REMOTE WORKING: A RISKY BUSINESS?

06 April 2020 / Paul Schwartfeger. Categories: Features, Covid-19, Data protection, Profession

COVID-19 has forced a new way of working onto many of us, but in the rush to adapt the additional cybersecurity risks should not be ignored, says Paul Schwartfeger

  • Given the present uncertainties, we should be asking ourselves whether a particular communication tool or channel is appropriate for sharing information of an especially confidential kind.
  • Before we share it we should also consider what steps we have taken to minimise the risks of a cyberbreach.

When the current lockdown began on 23 March, people were instructed by the state to work from home wherever possible. Many workplaces closed their doors in response, leaving us to hastily find new ways of working, meeting and keeping in touch from our homes. Usage of videoconferencing, online collaboration tools and chat systems surged as a result. However, the increased use of these tools has brought with it cybersecurity risks.

Warnings of these risks were further amplified last week, following UK Prime Minister Boris Johnson’s tweet of himself participating in a virtual cabinet meeting via the videoconferencing app ‘Zoom’. The image he shared was intended to demonstrate how the Prime Minister and his cabinet are complying with COVID-19 social distancing rules. However, the image is now being touted as a security concern, as the Prime Minister’s meeting ID number is clearly visible in the shot. Unless password protections are enabled, this ID number is all that is needed for anybody to join the Prime Minister’s Zoom meeting. Indeed, the Internet is awash with reports of Zoom meetings that have been ‘zoombombed’ by uninvited guests who connect to a meeting after obtaining or guessing its meeting ID number and then display pornographic, racist or other offensive materials to the meeting’s legitimate participants. 

This issue comes alongside other security concerns with Zoom’s videoconferencing services. Ministry of Defence employees were recently instructed that use of Zoom was being suspended while its security implications were investigated, and a Zoom spokesperson has admitted in recent days that it is currently not possible to enable end-to-end encryption for Zoom video meetings. It appears that purportedly ‘private’ meetings can be intercepted and accessed by Zoom—as well as (potentially) any hackers that gain access to Zoom’s servers. As a US service provider, communications passing across Zoom’s networks may also be susceptible to routine monitoring by US government agencies. It should be noted that these issues are not necessarily unique to Zoom; some other popular videoconferencing applications do not make full use of end-to-end encryption as a matter of course either.

While zoombombing may be dismissed by some as simply insidious or antisocial behaviour, the possibility that our video calls and virtual meetings could be eavesdropped on should ring alarm bells. Zoom and related technologies are used to host commercially sensitive company meetings, conduct virtual medical consultations with patients, hold private discussions with family and friends, and even to run countries (as Mr Johnson has shown). Highly sensitive business and personal data flows across these networks every second of the day and is at serious risk if these technologies fail.

Problems & remedies

Who is responsible for any cybersecurity problems and what remedies may be available in the event of a breach, however, is a complicated issue.

In respect of Zoom, the company is based in California in the US. Jurisdictional issues would therefore arise for any UK parties who contemplated action against them in the event of any security breach. Furthermore, Zoom’s terms and conditions state that the company makes no warranties in respect of the fitness of its product for any purpose, and that users are responsible for any damage resulting to them from their use of Zoom’s services. Zoom also rejects any liability for damages in contract or tort, et cetera. This liability waiver may add complexity to any action brought against Zoom in the event a party suffers a data breach.

In a European legal context, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR 2003)—as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208)—affords users some rights and protection. This applies to providers of electronic communications services. The definition of a provider of such services is given in Regulation 5(1) PECR 2003 as one that provides “a public electronic communications service”, and in the Communications Act 2003 as one providing “a service consisting of, or having as its principal feature, the conveyance by means of an electronic communications network of signals, except in so far as it is a content service”. In other words, it applies to those that transmit speech, sound and visual images, et cetera, although not where the service is a content service, such as an online newspaper or broadcaster. 

Companies that provide videoconferencing services appear to fit neatly within the definition of providers of electronic communications services under both PECR and the Communications Act, and in C-142/18 Skype Communications Sarl v IBPT the ECJ held that SkypeOut, an internet calling service, was an electronic communications service. Further amendments to these regulations planned for this year will expressly specify their inclusion as “over-the-top” services.

In the UK, where a personal data breach occurs in respect of an electronic communications service provider, the provider is obligated to notify the Information Commissioner’s Office (ICO) of the breach within 24 hours of its detection, and the time limit must be strictly observed. The regulator has the power to fine service providers where they fail to properly comply. In TalkTalk Telecom Group Plc v Information Commissioner [2016] UKFTT 110 (GRC), it was held that it would be wrong to read into the regulations a requirement that there should always be a period of investigation before notification.

If the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user, the service provider must also notify the individuals concerned of the breach without undue delay.

Regulation 3 of the amended 2011 Privacy and Electronic Communications Regulations provides a broad definition of a personal data breach, defining it as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”. 

On the basis of this definition, a personal data breach may occur when a party unlawfully accesses a Zoom (or other provider’s) video meeting, whether by means of zoombombing or another form of computer hacking. This could give rise to the notification obligations, as set out above. Under the related provisions of the General Data Protection Regulation 2018 (GDPR), a victim may also be able to claim compensation from a service provider if he or she has suffered damage as a result of that provider breaking data protection laws.

However, there are some caveats.

Firstly, providers are not obliged to notify individuals affected by a security breach if the Information Commissioner confirms that he is satisfied that the information was properly encrypted when the breach occurred (regulation 5A(6), revised PECR 2003). However, there is no strict definition of what constitutes ‘proper encryption’.

Zoom’s service, for example, is not without encryption. Rather, its service does not presently include end-to-end encryption. Video and audio from your meeting are encrypted on their journey from your computer to Zoom’s servers. These data are also encrypted on their way from Zoom’s servers back out to the other participants in your meeting. The problem is that these data are not encrypted while they are being handled by and processed on Zoom’s servers. Zoom would undoubtedly say that it has other measures in place to ensure the security of the unencrypted data whilst these are on its servers. Whether or not the Information Commissioner would agree is uncertain, which muddies the issue of whether or not a victim of a data breach would have any right to notification or a remedy.
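The arrangement described in the paragraph above, as an added model that is not Zoom's code or protocol and not part of the original article: a relay server holding only per-client transport keys can log the media when it is encrypted hop by hop, but not when the participants also encrypt under a meeting key the server never receives. The cipher is a toy HMAC-SHA256 construction standing in for a real AEAD, and all key distribution is assumed to have happened out of band.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one shared secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (HMAC-SHA256 standing in for a real AEAD)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class RelayServer:
    """Stands in for the provider's servers: holds one transport key per client and,
    like any relay, can log whatever it is able to decrypt."""

    def __init__(self, transport_keys: dict):
        self.transport_keys = transport_keys
        self.observed = []  # everything the server (or an intruder on it) could read

    def forward(self, sender: str, recipients: list, blob: bytes) -> dict:
        inner = unseal(self.transport_keys[sender], blob)  # strip the sender's hop
        self.observed.append(inner)
        return {r: seal(self.transport_keys[r], inner) for r in recipients}  # re-wrap per hop


class Participant:
    def __init__(self, name: str, transport_key: bytes, meeting_key: bytes = None):
        self.name, self.transport_key, self.meeting_key = name, transport_key, meeting_key

    def send(self, server: RelayServer, recipients: list, message: bytes) -> dict:
        # End-to-end mode seals the media under a key the server never holds, then applies
        # transport encryption on top for the hop to the server; transit-only mode skips the inner layer.
        inner = seal(self.meeting_key, message) if self.meeting_key else message
        return server.forward(self.name, recipients, seal(self.transport_key, inner))

    def receive(self, blob: bytes) -> bytes:
        inner = unseal(self.transport_key, blob)
        return unseal(self.meeting_key, inner) if self.meeting_key else inner


MESSAGE = b"board minutes: acquisition target is X"  # constructed sample media frame


def run_meeting(end_to_end: bool, message: bytes = MESSAGE):
    """Send one frame from alice to bob and carol; return (what each read, what the server saw)."""
    names = ["alice", "bob", "carol"]
    transport_keys = {n: secrets.token_bytes(32) for n in names}  # assumed already agreed per hop
    meeting_key = secrets.token_bytes(32) if end_to_end else None  # assumed shared among clients only
    server = RelayServer(transport_keys)
    people = {n: Participant(n, transport_keys[n], meeting_key) for n in names}
    outbound = people["alice"].send(server, ["bob", "carol"], message)
    delivered = {n: people[n].receive(blob) for n, blob in outbound.items()}
    return delivered, server.observed


def server_can_read(end_to_end: bool, message: bytes = MESSAGE) -> bool:
    """True if the plaintext is recoverable from what the relay logged."""
    _, observed = run_meeting(end_to_end, message)
    return any(message in item for item in observed)
```

Running `server_can_read(False)` and `server_can_read(True)` shows the difference directly: the recipients read the frame in both modes, but only in transit-only mode does the relay's log contain it.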

The second caveat is that a data breach may not be the fault of the videoconferencing provider at all. It is possible, for example, for someone to join certain Zoom meetings with just the meeting ID number. The end-users of a product often play a significant part in data breaches, by exposing their credentials or by failing to maintain adequate and up-to-date antivirus and malware protection on their devices, thereby allowing them to become compromised. If a meeting member publicly shares the meeting ID number for their Zoom meeting, as the Prime Minister did, and unwanted guests join their videoconference as a result, the user will have an uphill battle demonstrating to the courts that the service provider enabled this cyberbreach.

However, as employees, patients and the like are unlikely to have played a part in choosing the videoconferencing technologies their employers and medical consultants (et cetera) use, they may be able to take action against their employer or consultant under the GDPR in the event of a data breach that wasn’t of their own making.

Stepping through the relevant parts of the GDPR in the context of an employment example:

  • A video conference by its very nature contains “personal data” as per Article 4(1) of the GDPR. That is, information relating to an identified or identifiable natural person.
  • When employees participate in a videoconference, their personal data can be subjected to “processing” (Article 4(2)).
  • An employer that determines the purposes and means of processing of employees’ personal data, for example by mandating the use of Zoom for virtual meetings, is the “controller” under Article 4(7).
  • The controller is responsible for ensuring, inter alia, the integrity and confidentiality of their employees’ personal data.

An employee that suffers material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation under Article 82(1). Consequently, an employee whose personal data is exposed by means of a third-party breaking into or unlawfully monitoring a work videoconference may be able to claim against their employer for its failure to ensure the integrity and confidentiality of their data.

Article 82(3) may provide the employer some protection, in that a controller shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage. However, the need for the employer to prove that it is not in any way responsible is a high bar to clear. Certainly, it would be highly relevant and very important to an employer’s defence if the breach occurred on (say) Zoom’s servers. That said, whether any hardware (that is, the computers or other devices employees use) that an employer provides to its employees is of sufficient technical specification to operate securely may also be relevant. Older devices may not support the latest encryption standards, for example, and can thereby be vulnerable. Whether or not antivirus and malware software was provided by the employer to minimise hacking and snooping by third parties may also be subject to scrutiny, as may be staff training and related procedures that warn employees how to stay safe when working online or from home.

In the first instance, the cybersecurity risks that arise from the use of videoconferencing, online collaboration tools and chat systems for home-working need to be tackled by users and in particular employers. Zoom and its counterparts have roles to play, but we can all take steps to increase privacy and security when working from home. For example, by password-locking our computers when we’re away from them; enabling software that allows devices to be remotely wiped or disabled in the event they’re lost or stolen; and by ensuring that we do not tweet photographs of ourselves using videoconferencing software where our meeting IDs or any other part of our security credentials are visible.

A UK government spokesperson stated earlier that National Cyber Security Centre guidance shows there is no security reason for Zoom not to be used for government communications with staff and for cabinet meetings, and UK officials have also added that the risks of not communicating in the middle of fast-moving events far outweigh the possible security risks of using such a system. However, given the present uncertainties, we should all be asking ourselves whether a particular communication tool or channel is appropriate for sharing information of an especially confidential kind, and before we share it we should also consider what steps we have taken to minimise the risks of a cyberbreach.

 Paul Schwartfeger is a Barrister with 

Cybercriminals targeting critical healthcare institutions with ransomware

INTERPOL assisting member countries to mitigate and investigate attacks against hospitals

SINGAPORE – Hospitals and other institutions on the front lines of the fight against the coronavirus facing unprecedented physical dangers are now also facing another threat from cybercriminals.

INTERPOL has issued a warning to organizations at the forefront of the global response to the COVID-19 outbreak that have also become targets of ransomware attacks, which are designed to lock them out of their critical systems in an attempt to extort payments.

INTERPOL’s Cybercrime Threat Response team at its Cyber Fusion Centre has detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response. Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid.

To support global efforts against this critical danger, INTERPOL has issued a Purple Notice alerting police in all its 194 member countries to the heightened ransomware threat.

INTERPOL’s response

In response to this growing danger, the Cybercrime Threat Response team is monitoring all cyberthreats related to COVID-19, working closely with private partners in the cybersecurity industry to gather information and provide support to organizations targeted by ransomware.

It is also assisting police with investigations into ransomware cases in affected member countries as well as analysis of cybercrime threat data to help law enforcement agencies mitigate the risks.

“As hospitals and medical organizations around the world are working non-stop to preserve the well-being of individuals stricken with the coronavirus, they have become targets for ruthless cybercriminals who are looking to make a profit at the expense of sick patients,” said INTERPOL Secretary General Jürgen Stock.

“Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths. INTERPOL continues to stand by its member countries and provide any assistance necessary to ensure our vital healthcare systems remain untouched and the criminals targeting them held accountable,” added the INTERPOL Chief.

INTERPOL is also providing first-hand technical support to member countries, as well as mitigation and protection advice to help safeguard their critical medical infrastructure.

Additionally, INTERPOL is collecting a list of suspicious Internet domains related to COVID-19 and undertaking further analysis and evaluation, and will work with the relevant countries to take action.

Prevention and mitigation are key

At this point, the ransomware appears to be spreading primarily via emails – often falsely claiming to contain information or advice regarding the coronavirus from a government agency, which encourages the recipient to click on an infected link or attachment.

In this regard, prevention and mitigation efforts are key to stopping further attacks, particularly for frontline organizations like hospitals which are facing the highest risk.

To minimize the risk of disruption in the event a ransomware attack does occur, INTERPOL encourages hospitals and healthcare companies to ensure all their hardware and software are regularly kept up to date. They should also implement strong safety measures like backing up all essential files and storing these separately from their main systems.

Protecting your systems

There are a number of steps hospitals and others can take to protect their systems from a ransomware attack:

  • Only open emails or download software/applications from trusted sources;
  • Do not click on links or open attachments in emails which you were not expecting to receive, or come from an unknown sender;
  • Secure email systems to protect from spam which could be infected;
  • Backup all important files frequently, and store them independently from your system (e.g. in the cloud, on an external drive);
  • Ensure you have the latest anti-virus software installed on all systems and mobile devices, and that it is constantly running;
  • Use strong, unique passwords for all systems, and update them regularly.

COVID-19 Surveillance – Implications for a post Covid-19 Future

Legal Advice can change and be updated – please visit the 36 Commercial COVID-19 Assistance Hub for updates

Surveillance implications for a post COVID-19 future

Yuval Noah Harari took the opportunity in last weekend’s Financial Times to write an essay on modern surveillance methods, perhaps justifiable in the fight against COVID-19 but which might remain as permanent features of life afterwards. Harari argues that in order to halt the epidemic entire populations are required to comply with certain guidelines. This involves the government monitoring people and punishing transgressors. Fifty years ago, the KGB had no way of following 240 million Soviet citizens 24 hours a day; but this is no longer the case. Already in China the authorities are monitoring individuals’ smartphones, making use of hundreds of millions of face-recognising cameras and obliging individuals to check and report their body temperatures. This way, the Chinese authorities can identify suspected carriers, track their movements and identify their contacts. Israel is using similar technology, originally designed to track terror suspects.

Surveillance technology is advancing incredibly fast, and a biometric bracelet monitoring heartbeat and body temperature might not be so far away. Together with technology already available, it would enable the authorities to know what news media you follow, who makes you angry and who you laugh at. Imagine, asks Harari, such technology in the hands of the North Korean regime.

Harari’s concern is that rules making this kind of extreme surveillance legal have the habit of outliving the emergency they were designed to meet. His example is Israel’s state of emergency declared during its 1948 War of Independence, which has never been declared over. Hilariously, under that state of emergency, special regulations for the making of puddings were introduced. Even more hilariously, they were only abolished in 2011.

All of this means that civil society will need to be extremely vigilant and activist to ensure that all the invasions of privacy that will inevitably be inflicted on society in order to defeat COVID-19 do not outlive the pandemic and become the norm. This will involve litigation to return us to our old freedoms and rights and this can only be successfully achieved if that litigation establishes a general law of privacy, which the UK at present does not have.

John Campbell

36 Commercial

https://36group.co.uk/commercial

36 Commercial COVID-19 Assistance Hub

The rapid spread of the novel coronavirus disease 2019 (COVID-19) is a global public health crisis.  While governments around the world act quickly to save lives and preserve jobs, the one thing we know is that the full impact of this pandemic has yet to be felt and understood. 

36 Commercial has set up a dedicated portal to help its clients protect themselves and their businesses through the next few weeks so that they can best position themselves to help rejuvenate the global economy quickly once the worst is over.

This portal is designed to help 36 Commercial’s clients, their businesses and their employees to survive and protect themselves as the entire planet navigates its way along the curve of this terrible pandemic. These pages will be constantly updated by members of the group in response to the rapidly-changing contours of the legal, political and economic landscape.

Access the best Legal Assistance hub by clicking HERE: https://36group.co.uk/covid-19-hub

Your Security Journey, more for less during the COVID-19 pandemic

Thank you to Derek Willins, Head of Client Development, ADVENT IM.

The original article can be accessed on the ADVENT-IM site.

As we endure societal lockdown in an effort to control the spread of COVID-19, thoughts turn to imagining what will change when it’s beaten. I suspect that business continuity, business resilience and risk management will be high on most agendas for a while, alongside the financial restrictions that will decide what gets done and when. Supply chains will be overhauled, as will working from home policies, and mobile equipment. Digitisation will increase, as will automation and complexity. Quite what all the ‘new normals’ will be in two or three years is too hard to call, but it will look different from today.

There is one certainty though. Online crime will continue to grow. Criminal activity has stepped up during the crisis with sophisticated health and virus-oriented phishing and ransomware campaigns, as well as heartless physical attacks on ambulances and thefts of hospital oxygen canisters. Our enemies are merciless and cruel. Unified and better-constructed security defences have to be part of the inevitable reviews which will happen. However, I suspect the usual objections to change will centre around finance (specifically ROI) and how to get more from less. This latter issue I want to address.

Advent IM’s long-held philosophy has always been that holistic security (one team covering information, IT and physical security) is more efficient and effective than unconnected silos, and that excellence can be achieved with modest budgets. Underpinning this philosophy is that people and process are the master, and technology is the servant. All too often in the search for quick solutions, the lure of expensive technical security solutions (without good people and process around them) has failed to deliver on expectations. A more balanced approach of people and process with technical support is the strategy which brings affordable effectiveness. It was a pleasure, therefore, to discover some data which supports Advent IM’s philosophy.

A few months ago, a new report* was published which caught my eye. It is a document providing a view of the current state of information security, including current risks and trends, organisation structures and budgets.

The report analyses the respondents’ security budgets (as a percentage of their IT spend) against their security maturity status (scored 0 to 4, with 4 being optimal). Each respondent is then placed in one of four quadrants, the two axes being the group-average budget and the group-average security maturity.

[Figure: Advent IM security spend vs maturity]

Conclusions from the report:

  1. There is absolutely no correlation between security spend and security maturity.
  2. There are high security spenders with a low security rating (B), and some low spenders with high security maturity (A).
  3. The A group, with strong maturity and low expenditure, is spread across different industries and represents about 11% of organisations in the sample.

At face value then, the report tells us that security maturity (excellence, resilience) can be achieved, without massively high investment (less than 7.2% of IT budget). Clearly these organisations have something to teach everyone. Sadly, the analysis stops short of identifying their common attributes.  However, there are some inferences that can be made.

The security maturity measure runs from 0 (non-existent) to 4 (optimised, i.e. a business enabler). On average the sample scored 2.06. This puts them at the ‘Defined’ level, which means they have defined formal security processes, roles and responsibilities, and it is all communicated. So far so good.

The next level up (3) is the level the A group is approaching. This means they measure and test that the process is working effectively, KPIs are set, some automation is used, and regular reviews and audits are conducted. In short, the A group ensure their way of working is effective and adjust as they go, all done at below the average expenditure of 7.2% of the IT budget. In our experience, only people and process supported by the right technology make this happen.

Our experience tells us that most organisational leaders are satisfied that their security operation is currently fit for their purpose. It is also true that the same people want security to be a bigger part of their business culture, but rarely have a plan to make this happen. However, the evidence is clear that more can be achieved with reduced expenditure, and that all organisations, however confident, should be constantly reviewing and testing what they do, partly because threats are constantly changing and partly because great security is an enabler of innovation and productivity.

The financial circumstances post COVID-19 will demand that operational improvements are made. More cloud, more automation, more devices, more data, more risk. Security by design and default, means that planning for a more affordable and more effective security function in a post COVID-19 world starts now.


*Source: Capgemini Information Security Benchmark 2019. Based on 105 companies in the EU across 4 large private sectors (Utilities, Finance, Consumer, Manufacturing). CISOs’ and CIOs’ views.

SIA Comment on security staff as critical workers

26 March 2020

On Monday, 23 March the Prime Minister announced further instructions to the British public to combat the spread of Coronavirus (COVID-19). His announcement can be viewed here. It places further restrictions on when people can leave their homes and limits travel for work to essential roles only.

I am able to confirm that the current definition of critical worker DOES include regulated (licence holding) security professionals, essential to national infrastructure, operating in roles under the 8 broad headings listed. This status is only directly relevant to the ability to access the school and childcare systems at this time. This critical worker definition does not affect whether or not you can travel to work – if you are not a critical worker, you may still travel to work where this absolutely cannot be done from home.

To prioritise pressure on the schools system, it does NOT extend to all licence holders. It is role dependent. The list may change over time.

Government advice is to stay at home whenever possible. It is to keep your children at home whenever possible – even if you are a critical worker. If, and only if, you are undertaking an essential role, supporting the nation’s COVID-19 response, which you can only do by accessing the school or childcare systems, should you do so as a critical worker.

This definition covers, amongst other areas, security provision in hospitals; schools; social care; courts; government estate; supermarkets and the food supply chain; the transport network; national infrastructure and utilities. If you are providing essential security to a service which itself remains critical and functioning, which attracts critical worker status, then you are likely to be covered. If in doubt, check with whoever contracts for your services.

Roles essential to supporting law and order, with the potential to reduce demand on policing, also meet the critical worker definition. This would include, amongst other areas, the guarding of empty or closed commercial, retail or office premises; the monitoring of similar through CCTV or other remote means; and the provision of alarm response centres including mobile units.

If your role does not clearly fall under the headings above then you may still travel to work, if that work absolutely cannot be done from home. Your aim should be to stay at home whenever possible. If this is not viable then assess whether you can deliver more services remotely e.g. through CCTV. If a physical presence is required then you should seek to minimise the number of staff deployed to the lowest safe level and ensure social distancing is applied.

Note that in any circumstance, critical worker or otherwise, the Prime Minister has been very clear that ensuring social distancing remains the responsibility of the employer.

These are difficult questions in unprecedented times. They are not easy and no-one else can answer them for you. You will need to apply judgement, with the aim of minimising social contact where possible. The words to focus on are ‘necessary’, ‘critical’ and ‘essential’, otherwise please stay at home and minimise the transmission risks for the benefit of your health, your families, the general public and the NHS.

Ian Todd
Chief Executive

Please access the SIA Site Here: https://www.sia.homeoffice.gov.uk/Pages/Coronavirus.aspx