Wealth WFH: A Privacy Nightmare and a Hacker’s Dream – Part 3
As wealth managers are now forced to work from home, it raises questions about cybersecurity, protection of data and safety of clients' and firms' information. In the third and final part of a series, author Wendy Spires examines the issues.
Along with being our head of research, Wendy Spires is a
Certified GDPR Practitioner who takes a keen interest in all
things related to data privacy in wealth management.
This is the final instalment of a three-part feature examining
remote working risks, which offers practical tips from experts on
maintaining security and data protection compliance. (See the
first two instalments
here and
here.)
Having set out a range of data protection risks emerging from
remote working, we now turn to what the experts are advising so
that wealth managers can be both agile and compliant with their
data protection obligations under the GDPR and similar
regulations. Long-term, the COVID-19 cloud may have the silver
lining of having driven digitisation forward in great leaps for
many firms. But expedited digital change can of course bring
massive risks along with it.
As previously set out, the ideal of employees only using company
terminal equipment may not be achievable, so this should be the
first point of security triage.
“In the short term, demand for company laptops may well be
outstripping the company’s ability to supply them. In recognition
of this, the ability to enrol and securely manage employees’ own
devices, or any new ‘endpoints’, is a matter of urgency,” advises
Mark Roberts, partner for Defence and Cyber at Capita Consulting.
“And in doing so, organisations need to address thorny issues
like privacy, data ownership, acceptable use and vulnerability
and patch management.”
Roberts also urges firms to face the reality that if suitable
solutions for the new normal are not provided, “the natural human
desire to do a good job might result in people adopting their own
alternative solutions or workarounds”. As Part 2 of this feature
highlighted, video conferencing and instant messaging are areas
of particular danger.
Confront and quantify risks
Lest we forget, the Accountability Principle is at the heart of
the GDPR (and other data protection regulations modelled on it).
Data controllers are ultimately accountable for only using
trustworthy data processors to work compliantly on their behalf,
and for paying close attention to regulatory roles and
responsibilities in any multi-processor arrangements they enter
into. Time may be short, but firms forced to adopt
third-party (and even mass market) tools faster than they would
like must not neglect their due diligence (and ongoing
monitoring) obligations, ensuring that Data Protection Impact
Assessments are carried out where necessary. (In fact, best
practice dictates that they almost invariably are, so that potential
high risks to data subjects’ rights and freedoms are not
overlooked.)
A certain amount of heightened risk may be inevitable and, as
Roberts observes, “There is no such thing as risk-free or being
totally secure. Organisations need to be clear on how much risk
they are prepared to accept.” Rather than aiming to eliminate
risk completely (which would probably mean shutting up shop), the
onus has to be on recognising and managing it.
“Like everyone at present, wealth managers need to make pragmatic
decisions, so it’s about intelligent risk when working with new
suppliers,” says Sorcha Lorimer, CEO of Trace AI, a software vendor
for data protection compliance. “Make sure you know what risks
you are taking: read the terms, confront worst-case scenarios and
use a model to frame making informed decisions. We’re seeing a
lot of use of our smart processor assessment tools currently,
which is encouraging on this front.”
Don’t neglect documentation
As in other areas, collaboration and an acknowledgement that
compliance is a “moving target” are key, she continues: “Data
protection regimes intend to make compliance real and ‘alive’ as
a culture, so the authorities want to see key documentation like
Data Privacy Impact Assessments being iterative, discursive and
collaborative.
“It is also vital to update privacy notices, processing records
and consent documentation to take account of any new processing
operations and third-party technology. Data protection compliance
hinges on robust documentation: if it isn’t documented, it isn’t
done.”
Another vital GDPR concept is that of “privacy by design and by
default” (Article 25), which means careful risk assessments and
privacy champions being brought in before any new projects or
processing operations commence. Remediation may well be a current
reality for many, but firms can take heart from the fact that the
concerted efforts they evidence can serve as mitigation if
breaches do come to pass.
A significant barrier here will of course be the prevalence of
static documentation at even large organisations (for which, read
scores of disconnected Word files and Excel workbooks for things
like Article 30 Records of Processing Activity). As such, over
the long term, we can expect migration of data governance and
compliance to Software-as-a-Service tools to mirror that already
seen in activities like client onboarding, where multiple
handoffs between highly dispersed teams are also necessary.
Reinforce the “weakest link”
Despite - and in fact because of - the very alarming security
threats facing wealth managers, Roberts urges firms to strike a
careful balance between strict protocols and maintaining a caring
tone with employees. “Reinforce a security culture where everyone
knows what they should do and recognises its importance, but
where staff also feel supported and assisted in the new working
environment,” he says. “Minimising the threat to your
organisation depends on taking immediate action in the event of
an attack or lapse of judgement. This situation is difficult for
everyone and it’s vital that personnel don’t feel hesitant about
alerting their manager or IT team if they’ve made a mistake.”
Today’s tortured circumstances create acute vulnerability to
social engineering cyberattacks which bad actors are jumping to
exploit. Penetration testing and corresponding training covering
spear-phishing should have already been part of the technical and
organisational measures taken to ensure compliance with the
security obligations under Article 32 of the GDPR. But now
“smishing” (the mobile version) is on the rise, creating
further alarm around the use of employees’ own devices and novel
communication channels. Pertinently, the French Data Protection
Authority, the CNIL, has taken the view that employers are
responsible for the security of company data stored on devices
that are not their own, including an employee's personal
device.
Now is the time to consolidate employees’ understanding - and
update policies - to take greater account of remote working, the
experts say. “Our people are our weakest link, so start with
immediate interventions here,” says Roberts. “Remote working
policies need to be clear and include easy-to-follow steps that
let employees make their home-working environment secure.” As
Part 2 of this feature explained, the dangers are many, spanning
technical, physical and human weaknesses.
The world being temporarily “on pause” may in fact present a
perfect opportunity to sharpen staff up on data protection. “It’s
so important to keep engaging staff when working remotely; we
just need to find new ways of doing that,” says Lorimer. “With
data protection issues in the headlines every day, there might be
no better time for creating interactive policy suites and rolling
out customised online learning programmes.”
Technical measures
IT security teams must have their hands particularly full at
present, but much depends on them rapidly evolving existing
measures and introducing new ones to take into account mass
remote working. It is easy to miss things in challenging times
and here Darren James, technical lead at Specops Software,
advocates the following as the start of a data protection
checklist.
“First is ensuring only the right people are given access to the
data. This sounds simple, but mistakes are often made here.
Second is where data is accessed from, particularly if employees
are stranded away from home. Cross-border transfers can present
huge compliance risks where certain countries are concerned, so
conditional access and geo-blocking some locations may be
wise.
“Third, choose carefully how employees access data, whether that
be via a Virtual Private Network, a remote desktop or cloud, and
with the latter be especially careful to ensure service providers
meet your standards.
“Lastly, consider how you allow data to be handled and don’t
neglect physical dangers. Will you allow printing or screenshots
to be taken? Are privacy filters provided to shield data from
prying eyes?”
As a password specialist, James also highlights under-appreciated
dangers here. “Users also face genuine problems with password
expiry and notification of password expiry - especially with
their corporate active directory accounts [those providing access
to network resources]. Native tools don’t really give
administrators a lot of options, so a user’s risk of being locked
out of their accounts for an extended period of time is much
greater than in the past.” Data protection is as much about
accessibility for those authorised as it is about keeping those
with nefarious intent out.
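A script of the kind an administrator might use to get ahead of the lockout problem James describes, written here as an added example (not code from Specops Software or this article): it lists Active Directory accounts whose passwords expire within a set window so that remote staff can be warned before they lose access. It assumes the RSAT ActiveDirectory PowerShell module and a domain-joined session; the OU path, warning window and mail settings are placeholders.

```powershell
# Added example, not Specops' or the article's code. Reports enabled AD accounts
# whose password expires within $WarnDays so remote users can be warned in time.
Import-Module ActiveDirectory

$WarnDays   = 14                                      # placeholder warning window
$SearchBase = 'OU=Remote-Staff,DC=example,DC=local'   # placeholder OU

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute that already
# reflects fine-grained password policies, unlike PasswordLastSet + maxPwdAge.
$users = Get-ADUser -SearchBase $SearchBase `
    -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'" `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', mail, PasswordLastSet

$now = Get-Date
$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 means "must change at next logon"; Int64.MaxValue means "never expires".
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [Math]::Floor(($expires - $now).TotalDays)
    if ($daysLeft -le $WarnDays) {
        [PSCustomObject]@{
            User     = $u.SamAccountName
            Mail     = $u.mail
            Expires  = $expires
            DaysLeft = $daysLeft
            Expired  = ($daysLeft -lt 0)   # already locked out of new logons
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Optional: warn each user ahead of expiry via your own relay (placeholder host).
# foreach ($r in $report | Where-Object { -not $_.Expired -and $_.Mail }) {
#     Send-MailMessage -To $r.Mail -From 'it@example.local' -SmtpServer 'smtp.example.local' `
#         -Subject "Your password expires in $($r.DaysLeft) day(s)" `
#         -Body "Change it while connected to the VPN before $($r.Expires)."
# }
```

Run it on a schedule from a management host; accounts that appear with Expired set to True are the ones that will need a help-desk reset rather than a reminder.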
A holistic view of data protection
Unpleasant though it may be, with great uncertainty ahead, thought
must also be given to the suspension or termination of
employment. “If someone does leave the organisation then their
access must be removed in a timely manner, and any company
devices that they may have should be securely wiped,” James
cautions. “That is of course complicated by remote working in
itself, but also by the Bring Your Own Device scenario, in
particular global wipe versus selective wipe.”
Best practice in data protection calls for thinking that
encompasses the entire lifecycle of the information the
organisation handles. Just so, the adaptation of policies and
practices for a new working from home paradigm calls for a
holistic view of the technical, physical and human factors
involved, and on a whole lifecycle basis too.
This piece has only scratched the surface of the dangers and
safeguards that wealth managers should be thinking hard about
during this most challenging of times. It is to be hoped that
robust data protection and information governance are already in
place and need only to be adapted and built upon. With all the
other pressures institutions and their employees are under, this
is certainly no time to be starting from scratch.