All businesses that allow their employees to work from home are responsible for ensuring that appropriate technical and organisational measures are in place to avoid and mitigate information security risks.
When working from home, employees will use either devices issued by your organisation or their own personal devices, connected through their own home networks, to access your information systems remotely, to transmit data and information, and to process your business data (including your customers’ data).
On a daily basis, we assist clients to implement appropriate technical and organisational measures to limit the risks associated with technology and information. A vulnerability in your business measures during these times may result in damage and loss to your organisation, something that no organisation can afford now.
Here are some guidelines:
Technology measures (not limited to):
- Home equipment: Your business should ensure that the employee’s home router is secure: that its generic default administrator password has been changed, that its firmware is up to date, that remote administration from the internet is disabled, and that its firewall is switched on.
- Passwords: Ensure that the default passwords on all devices have been changed and that any available security features are enabled.
- Ensure you’re using encryption. Personal webmail and private email accounts are outside your organisation’s control: messages may travel between providers unencrypted, credentials and content can be captured by interception (“man in the middle” attacks), and an attacker who gains a foothold on the home network may use it to reach an otherwise secure business environment. Employees should only use the mail applications made available by your organisation for business purposes.
- Virtual Private Networks: Supplement encryption in transit with a Virtual Private Network (VPN). Most workplaces now have VPN clients installed on business machines, and these should be used whenever available. Simply put, a VPN adds a layer of security by i) encrypting data in transit between the device and the organisation’s network; ii) hiding the user’s IP address from the sites and services they reach; and iii) masking the user’s physical location. Note that a VPN protects only the traffic inside the tunnel; it does not protect a device that is already infected, or a user who hands their credentials to a phishing page.
- Cyberattacks: Be aware of increased phishing and other forms of attack delivered through electronic communication. With many people self-isolating and working from home there is a significant appetite for news on COVID-19 developments, but employees must understand that such news is almost certainly not going to arrive via unsolicited electronic communication. Do not click links or open attachments in unsolicited communications offering help or advice, particularly relating to COVID-19 (or any other significant global event). Stay up to date using reputable news providers and trustworthy government websites for informed and credible updates.
- Wi-Fi Networks: Although employees should work only from home, some may want to use their devices while travelling to the few places still permitted, such as grocery shops, hospitals or pharmacies. Employees should not use public Wi-Fi networks; their devices should be set up to work from home. Public networks are, as a general rule, not secured and are prime spots for malicious parties to spy on internet traffic and collect confidential information. If connectivity away from home is unavoidable, a mobile data connection with the VPN enabled is preferable.
- Cloud Services: As far as reasonably possible, avoid saving confidential business information locally on the device; use reputable cloud service providers instead. This reduces the risk that confidential information is exposed if the device is stolen or otherwise unlawfully accessed (locally cached or synchronised copies remain at risk unless the device itself is encrypted). However, it is imperative to verify cloud service providers and to carefully consider the provider’s customer agreement, service level agreement, acceptable use policy and privacy policy before using their services (our IT law professionals can assist you in verifying the level of assurance when engaging a cloud service provider).
- Security at the organisation: Your organisation should ensure that appropriate security mechanisms, such as anti-malware software, firewalls and device encryption tools, are installed, active and up to date on any device being used for work purposes.
Organisational measures (not limited to):
- Mobile Device Policy: For all employees who have been issued with company devices, the organisation should ensure that each employee receives and understands the Mobile Device Policy. A Mobile Device Policy should address topics such as:
- Responsible Parties and duties
- Acquisition approval and registration of mobile devices
- Mobile device usage
- How to deal with lost and/or stolen devices, etc.
- BYOD Policy: Some employees may agree to use their own devices during this time to process data and connect to your organisation’s network/information system. For these purposes, we strongly recommend that your organisation implement a Bring Your Own Device Policy (BYOD Policy), which should address topics such as:
- Approval, registration and de-registration of devices and which employees are permitted to use their own devices.
- Information security standards to apply.
- Prescribed software and tools.
- Reference to relevant policies, i.e. IT Security policy and Data Protection Policy.
- Requirements to access organisation network.
- Device security and protection of personal information.
- Monitoring communications and the right to examine.
- Technical support responsibility matrix.
- Password Policy: To secure devices, and with that the information on them, companies should at the very minimum impose strict rules requiring that such devices are password protected (a Password Policy is strongly recommended) and that anti-virus software is installed on them.
- Electronic Information and Communication System Policy: If your organisation does not yet have this policy in place, now is the time to implement it. Before working from home, your organisation’s information security risks were confined to a limited environment, i.e. devices on premises, connected to the business network and the business server(s). With employees now working from home, the scope for information security risks increases to include the public internet, consumer security systems and third parties that are not subject to your organisation’s physical access control policy. The Electronic Information and Communication System Policy addresses topics such as:
- Inform and educate users on the access to and acceptable use of Communication System and Equipment.
- Create rules for the access to and use of Communication System and Equipment.
- Provide for the Interception of Communications.
- Provide for disciplinary action against Users who fail to comply with this Policy.
- Ensure and maintain the value and integrity of the company’s equipment and network(s).
- Email legal notice and email signature standards.
- Incident Management Policy and Procedure: Your organisation should be ready to deal with an incident if it happens: not only to identify an incident or an unauthorised or unlawful event, but also to understand how to deal with it, who to involve in its resolution, who to report to and what procedures to follow. Such a policy and procedure ensures effective and consistent management of security incidents involving an organisation’s information and/or information technology resources.
- Education, Training and Awareness Programs: We cannot emphasise this enough. It is not sufficient to forward your employees a policy and expect that all risks will be mitigated. People remain the weakest link when it comes to cybersecurity. It is imperative to continuously educate your employees about information security risks. This includes, as an example, education on recognising phishing emails, particularly at this time, when attempts to subvert security through phishing are expected to increase. Employees should be reminded to avoid clicking links in emails from people they do not know, and installation of third-party apps should be confined to bona fide app stores, even on personal devices. For more information on phishing simulation campaigns and training, you can contact our IT Law Department, which has now teamed up with IT forensic experts to provide practical campaigns and training on phishing attacks and associated cybersecurity risks.
How threat actors are sowing chaos and profiting from a lack of Cyber Awareness
In times like this, there are heightened opportunities for cyber-attacks that leverage global talking points such as the COVID-19 pandemic:
- COVID-19 is being used as a phishing lure by cybercriminals and nation-states.
- We expect to see an increase in attacks and scams themed around COVID-19 as publicity around the virus increases.
- Cybercriminals are using trusted brands, like the World Health Organization (WHO) and National Institute for Communicable Diseases (NICD), to build credibility and entice users into opening attachments.
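The phishing advice in the technology measures above and the brand-impersonation point in this list can be turned into concrete checks. The following is an added example, not code from the original article or from DKVG Attorneys: it parses a few constructed sample messages and flags the indicators discussed (a display name that claims a trusted brand while the sender domain does not match, a look-alike sender domain, a Reply-To that diverts replies elsewhere, a COVID-19 lure in the subject, and risky attachment types). The sample addresses, domains and subjects are made up, and the brand-to-domain table is an assumption made for the example.

```python
"""Heuristic phishing-indicator checks over constructed sample messages.

Added example, not part of the original article. All messages, addresses and
domains below are constructed for illustration; the brand-to-domain table is
an assumption for this example, not an authoritative list.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed mapping of brand keywords (as they might appear in a display name)
# to the domain the legitimate sender would use. Example data only.
TRUSTED_BRANDS = {
    "world health organization": "who.int",
    "who": "who.int",
    "nicd": "nicd.ac.za",
}
LURE_WORDS = ("covid", "corona", "coronavirus")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".zip", ".iso")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_same_or_subdomain(domain: str, legit: str) -> bool:
    return domain == legit or domain.endswith("." + legit)


def phishing_indicators(raw: str) -> list:
    """Return human-readable indicators found in one RFC 822 message string."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    name_l = name.lower()

    # 1. Display name claims a trusted brand, but the address is not on that
    #    brand's domain. Plain-word keywords ("who") can false-positive on
    #    ordinary English; this is a heuristic, not a verdict.
    for keyword, legit in TRUSTED_BRANDS.items():
        if re.search(r"\b" + re.escape(keyword) + r"\b", name_l) and not is_same_or_subdomain(from_dom, legit):
            findings.append(f"display name '{name}' claims {legit} but sender domain is {from_dom}")
            break

    # 2. Look-alike sender domain: within two edits of a trusted domain, not identical.
    for legit in sorted(set(TRUSTED_BRANDS.values())):
        if from_dom != legit and levenshtein(from_dom, legit) <= 2:
            findings.append(f"sender domain {from_dom} looks like {legit}")

    # 3. Reply-To diverts replies to a domain other than the sending domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    # 4. Topical lure in the subject line.
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in LURE_WORDS):
        findings.append("subject uses a COVID-19 lure")

    # 5. Attachment types that can carry code or macros.
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {fname}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: World Health Organization <alerts@who-int-updates.com>
Reply-To: collect@mail-relay.example
Subject: URGENT: COVID-19 safety measures for your staff
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached guidance.
--b1
Content-Type: application/octet-stream; name="Safety_Measures.docm"
Content-Disposition: attachment; filename="Safety_Measures.docm"

ZmFrZQ==
--b1--
"""

SAMPLE_LOOKALIKE = """From: WHO Alerts <news@wh0.int>
Subject: Daily update
Content-Type: text/plain

See our website for today's figures.
"""

SAMPLE_LEGIT = """From: IT Helpdesk <helpdesk@example.co.za>
Subject: Reminder: VPN client update available
Content-Type: text/plain

The updated VPN client is available from the company software portal.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

Run as a script, the phishing sample produces four indicators, the look-alike sample two, and the legitimate helpdesk reminder none. In practice such checks belong in the mail gateway or a security awareness tool; the point here is that each of the warning signs the article describes can be checked mechanically as well as taught.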
The government, under the leadership of President Mr Cyril Ramaphosa, has implemented certain measures to protect its citizens from the COVID-19 virus. It is your responsibility, as a business leader, to protect your organisation’s information, and more importantly your customers’ information, from malware and cybercriminals.
For more guidelines and assistance with the above deliverables, you can contact Mr Gerrie van Gaalen (IT&IP Law Department) on gvgaalen@dkvg.co.za.
This article is for general information purposes and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact us At DKVG Attorneys for specific and detailed advice.