Governments adopting trace-and-track apps to prevent the spread of the pandemic have raised questions about the ‘right balance’ between pandemic response and privacy considerations. James Nunn-Price and Manish Sehgal set out the risks and challenges for individuals and businesses.
The sudden global outbreak of COVID-19 brought significant challenges to our day-to-day lives. In recent weeks, several countries have begun to ease their COVID-19 lockdown restrictions, yet pandemic-related cyber threats appear undiminished.
In the face of COVID-19, from healthcare to commerce, cybersecurity and privacy rights have never been more important. Even before the pandemic, the World Economic Forum’s publication of The Global Risks Report 2020 listed cyberattacks as the biggest global threat after environmental risks.
Overview of cyber challenges
While the focus is on the health and economic threats posed by COVID-19, cybercriminals around the world undoubtedly are capitalizing on this crisis. The impact of COVID-19 on cyber preparedness is broad: it ranges from a rise in COVID-19-related phishing and ransomware attacks, increased delays in cyberattack detection and response due to IT/security teams being spread too thin, and increased security risk from remote working/learning, to positive effects such as the cyber posture of organizations naturally improving as a result of the pandemic.
Heightened cyber challenges include:
- Rapidly implemented digital and cloud technologies to enable remote working, and digital channels that lack sufficient hardening and security controls;
- Malicious and inadvertent insider threats caused by disgruntled or displaced employees and contractors;
- Evolving compliance circumstances for regulated industries;
- Stretched IT and cybersecurity resources managing an increased attack surface;
- Complex requirements for identity and access management as roles and responsibilities change;
- Greater difficulty in maintaining compliance with data privacy regulations; and
- Privacy considerations around accessing and processing information.
Although many of these cyber and privacy challenges existed prior to the COVID-19 pandemic, they now pose an even greater threat as the size and scale of connectivity for remote operations expands and the deployment of technology that collects data on the virus increases.
Protecting privacy, ensuring safety
The pandemic has prompted governments, as well as public and private organizations, to adopt necessary measures to prevent the spread of the virus and mitigate the health crisis. Nations are using leading technologies as part of an overall response to combat the outbreak.
Often such measures include collecting and processing a large variety of information related to citizens and employees such as names, addresses, workplaces, travel histories, and health information, sourced from tracing and surveillance tools, both on mobile devices and physical assets.
This aspect of accessing and processing information (private and health-related) has raised questions around the globe about the “right balance” between pandemic response, recovery measures and privacy considerations.
Contact tracing of citizens
Tracing applications help to monitor and alert healthcare authorities about potential encounters with COVID-19. They have become highly recommended government tools, adopted by the public at large and used by health authorities trying to contain the pandemic.
Like most of the world, several nations in Asia-Pacific are working to flatten the curve. A common method is the active deployment of technology that collects data on the virus, including tracking and surveillance of those who have been infected.
Contact tracing applications being used in the region have diverse features including:
- Encouraged versus mandated use. Certain nations have issued advisories that recommend and encourage their people to use specific applications, while other countries have mandated the use of such applications;
- Consent-based usage. A few nations are offering a consent-based application to facilitate their tracing efforts;
- Use of scores and advanced technologies for identification. A few applications in use within the region generate a score based on contagion risk, and share that information with local enforcement agencies like the police. Additionally, advanced technologies are deployed for facial recognition to identify individuals, even when they are wearing a mask;
- Records of people in proximity. In select nations, citizens are using applications that collect the records of other people (via Bluetooth) who have been in their close proximity within the past 21 days;
- Publicly sharing versus limiting the access to collected data. A few nations are minimizing the spread of the virus by publicly sharing detailed information on the movements of infected citizens, while other countries are storing large volumes of personal and health data in a central repository with limited access for authorised personnel from health departments; and
- Travel and location monitoring. Some countries have integrated their national healthcare database with customs and travel records. This helps to track whether citizens are abiding by their quarantine orders through government-issued mobile phones. Similarly, a few countries are monitoring the location of individuals required to undergo home quarantine via cellular signals from their mobile phones.
The paramount interest behind all of these variations is the protection of human life, and privacy considerations may be seen as a big ask in a crisis like this. Nevertheless, there is a pressing need to maintain the right balance between the two extremes. Privacy may be easily compromised in the absence of the right checks and controls in such contact tracing applications. Consider these examples:
- Collection of personal and sensitive health data without providing clear and transparent privacy notices explaining the functioning of the application, tracking mechanism deployed, or whether advanced technologies such as facial recognition are used;
- Storage of personal data without adequate security safeguards increasing the probability of cyberattacks and leading to data access by intruders;
- Large-scale processing of personal data without adequate opt-in and opt-out consent mechanisms for individuals;
- Ignoring the principle of data minimization by collecting large volumes of non-anonymised personal data – its storage may not be necessary and proportional to the purpose for which the data are collected;
- Processing collected data beyond legitimate purposes for which collection is being done;
- Unclear guidelines relating to the duration of retaining and storing collected data; and
- Insecure disposal and erasure of data.
