IT security specialists deal with threats every day; it is part of their daily work in an ever-growing business. But with the recent, unprecedented move to employees working from home, are security teams focusing enough on the potential issues that employees can create while working remotely during this health crisis? Specifically, are privacy issues being sufficiently reviewed before new technology is implemented?
Whether it’s HR, sales, finance, marketing, etc., employees in all departments expect to be able to continue their professional activities from the comfort of their own homes. As employees shift to working from home, organizational leadership expects IT teams to understand how any one of a number of privacy regulations applies when the workforce is no longer protected behind the proverbial corporate firewall. While remote/mobile workers are not new, the sheer scale caused by the COVID-19 pandemic is forcing IT teams to test the limits of many internal policies.
In healthcare, for example, where HIPAA and HITECH have long enforced protection of patient information, employees who previously would never have been allowed to work from home are now safely ensconced in their home offices with potential access to vital patient data. The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada regulates how Canadian organizations collect, use and disclose an individual’s personal information. The Payment Card Industry Data Security Standard (PCI DSS) regulates how a merchant or service provider stores, transmits, or processes cardholder data (especially with cash payment declining) in order to ensure card data remains safe. But now, with employees moving in droves to work from home, the scope of data for any of these compliance frameworks has been dramatically expanded and the methods of sharing this data are being stretched to their limits.
Information sharing is vital, especially with the workforce now spread across the globe. Everyone using “sharing” tools, which include social media, should consider whether business-sensitive or personal information is required for the conversation at hand. Security teams must also perform a thorough review of all sharing tools, including a review of data privacy policies as well as known application vulnerabilities, before deciding whether to implement the tool. In times like these, you can’t be too careful with personal information.