Cybersecurity and Data Privacy in the Time of COVID-19

By April Doss

Cybersecurity is never just an IT issue. It is always about the combination of people, processes, and technology. In this pandemic, the people part of the equation has added significance and jeopardy. Unfortunately, but not surprisingly, at a time when people and organizations are most vulnerable, we are seeing sophisticated hackers try to take advantage. Some are sending emails claiming to be from the CDC and other trusted organizations, and including links to malware with come-ons like “click here for coronavirus cure” or “COVID-19 tax refund.”

People who feel overwhelmed and distracted are more likely to take the bait, or to take shortcuts around proper security procedures so they can save a few minutes during their fast-paced days. It is tempting to take shortcuts, especially if there are no policies at your financial institution that forbid them. So if you do not have formalized policies that forbid forwarding work emails to a private account, using USB sticks, and other practices that have proven to be dangerous time and again, I would advise you to create them and communicate them to your employees. Policies are a low-cost and effective way to shore up the “people and processes” portion of your cybersecurity framework. Also, consider requiring VPN technology for work-from-home employees.

A note about forwarding work emails to a private account: It is tempting because it can be convenient, but it creates a lot of issues. For instance, by signing up to use Gmail, a person has given consent to Google to scan the content of emails so it can mine them to send targeted advertisements. Many users are aware this happens, but may not think about the ways that it could pose a security threat for your organization once work email is sitting in a personal account outside your control.

Something to watch for: Often the greatest users of shortcuts are officers and senior management, who may feel more pressed for time and under pressure than others.

The exploits to watch change constantly even in the best of times, so we can probably expect that to be the case in this pandemic as well. Unfortunately, there is not one single repository to find all the latest information on the exploits that are circulating. The FBI puts out regular alerts about upticks in cybercrime, including one recently on the new phenomenon we now know as Zoom bombing, in which uninvited participants hijack a video meeting. The agency suggested steps to prevent someone from hijacking meetings. But the FBI alerts don’t cover everything. To get a more complete view, also refer to technology-related news websites, sign up for cybersecurity email updates from major news organizations, and consider becoming a member of information-sharing consortia like the Financial Services Information Sharing and Analysis Center (FS-ISAC).

As always, third parties—and your agreements with them—are a key concern. Make sure you have legal protections regarding those relationships. Are you requiring your business partners to have sensible cybersecurity and privacy measures in place, and to indemnify you for any costs that you incur as a result of a cybersecurity error or omission by them? Does your IT vendor have a limitation of liability that would allow it to avoid paying a fair share of damages? Have your vendors given access to your systems or data to their own third parties? This is something you must know and have a handle on.

If you don’t have a cyber insurance policy, now is an opportune time to consider getting one. Be mindful that coverages can vary greatly, and it’s important to make sure you understand how your cyber coverage fits in with your overall insurance portfolio.

When people are working from home, it’s especially important to be clear about which kinds of information may be subject to special limitations on access, use and disclosure. These restrictions could come from privacy laws, other kinds of regulations, or contractual obligations to keep certain information confidential; it’s also important to be able to identify internal trade secrets or other sensitive intellectual property. One way to make these distinctions clear is to implement a data classification scheme that can be used to control access and limit use and disclosure of data.

When it comes to protecting data, classify it and its access in terms of how sensitive it is and whether any specific data protection obligations apply to it. The more sensitive the data, the fewer people who should have access, and it should also be encrypted. By classifying data by sensitivity, if something is breached, it will be easier to determine quickly how sensitive it was. Data governance can be complex and multi-faceted, but if your organization is implementing this for the first time, you can consider using just three classification tiers. Public, which is what it sounds like, is information that is open to everyone. Think press releases, marketing information, and the like. Then there is non-public business information, which includes information related to routine operations—such as an internal company directory—that you would not want to be public, but that would not be harmful if it were disclosed. Then there is confidential information, which can be a single category or can include sub-categories for different kinds of information. The simplest approach is to create two sub-categories: the first is confidential business information, such as internal strategy documents, budgets and growth projections, intellectual property, risk assessments, and anything else that could put your institution at a competitive disadvantage if it were known outside the organization. The second is confidential personal information, which includes anything protected by data privacy laws and regulations, such as personally identifiable information (PII), performance reviews, and customer account information. With a simple three-tiered approach like this one, it’s easier to make and implement sensible decisions about which personnel have access to which classifications of data.

This is a historically difficult time. The good news is, long term, the lessons institutions and their employees are learning now about working in remote environments can benefit us in the future. Much has been written about how the pandemic could cause a huge shift in the numbers of people who work from home.

If that occurs, from a cybersecurity and data privacy point of view, we will be prepared.