24 December 2020
The COVID-19 pandemic has seen workplaces, universities, and consumers move online. Now more than ever, consumers are placing their trust in online businesses. And businesses are finding new challenges in conducting more of their operations online.
Perhaps unsurprisingly, cybercriminals are finding ways to exploit the situation, and there has been a significant increase in threats to personal and sensitive information.
It's now more important than ever to ensure you're properly protecting customers' privacy and your company's security.
Let's look at some of the online threats we've seen emerging during the COVID-19 pandemic.
Phishing is a common type of online scam that involves tricking people into giving up personal or sensitive information, typically account credentials or payment card details.
IT security firm KnowBe4 reports that there has been a staggering 600% rise in phishing scams, attributable in part to a widespread fake message about COVID-19 purporting to be from the Centers for Disease Control.
The U.S. Treasury is encouraging people to report COVID-19-related scams.
Computer viruses have long represented a threat to business. But viruses are just one type of malware (malicious software); other types include ransomware, spyware, and bots.
Antivirus company Bitdefender has published data suggesting that malware developers are busier than ever, using COVID-19-themed messages to trick people into installing malware.
Staff working from home are particularly vulnerable to malware, which can go undetected on any device without adequate anti-malware software installed.
With governments developing potentially invasive COVID-19 "contact tracing apps," with or without Apple and Google's involvement, public concerns about online privacy are at an all-time high.
Now is the opportunity for you to implement the very best security practices, and to create policies that will demonstrate your commitment to your customers' privacy.
Let's look at some of the practical steps you can take to do this.
The first step to improving your company's privacy and security practices is to understand what laws apply to you.
Depending on where your company is based, and where your customers are based, there may be several privacy and security laws you need to comply with.
Here are some examples:
You must understand and be accountable under whatever laws apply to your company. If you suffer a data breach or security incident, you will need to demonstrate what steps you have taken to achieve legal compliance.
Safeguarding personal and sensitive information within your company requires a solid administrative foundation.
You should designate an employee (or, if appropriate, hire a contractor) to oversee, and be accountable for, your company's data privacy and security practices.
Designating a person to act as your company's Privacy Officer, IT Security Officer or Data Protection Officer will help ensure your company approaches privacy and security in a more methodical and organized way.
There are several privacy laws that require companies to designate an accountable employee.
GDPR: Appointing a Data Protection Officer is mandatory for any GDPR-compliant organization which:
These laws have different requirements for the accountable employee's roles and responsibilities. Typically, these will include:
Protecting personal and sensitive information requires a comprehensive understanding of where threats are likely to arise. This means continually assessing risk.
Risk assessment can be a two-stage process:
Some laws have a specific set of requirements for carrying out a risk assessment, such as the GDPR Data Protection Impact Assessment.
Risks can be internal or external.
You may be open to risks through the negligence of your employees or contractors.
You may also be at risk from malicious actors, either from inside or outside of your company.
It's not possible to list all the possible risks to your company's privacy and security. For example, any of the following scenarios could be a risk to privacy and security:
Create a list of potential security risks in your company. Here are some ways to identify risks:
For each risk you have identified, consider:
Using this assessment you can rank risks according to their overall risk level.
You must have a robust set of internal and external policies. This helps to ensure that everyone in your company is on the same page. It allows you to act quickly in the event of a security incident or data breach. It also allows you to demonstrate accountability to the authorities.
A Privacy Policy is a public-facing document that explains all aspects of your company's privacy practices.
Almost every business is required to have a Privacy Policy, regardless of size or industry. Even if your business is not customer-facing, it is likely to need a Privacy Policy.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:
Enter your email address where you'd like your policy sent, select translation versions and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
The contents of your Privacy Policy will vary depending on the region in which your company or customer base is located, your industry, your company's size, and the ways in which you process personal information.
Here's a breakdown of some of the privacy laws you might need to obey when creating your Privacy Policy.
| Country | Privacy Laws |
|---|---|
| United States | All commercial websites or apps accessible in California must comply with CalOPPA. This law requires website operators to maintain a Privacy Policy detailing: |
| European Union | The GDPR requires all data controllers to maintain a Privacy Policy detailing, at a minimum: |
| United Kingdom | The UK still follows the EU's GDPR. Therefore, the UK's Privacy Policy requirements are the same as in the EU. |
| Canada | PIPEDA requires private sector organizations to maintain a Privacy Policy detailing: |
| Australia | The Privacy Act 1988 requires every covered business to maintain a Privacy Policy detailing: |
You should ensure your Privacy Policy is easily accessible via your company's website and/or app.
A Data Protection Policy is an internal document that sets out the standards for handling personal and sensitive information.
Typical sections in a Data Protection Policy may include:
An IT Security Policy is helpful if your staff access personal or sensitive information across many different devices. It helps ensure that all employees are maintaining a reasonable standard of information security at all times.
An IT Security Policy might contain some of the following sections:
If you are meeting certain standards, such as ISO 27001, your IT Security Policy will need to be built around their requirements.
Once you have identified the risks to personal or sensitive information in your company, you should put safeguards in place to protect it.
As a matter of good practice, always apply the following principles:
Technical safeguards are the methods by which you can strengthen your IT and network infrastructure to safeguard any personal or sensitive data you hold in electronic form.
Installing anti-malware software on all staff terminals is essential. Make sure:
Do not allow staff to access company materials unless they are using a device protected by anti-malware software.
In the current circumstances, you may also wish to consider setting up a company Virtual Private Network (VPN) for home-working employees.
Poor password habits lead to data breaches in a significant majority of cases.
Using password manager software is a good way to ensure that staff employ strong passwords, change them regularly, and store them securely.
Popular password manager brands such as LastPass, Dashlane, and 1Password have enterprise packages that will help you manage your staff's passwords remotely without ever compromising their privacy.
Physical safeguards protect your equipment and premises, both from attacks and hazards.
As well as cyberattacks, your company needs to be able to detect, prevent, and respond to intrusions on its physical premises.
Consider whether any of the following measures would be appropriate for your company:
You should conduct regular audits, checking that keys, security passes, and access permissions are up to date. Former employees and contractors must return any passes or ID badges.
When you no longer need personal or sensitive information you must delete or destroy it. Data retention periods can be detailed in your Data Protection Policy.
Physical safeguards cover information stored on paper and on hardware.
Paper files should be shredded and disposed of via a reputable contractor.
There are several options for disposing of information stored on hardware.
The COVID-19 pandemic represents an opportunity for your business to improve its privacy and security practices.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.