HDPA’s Guidelines on Secure Teleworking: Safe Work from Home
Authors: Irene Kyriakides, Elina Georgili, Natalia Soulia, KG Law Firm
Following the rapid outbreak of coronavirus in Europe, and while governmental and health authorities are struggling with its wildfire spread by taking tight measures amidst this state of emergency (ranging from meticulous social distancing to massive non-essential business lockdowns), companies are also facing unprecedented challenges in their day-to-day operation. Prioritising the safety and wellbeing of their employees, while at the same time aiming to preserve business continuity and soundness, most businesses are undergoing a seismic shift towards remote working arrangements. Although necessitated by the circumstances, this massive transition of employees from corporate networks to largely unmonitored and vulnerable private networks outside the reach of perimeter-based security tools finds most companies unprepared and, thus, exposed to greater cyber threats than with on-premise work.
In response to the drastic influx of employees working remotely and while hackers have already begun to launch coronavirus-themed cyberattacks, the Greek Data Protection Authority (HDPA) has issued guidance on best practices for teleworking securely. In line with the recent relevant ENISA recommendations, the HDPA discusses useful techniques that can help companies and employees harden their IT resources, networks and devices and hence mitigate cybersecurity and data privacy risks associated with remote working.
The key recommendations set out by the HDPA, addressed to employers acting as data controllers or data processors as well as to employees, are the following:
I. Recommendations for Employers
- Establish robust security policies and articulate clear remote working procedures;
- Organise cybersecurity awareness training, primarily with the support of the DPO, ensure that all applicable internal security policies are circulated amongst employees, and assist them with their implementation;
- Allow remote access to their IT systems and internal networks only via encrypted communication channels (SSL VPN, IPSec VPN) and subject to authentication requirements (e.g. two-factor authentication);
- Enable employees’ access to their IT systems on a need-to-know basis and only to the extent absolutely necessary;
- Implement enhanced security controls, such as encryption of the device and the data present on it, especially when it comes to sensitive or confidential information;
- Perform regular back-ups;
- Use the auto-lock feature as a default setting;
- Use software solutions that allow them to distinguish between private and business use of the device;
- Provide employees with secure video conferencing tools with end-to-end encryption;
- Ensure that they always comply with data protection laws and that they respect their employees’ right to privacy, for example in relation to monitoring the use of devices, having regard to the higher expectation of privacy an employee has when working remotely.
II. Recommendations for Employees
- Protect their Wi-Fi network using WPA2 encryption and a hard-to-guess password;
- Keep personal and work files separate;
- Avoid uploading corporate documents to cloud-storage accounts;
- Refrain from exchanging corporate information through possibly insecure connections (e.g. via personal email or instant messaging applications);
- Apply all normal security baseline controls to their devices, such as regularly installing updates as well as using firewalls, anti-virus and anti-malware tools;
- Do not share the virtual meeting URLs on social media or other public channels.
With the advent of coronavirus, as work norms change and teleworking strategies become a centerpiece of the battle against the evolving health and financial crisis, cybersecurity has become a vital issue for building business resilience. Companies, on the one hand, are urged to take into consideration the increased risks the remote work environment poses to their data, systems and networks and to invest heavily in IT security. Employees, on the other hand, are encouraged to carefully follow all IT security guidelines, stay alert to security incidents and be vigilant against phishing attacks. Should the world of work take advantage of this changing workplace paradigm to develop a new work culture, things will probably be very different when we return to normalcy.
