In response to the COVID-19 outbreak, the Czech data protection authority, i.e. the Office for Personal Data Protection (the "Office"), published a list of ways to avoid cyberthreats while working remotely. As it seems home office will remain popular even after the anti-coronavirus measures have been relaxed, it is worth summarising the Office's basic IT security recommendations. Although most of the rules are intended for employees, employers should also read them to check that at least basic IT security measures have been adopted in their organisation.
Deceitful attachments, hyperlinks and macros
The Office warns that deceitful emails often carry attachments or hyperlinks that appear to contain important information about the coronavirus. Such emails can no longer be recognised by poor Czech alone, and the Office stresses that even the sender address can look perfectly trustworthy. An attachment may itself contain a false notice that the document was created in an older version of the text editor and that macros must be enabled to view its content; in reality, enabling macros is what installs the malware. Phishing emails with suspicious hyperlinks also remain popular.
Suspicious attachments should never be opened. The purpose of these attacks is to obtain money or access to IT systems, for example by extorting a ransom.
The Office warns never to click a suspicious hyperlink with the left mouse button. Instead, right-click it, choose "Copy Hyperlink" and paste the address into Notepad to see where it really leads.
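The two lures described above, a macro-enabled attachment and a link whose visible text disagrees with its real target, can both be checked mechanically before anyone opens the message. The following Python script is an added example written for this summary; it is not part of the Office's recommendations and does not come from any product. It looks for a VBA project inside OOXML (.docm/.xlsm/.pptm) attachments, which is what the "enable macros" prompt ultimately loads, and flags HTML anchors whose displayed text looks like a web address but points at a different host. The sample email, the example.org/example.net names and the `vbaProject.bin` stand-in are constructed for the demonstration; the two-label host heuristic is a simplification (it does not handle suffixes such as co.uk).

```python
"""Triage an email for two common lures: macro-bearing Office attachments and
hyperlinks whose visible text does not match the real target.
Added example; the sample message below is constructed, not a real capture."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# OOXML packages only contain one of these parts when the file carries VBA macros.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def has_vba_macros(data: bytes) -> bool:
    """True if `data` is an OOXML (zip-based) document that embeds a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:      # legacy .doc/.xls or not an Office file at all
        return False
    return any(part in names for part in MACRO_PARTS)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url_or_host: str) -> str:
    """Last two DNS labels of the host (simplified; ignores suffixes like co.uk)."""
    url = url_or_host if "://" in url_or_host else "http://" + url_or_host
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def deceptive_links(html: str) -> list:
    """Return (href, text) pairs where the text looks like an address but the
    link leads to a different registrable host."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        looks_like_address = "." in text and " " not in text
        if looks_like_address and registrable_host(text) != registrable_host(href):
            flagged.append((href, text))
    return flagged


def triage(raw_message: bytes) -> dict:
    """Walk every MIME part and report macro attachments and deceptive links."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    report = {"macro_attachments": [], "deceptive_links": []}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_type() == "text/html":
            report["deceptive_links"].extend(deceptive_links(part.get_content()))
        elif part.get_filename() and has_vba_macros(part.get_payload(decode=True)):
            report["macro_attachments"].append(part.get_filename())
    return report


def build_sample_email() -> bytes:
    """Constructed lure: an HTML body with a mismatched link plus a .docm that
    contains a (dummy) VBA project. Addresses and hosts are placeholders."""
    msg = EmailMessage()
    msg["From"] = "info@example.org"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "COVID-19 update"
    msg.set_content("Open the attachment for the latest information.")
    msg.add_alternative(
        '<p>Details: <a href="http://login.example.net/info">www.example.org</a> '
        'or <a href="https://www.example.org/news">https://www.example.org/news</a>.</p>',
        subtype="html",
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # stand-in for a real VBA project
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="report.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_email()))
```

Running the script prints the attachment name and the single mismatched link; the second anchor, whose text and target share a host, is not reported. The macro check only says that a VBA project exists, not that it is malicious, which is exactly the point of the Office's advice: a document that asks to have macros enabled is suspicious on its own.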
Working device not to be confused with personal one
When working remotely, employees may be tempted to visit websites they would never open in the office. The Office warns of the increased risk of a malware infection. Not only can the device itself be infected, with the loss of the data stored on it, but the organisation's entire IT system can be endangered once the device is reconnected to it. In general, greater caution is needed whenever a private device is used to access the employer's IT system remotely.
Public Wi-Fi networks to be avoided
Without further precautions, personal data and other sensitive information should never be transferred over public Wi-Fi networks. Mobile data or a VPN are considerably more secure. Before using a third-party VPN, the Office recommends checking the provider's reputation, where it is registered and which laws apply to it.
The Office notes that employees should never use the same passwords on private and work devices. This applies above all to passwords for remote access to the employer's systems: if a home computer is compromised, credentials saved in browsers and email clients are usually easy to extract.
Physical safety of devices
Authentication (e.g. a password or biometrics) should be required after the computer is switched on. The Office also recommends full-disk encryption to limit the damage if the device is stolen.
The Office stresses that family members should not have access to a work device. This applies especially to children, who might unwittingly trigger the risks described above.
If a device behaves abnormally (e.g. documents have been replaced by files with unknown extensions, or notices about recovering files after paying a ransom appear in files or on the wallpaper), the employee should contact the employer's IT experts.
In an emergency it should be possible to stop the backup process without an administrator's help, since the administrator may not be reachable and backups are often made by copying files to another location at regular intervals; interrupting the job in time can keep the replaced files from overwriting the clean backup. It should also be possible to restore previous versions of files (e.g. by means of incremental backups).
In the event of an infection, the Office stresses that every minute counts. The affected device must be turned off as soon as possible, and the administrator, the data protection officer or the persons responsible for compliance must be informed. The employer should describe the procedure in its internal documentation on security incidents.
Data breach notification duty
If the conditions of Article 33 GDPR are met, the employer must report the personal data breach to the Office. In more serious cases, where the breach is likely to result in a high risk to natural persons, the employer as data controller must also inform the affected natural persons (data subjects) in line with Article 34 GDPR. Even where no notification duty arises (e.g. the attack was stopped in time, the attacker gained no access to personal data and the data were recovered from backups), the employer is still obliged to document the breach under Article 33(5) GDPR.
The Office's recommendations for remote work were published on 3 April 2020 and can be accessed here (in Czech only).
Authors: Eva Bajáková and Ivana Novakovská