Do flexible and remote working arrangements constitute a cybersecurity threat?

With an increased reliance on technology due to remote working arrangements, companies may be faced with cybersecurity challenges including cyber-attacks and cyber-related fraud. Despite cyber security software that may be available to employees, there is an added inherent risk in accessing a company’s network from any location other than the workplace. Employees who work remotely and use public networks whilst doing so, such as the free WIFI available in cafés or airport lounges, are therefore vulnerable to the increasing threat of cyber-attacks.

The most common forms of cyber-attacks include the interception of email correspondence and phishing scams. This often occurs when cybercriminals monitor the servers of either the sender or recipient of an email communication and strategically intercepts the communication by posing as a sender.

Employees should also be aware that there has been an increased number of reported phishing scams on email related to the COVID-19. There are reports of fraudsters impersonating agencies such as the World Health Organization, a company’s human resources department or other government agencies enticing people to open up attachments or to click on links with information regarding COVID-19. Attackers are then able to push malware, ransomware and attempt to gain access to a personal information and passwords.

Email interception, hacking, identity fraud and computer related extortion are recognised as offences under the Electronic Communications and Transactions Act No 25 of 2002 (ECT Act), and the maximum penalty is a fine (unspecified) or imprisonment for a period not exceeding 12 months. The Cybercrimes Bill [B6 of 2017] will, once effective, create a variety of new offences which do not currently exist in South African law and afford companies with a degree of comfort relating to the prosecution of cybercrime offences.

Although South African law currently does not specifically impose a duty to implement cybersecurity measures in an organisation, the Protection of Personal Information Act No 4 of 2013 (POPI Act) (the substantive provisions of which have not yet commenced) does contain obligations on responsible parties (data controllers) to implement reasonable technical and organisational measures to safeguard personal information in their possession or control against unauthorised access, which will likely include adopting cybersecurity measures.

According to the latest annual Cost of a Data Breach Report, conducted by the Ponemon Institute, the average cost of a data breach in South Africa is approximately R43,3 million. As a result, flexible and remote working arrangements may pose a substantial and costly risk to employers from a cyber security perspective.

Against this backdrop, it is imperative for business to review and adopt an information security policy which employees must adhere to. Employees should be encouraged not to connect to unsecure or public WIFI and utilise, where applicable, VPNs to protect their company’s proprietary information. Common sense should also prevail, employees should check URL’s before clicking on any links and beware of suspicious emails. With an increased use of teleservices such as Skype, Microsoft Teams, Zoom and the like, employees should ensure that meeting requests are legitimate prior to joining any meeting and refrain from taking ‘shortcuts’, such as sending documents to colleagues via unsecured instant messaging services, discussing confidential work matters on public chat platforms, saving documents to their desktop instead of on secure locations and using unencrypted personal devices for work matters. Any work should occur via the employer’s designated channels for remote working, such as VPN’s or servers.

Companies should insist that any remote working arrangement should occur via its designated digital channels for remote working, such as VPN’s or servers.