Remote working and distance learning: how to keep your data cyber-secure
by Sonia Intonti
It is unavoidable that a global health emergency has a very deep impact on our daily lives, particularly when it occurs at the intensity of the ongoing one caused by the Coronavirus.
No one knows what the signs of normality will be after the virus, but it’s also difficult to control the course of our lives even now that we are locked in our homes, and that we believe we have locked out any danger, regardless of those we naively let in through the window of our devices.
Although in some ways this period could be epitomized by the Latin proverb “facere de necessitate virtutem” (make a virtue out of necessity), since the restrictions that are being imposed on us to cope with the pandemic are putting us before an aut aut for which we either adapt or fall, on the other hand these skills that most of us are compelled to develop in order not to lag behind must be managed appropriately.
To this end, in the following paragraphs we will focus on the tools and behaviors to be adopted and the ones to be avoided when working and learning remotely and keeping your environment safe.
In fact, by the end of March, due to the increasing transition of work and education in the digital world, the FBI’s Internet Crime Complaint Center (IC3) has seen a significant increase in cyber risks. In many cases, in fact, the systems that are chosen for these purposes have been set up quickly in order to cope with the rise of demands, and therefore are often not taking into account security profiles.[1]
Remote working is smart working
1. Confidentiality is value: remember it when holding conversations or using a screen
Family environment and work environment need to be distinguished: pay attention to those with whom you share your home, whether they are family members or friends, when sharing confidential work information. Try to keep conversations where the others are less likely to overhear you and place your screen where it is less likely to be watched.
2. Distinguish personal and professional devices and/or physical repository
Especially if you have to work using personal devices, keep your organization’s data separate from your personal ones. Organize your work in a way that prevents accidental loss or deletion of data.
For this purpose, it’s recommended to create a specific user identifier for the business activities in order to separate the personal environment from the work environment.[2] Make sure you don’t keep your organization’s data longer than necessary, and when you get rid of it, make sure it’s not recoverable. Ideally, your organization should have provided you with a secure technology to work with, but alternatively make sure you use all affordable means of data protection: in particular, the EU Regulation 679/2016 requires to put in place appropriate technical and organisational measures [3] to ensure you process personal data securely and, among the others, it includes encryption. Especially if you store or share personal data, you should use encryption and ensure that your encryption solution meets current standards [4]. Use strong passwords: whether using online storage, a laptop or any other technology, it’s important to use passwords that can help your work remain secure (more advices in the notes)[5].
3. Be extra vigilant about opening web links and attachments
Don’t click on unfamiliar web links or attachments claiming to give you important COVID-19 updates. Detecting emails or fake messages that have criminal intent has become more and more difficult, which is why it is increasingly important to know what to pay attention to when receiving emails – especially when they seem to be trying to help you manage your emotions or your health at times of highest vulnerability such as this one. The National Cyber Security Centre drew up a list of elements to which it’s necessary to pay attention for this purpose[6].
However, while it may be boring and repetitive to discuss criminal attacks that may be lurking between e-mails, we should instead dwell a little longer on those that may arise when using video conferencing platforms. Thankfully, technology is helping us all stay connected through Video conferencing platforms and apps as new ways of doing business, holding staff meetings and keeping in touch with colleagues.
That’s why video conferencing technology must be transparent, especially in periods like this one when they are overused. We as users need to know how our data is processed, as well as having choice and control over it. For this reason it is crucial to read the privacy policy and make sure we understand what data of ours is processed, with whom it is shared, how long it is stored and for what purposes.[7] It is also important to know what tools we can implement to manage the security of our video calls: these can include restricting access to meetings using passwords, controlling when people can join the meeting or controlling who is allowed to share their screens. Moreover, it has been verified that one of the ways by which a cyber-attack is attempted is to offer the possibility to download software emulations, thus allowing the introduction of malware into systems and the interception of communications or even the control of devices. In order to avoid these attacks, it is important to double check the source of the offer, to make sure it is reliable and not to be misled by the fact that the product is free of charge or cheap.
Within this scenario, it has to be considered that the ‘live chat feature’ can be used by malicious people to spread phishing messages through links or attachments. That’s why is important to not to click on those you were not expecting or from meeting attendees you do not recognise.