To avoid compromising a user’s privacy, contact tracing applications should consider privacy principles such as “privacy by design” and “privacy by default” during the design and refresh stages. Before releasing for public use, it is recommended to perform a comprehensive data protection impact assessment (DPIA) to identify the potential impact on a user’s privacy, and address it. During the use of such technologies, simple-to-comprehend privacy notices should be provided for users to understand: (1) how the data entered by them, and collected via tracing features, will be used; (2) with whom the data will be shared; (3) why data are being collected; (4) how long data will be stored; and (5) where data will be stored.
In addition, all processing of personal data should be proportional to the purpose of tracking the disease trajectory and safeguarding public health. Security controls including encryption and anonymization should be implemented to secure the data, and to avoid any data leaks or manipulation by non-trusted third parties. After the purpose is met, and in accordance with local laws, data collected and processed should be securely disposed of.
The use of tracing apps and digital technologies seems promising for monitoring and curtailing the virus’s rate of spread, especially once lockdown measures are lifted. However, just like many emerging technological advancements, these tools may bring privacy and security concerns, which need to be carefully managed to ensure optimum results in the battle against the coronavirus.
Remote working: the next normal?
Almost overnight, organizations worldwide found themselves in shut-down situations, where workers had to shelter and work from home. Prior to the COVID-19 outbreak, 27% of users globally worked remotely on the average weekday. Estimates as of 31 March 2020 suggest that now more than 60% of users work remotely.
In this new environment of remote working, many professionals are using personal devices versus company-issued machines to access organizational networks and systems. Here we highlight a few key cyber vulnerabilities of a remote workforce, and how to help mitigate the risks.
“Bring your own device” explosion, and collaboration tools. Many workers do not have company-issued laptops for home use. This means they are accessing corporate networks and systems on devices that may have vulnerabilities, or already be compromised. Likewise, workers are relying heavily on web conferencing and collaboration tools to do their jobs, which can be compromised by threat actors (“Zoom-bombing” being the most prominent but not the only example).
The use of such devices by employees working from home leads to a significantly increased risk of cyber adversaries gaining access to internal infrastructure that holds data and intellectual property. Personal devices may not have the latest security patches, anti-malware tools, or a VPN to ensure a more secure connection to the business environment. Deloitte research indicates that 1,000-plus insecure personal devices connect to enterprise networks every day in 30% of US, UK and German companies, without IT’s knowledge.
Steps to consider
- Ensure IT teams develop and implement corporate security policies and guidelines for “bring your own device” (BYOD), and require that corporate security software is installed on employee devices before such devices can be used to connect;
- Review and establish corporate firewall capacity and rules for remote access, “user and entity behaviour analytics” (UEBA), and file integrity monitoring for effective implementation for remote employees;
- Restrict unapproved personal devices from your corporate network and limit personal device access to only required corporate cloud services that are needed for critical business operations;
- Ensure discussions over popular free global cloud video conferencing platforms are not sensitive. If they are, switch to an alternative paid-for enterprise platform with additional security and location controls; and
- Secure meetings on collaboration tools with one-time passwords at the individual meeting level, or at the user, group or account level for all meetings and webinars, and lock meetings once they begin, to prevent additional attendees.
Increased volume of phishing targeted at employees and senior executives. The economic impacts of COVID-19 have spurred a series of wage subsidies and cash drives. As employees receive many communications from government entities and their employers, it is critical that they avoid phishing campaigns, for example ones disguised as relief payment plans.
Between 13 and 26 March 2020, there were more than 400,000 incidents of spam emails pertaining to COVID-19. Chief financial officers, in particular, have been targeted through campaigns to gain access to, and take over, their email accounts (e.g., via cloud API keys) in order to approve payments without their knowledge.
Suggested top actions
- Raise awareness among employees who may be receiving a relief payment about malicious phishing campaigns, and be specific on what will be shared by your organization (format, timing, etc.);
- Bolster threat detection and response to promote proactive identification of malicious activity; and
- Ensure that your organization has a crisis response plan, and has informed employees to avoid the spread of misinformation.
These and other cyber challenges are causing organizations to rethink their digital transformation initiatives. Organizations will rebound at varying speeds as they seek to include remote employee enablement and productivity into their plans and prepare for the “next normal”.
How we work will be one of the most pronounced changes, as many enterprises experience the morale, cost-saving and productivity benefits of a remote workforce. Flexibility will become the new norm – both from employer and employee perspectives.
COVID-19 will change our lives forever. New styles of working, new cyber issues, and new proposed policies and regulations will have a permanent impact. As organizations align their strategies and workforces around COVID-19, there are several cyber and privacy considerations to think about.
For the privacy of individuals, it is imperative that the right balance between pandemic response, recovery measures and privacy considerations is achieved. From a cyber perspective, the cyber posture and security hygiene of an organization will naturally improve as a result of the pandemic, as companies adopt newer technologies and digital processes, with cyber embedded everywhere.
The key is for leaders to use their responses to the pandemic as an opportunity to grow, shaping future ways of working that are more efficient, effective and collaborative, with confidence that cyber risk is being managed effectively.
James Nunn-Price is the Asia-Pacific cyber leader and Manish Sehgal is the Asia-Pacific privacy and data protection leader at Deloitte