awareness Week (PAW2020), we kicked off with an online panel discussion on the myriad of Information Governance issues arising from the COVID-19 pandemic.
The importance of connectivity and of access to trusted information, the role of fit-for-purpose systems to capture records during a crisis, and accountability for decisions made during the pandemic period were all highlighted. Discussion around the COVIDSafeApp emphasised that privacy by design and governance of data are key for user trust. A key focus of the discussion was the increased information security and cybersecurity risks that come with the move to working from home. These include the risks of data leakage, data breach, shadow IT and cyber-crimes. In summary, the discussion emphasised that the myriad of information, records, privacy and data challenges arising from COVID-19 require robust information governance structures to meet changed work environments with updated policies, processes and training.
Sonya Sherman on public records, information access and information governance
- Connectivity: Access to trusted information is critical, today.
- Sustainability: Today’s solutions also have to support the business of tomorrow.
- Accountability: Decisions and actions will be scrutinised. Inform response ‘next time’.
Sonya noted that the COVID crisis has in some ways been a “burning platform” for digital transformation. Previous barriers to change have been pushed aside, but there is a risk that information strategy and governance are being overlooked in the rush. She believes it is possible to transform quickly and securely with the right tools, policies and practices.
Organisations today are focused on connectivity, providing access to equipment so their staff can carry on business as usual. But Sonya pointed out that access to information is just as important as access to technology. Information is what underpins important decisions and actions in crisis response – so the information has to come from reliable, well-managed sources.
These changes have marked a major shift in the way we work and Sonya predicted we will likely never go back to the old ways of working. The systems and processes we put in place today will be in use for the future. So we have to ensure they are sustainable and help us apply good governance across a remote workforce and a distributed information ecosystem.
Sonya’s final observation was that we also have to prepare to be accountable. She noted that inquiries have already begun into the recent bushfires and the Ruby Princess cruise ship. All the decisions and actions being taken during this time are likely to be subject to scrutiny in the months ahead, so good records and the ability to respond to requests for information will be critical.
Just as we are now relying on records of how the SARS and Ebola epidemics were managed and the research into vaccines at that time, the records of our actions today will help us respond more effectively when the next deadly virus evolves. But Sonya emphasised this will only be possible if the data and information are well-managed today.
Christopher Colwell on records management challenges
Chris started out by observing that for many organisations the current environment and remote working had highlighted the importance of documents and records to the efficient running of business. Records in their various forms are not just evidence of past actions but they are in effect the “lifeblood” of most organisations.
Following on from Sonya’s observations, Chris noted that there were two major challenges facing organisations at this time. The first is having fit-for-purpose systems to capture the appropriate records of business during a crisis incident such as this one. The second challenge at present is being able to access all relevant systems and records remotely. This will be especially challenging if some of those records were in hardcopy form rather than digital.
Chris pointed out that the ability to capture records into organisational systems and then preserve them for their correct periods of time is especially important not only for accountability, transparency and business efficiency, but also for the greater public good as well. Records of what steps were taken and by whom and when will be especially important for learning from the current pandemic as a society.
He noted that records and information management professionals are particularly well placed to assist organisations to make judgements about what kinds of records they should be focussing on to ensure that the corporate and societal record of this time is preserved. That is one of the key skill sets that they can bring to bear at this time. Chris also noted that when things return to some semblance of normal it may also be important to conduct some kind of reconciliation exercise to ensure all the right records are captured. This will be especially important where manual workarounds and personal devices may have been used at particular points when corporate systems failed or had been off-line for a period of time.
These points were further highlighted and reinforced during the webinar chat as participants drew everyone’s attention to the declaration made by UNESCO through its Memory of the World program calling on member states to turn the “threat of COVID-19 into an opportunity for greater support to documentary heritage”. On the day of the webinar six leading information management associations including ARMA International and the International Council for Archives also issued a further statement and advice highlighting that “the duty to document does not cease in a crisis, it becomes essential”.
Dr Peter Chapman on cybersecurity & remote working
Peter noted that massive social upheaval combined with equally large changes to our standard business processes has created a perfect storm scenario for cyber-crime and data breaches – both deliberate and accidental. However, for agile organisations this unique event can be used as an opportunity to improve their cyber resilience.
With most of our business process workforce currently working from home, Peter highlighted that we are effectively flipping the concept of “BYO device” on its head. Larger, well-resourced organisations will likely have already had some IT security infrastructure in place to assist with this change: secured laptops running locked-down standard operating environments, VPNs for connection through home Wi-Fi and multi-factor authentication requirements for critical systems. Smaller and less well-resourced organisations, however, may not have had these systems in place and will struggle to implement them in the current environment, leaving them at significant risk of serious IT security incidents.
It logically follows that the work from home arrangements we have had over the last couple of months have substantially increased the risks of organisational data and records spreading into the “shadow IT” environment, such as personal computers and USB devices, cloud storage accounts and the like.
Peter stressed that while storing sensitive internal or client data on personal devices should clearly be ruled out in any appropriately worded Acceptable Use of Technology policy, organisations have to meet their employees half-way in this endeavour by providing secure, functional and easy-to-use devices and applications to conduct their work. Insisting employees utilise clunky, inefficient or otherwise broken “approved” technology is just asking for trouble.
As has been reported widely in the press, organised cyber-criminals and other groups are very effectively utilising the COVID-19 pandemic to supercharge their activities – with the possible exception, Peter quipped, of the call-centre scams, which are apparently also struggling with the whole work-from-home thing.
He reminded all participants that cybercriminals generally exploit one or more of our negative attributes when they use social engineering to trick us into clicking on something we shouldn’t – whether it is greed, fear or ignorance – and the current environment has plenty of those things going around, so it is unsurprising that we have seen so much phishing activity of late.
Cybercriminals can deploy authentic looking websites, applications, emails and SMS broadcasts, even quicker than the official channels – scam emails and SMS messages about accessing government payments were in the wild within a day of policy announcements – which should be the biggest tip off as the government would never move that quickly.
Peter highlighted that while many of these attacks are aimed at private individuals, they are equally effective at compromising the personal devices of employees that are trying to work from home with insufficient technology resources.
Apart from deploying ransomware and other malicious software, once access has been obtained an attacker may just quietly monitor an employee’s emails, waiting for an opportune moment to launch a high-value “man-in-the-middle” attack, or simply siphon off sensitive data.
It’s easy to get caught up and overwhelmed in the doom and gloom of IT security risks, especially when they are exacerbated by the rapid changes we have seen in the last few months. However, Peter spotlighted that many organisations and many employees have demonstrated a lot more flexibility and capacity to change than would have been guessed at pre-COVID. He’s hopeful that organisations can use this experience as a platform for implementing improved security of their data, bringing employees along for the journey by clearly showing the need for things like anti-phishing programs and restrictions on the use of non-vetted applications and devices in the light of the increased cybercrime activity while we have been battling COVID.
If you would like to listen to the full discussion you can access a recording of the session here.