FBI’s Internet Crime Complaint Center (IC3) received more than 1,000 reports of online Coronavirus-themed scams, and the analysis that followed found that cybercriminals had conducted massive phishing attempts, DDoS attacks against government agencies, ransom attacks against medical facilities, and created deceptive websites.[8]
Distance learning and children’s rights
Balancing two fundamental human rights such as the right to education and the right to health is never easy and obvious, but if we change our way of looking at “balance”, and go a little further to get a broader picture, we realize that balancing is not choosing one or the other, but rather finding ways to ensure both in different ways. And here is exactly where balance should turns into intuition in order to establish a new balance when conditions change.
And at the time of the Coronavirus, when schools legitimately have closed their gates as a measure against the spread of the virus and for the protection of everyone’s health, even the youngest children’s right to education had to expand to other spaces. The cyberspace.
Especially within this scenario, Internet Service Providers (ISPs) have to keep in mind that children should be afforded enhanced protection when they are online, and the processing of their personal data is no different.[9] The GDPR, assuming that children are less aware about the risks hidden behind the processing of their personal data and so about the relevant consequences, requires more effective security measures, more transparent and comprehensible privacy information, and that “consent is given or authorized by the holder of parental responsibility over the child” [10] and tighter limits both for the storage and for the types of data processed.
In order to support both schools and families in choosing the most suitable platforms for online education, a list of distance learning options has been published by many governments [11]. In addition, UNESCO has also published a list of applications, platforms and educational resources that also consider the protection of children’s data.
In any case, children should be supervised when using Internet and any privacy and geolocation settings should be set in advance in the most protective way for the safety of children. Likewise, the cookie settings must also be adjusted in advance within the browser for this purpose.
Moreover, parental controls could help to block or filter upsetting or inappropriate content. You can install parental control software on your child’s and family’s phones or tablets, games consoles, laptops and your home internet.
Nevertheless, the technical settings of the devices that children are asked to use not only for entertaining but also for educational purposes cannot replace family education on how to surf the Internet.
Bibliography
[1] Gazzella Stefano, “Coronavirus, anche l’FBI lancia l’allarme sui cyberattacchi”, Infosec News, 10 Aprile 2020 https://www.infosec.news/2020/04/10/news/sicurezza-digitale/coronavirus-anche-lfbi-lancia-lallarme-sui-cyberattacchi/?fbclid=IwAR1U7NuRXbj1dyh0dChjCYkQ8_ecvI3Bg-8-mybH12lG3Wa6TSdLBNfVU5c
[2] ICT Cyber Consulting, Stay Home – Stay Cybersecure, April, 23rd 2020 https://www.ictlegalconsulting.com/2020/04/23/stay-home-stay-cybersecure/.
[3] Article 32 par. 1 GDPR “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
[4] Information Commision Officer (ICO), “How should we implement encryption?”, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/encryption/how-should-we-implement-encryption/.
[5] One of the easiest and most recommended method suggested by National Cyber Security Centre consists in creating passwords using three random words. For example, “traintablewater”. “Maths is great, but not at the expense of the users. It is really, really hard for a user to remember lots of complex, unique passwords. What happens is that we come up with coping mechanisms which are well known to cyber-criminals, and which they can and do exploit in order to attack our accounts. […] Three well-chosen random words can be quite memorable but not easy to guess. It provides a good compromise between protection and usability”. https://www.ncsc.gov.uk/collection/passwords.
[6] The National Cyber Security Centre, “Phishing attacks: dealing with suspicious email and messages” https://www.ncsc.gov.uk/guidance/suspicious-email-actions#section_3.
[7] Irish Data Protection Commission (An Coimisiùn um Chosaint Sonrì), “Data Protection Tips for Video-Conferencing”, 3rd April 2020 https://www.dataprotection.ie/en/news-media/blogs/data-protection-tips-video-conferencing?fbclid=IwAR3yWBlcebID4eK8fqojTXol2FLTGJ22eYM19LWg_c8XCggUDjvLXY7N_0M.
[8] Federal Bureau of Investigation (FBI), “FBI sees rise in fraud schemes related to the coronavirus (covid-19) pandemic”, March 20, 2020 https://www.ic3.gov/media/2020/200320.aspx.
[9] Matthew Gilhooly, “Children and the GDPR”, 2018. https://www.addleshawgoddard.com/globalassets/insights/retail-and-consumer/retail-consumer-newsletter-feb-2018-children-the-gdpr.pdf.
[10] Article 8 GDPR par. 2 “The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.”
[11] The Italian Government published a list of recommended distance learning platform here https://www.miur.gov.it/web/guest/-/la-piattaforma-scuolab-per-la-didattica-a-distanza.
Autore
