Maintaining Privacy During A Global Crisis

This article could have just as easily been titled “Maintaining Privacy Beyond 2020.” From the threat of advanced phishing attempts to geopolitical cyber threats, it feels as if our digital safety is in a constant state of jeopardy. The introduction and global spread of COVID-19 has only exasperated that  problem. From the switch to having to remote work seemingly overnight, which has put IT teams under extreme stress, to individuals compromising their personal health data for the greater good of medical research, I’m certainly not alone in noticing that our information doesn’t feel safe. In fact, 70% of Americans believe that their personal information is more vulnerable now than in the past.

From a business standpoint, it’s unclear how many companies had a real pandemic playbook, and COVID-19 forced those same companies to acknowledge that if they didn’t have plans, they now needed them. And if they did have plans, they probably weren’t comprehensive enough or they needed to and continue to need to be updated. 

There have always been technology threats to privacy. This is something responsible technologists are prepared to address. But instead of preparing for a particular type of risk, in this case COVID-19, an organization should be focused on implementing best practices so that systems are resilient in all situations. Firms need to think out of the box to prepare for risk complexity. While, COVID-19 has exposed weaknesses in which hackers are using the current circumstance for nefarious purposes, this won’t be the last crisis we must be concerned about. 

Cybersecurity

Internationally, cybersecurity concerns are on the rise. In a recent Cyber Risk Perception Survey, 79% of respondents ranked cyber risks as a top five concern for their organization, which is up from 62% in 2017. While there is no formal playbook to ensure safe practices for the masses and we aren’t holding our breath, a few regulated entities used this particular crisis as a time to impose reporting obligations which leaves way for guidance to mitigating cybersecurity risks. In March, the Cybersecurity and Infrastructure Security Agency issued an alert urging businesses to adopt a heightened state of cybersecurity as they transition employees to remote working options. CISA has recommended alerting employees of increased coronavirus-related phishing attempts and pointed IT professionals to a July 2016 guide on telework security issued by the National Institute of Standards and Technology. 

Linking to a guide from 2016 feels a little dated, no? Luckily within the same week, the Federal Trade Commission issued cybersecurity tips for remote working during the pandemic, which urges individuals to follow their employer's security practices, and provides advice for securing home networks, disposing of sensitive data securely, and ensuring devices are protected with strong passwords.

Data Privacy 

Even before the pandemic, data theft was of great concern. In the World Economic Forum 2019 Global Risks Report, business leaders ranked cyber attacks and data theft among the top five risks most likely to occur. 

From breeches to hijacked Zoom meetings, it turns out only 52% of companies have security standards in place regarding third-party vendors and contractors. And if we zoom out (pun intended) even further on the situation, something that should be of concern to business leaders: 72% Americans say they benefit very little or not at all from the data collected about them by companies.

While there’s no quick fix and no roadmap to make a business immune to attack, here are a few things leaders can do to safe-guard their operations:

• Take immediate steps to mitigate heightened cybersecurity risks arising from the surge in remote work and ensure response and business continuity plans account for the current conditions.
• Stay current with evolving cybersecurity data privacy guidance relating to the pandemic to reduce risk. 
• Data controllers should be as transparent as possible. If your team is collecting data, ensure the collection, processing and possible sharing of personal data serves the interest of the reason it’s being collected and is consistent with societal and ethical values, as well as the expectations of individuals. 

A final note I want to add is on the role of leadership during this time: while a leader’s support for teams must be structural, it must also have an emotional component. You can’t just lift people from what they’ve always known, displace them into a foreign work setting while the world crumbles, and expect things to go on as normal. Along with pushing teams, leaders also have to do the work to increase their own empathy, create space for a work-life blend, and be open.

During this pandemic, we’ve learned the value of fast after-action reflection. While IT at many organizations are still reacting today, those that will pull out and ahead of this are those working to shift towards a proactive readiness for future crises. COVID-19 is one of many crises that is set to uproot our technological security as we know it. Is your team ready?