Remote work: cybersecurity challenges
The adaptation of work to the remote model presents great opportunities and benefits for both companies and their employees. However, this new way of working is not risk-free, and the security of the information and data used by workers is particularly relevant.
Mexican labor legislation establishes an obligation of employers to implement mechanisms to preserve the security of information and data that are processed by workers who are in the modality of remote work or teleworking.
However, what could these mechanisms be or what criteria should be followed for their selection? Everything will depend on the type of information and data being processed, the risk to which the information is exposed and the consequences that could result from its violation. The consideration of these factors is mandatory in determining the security measures to protect personal data.
To this end, the relevant regulations provide for the preparation of an inventory of personal data and the assets involved in their processing and storage (e.g., personnel, processes, hardware, software, networks, telecommunications, etc.), as well as a risk analysis thereof, in order to select and implement security measures to mitigate any incident, considering the measures already in place against those that would be convenient or necessary to implement.
Among the actions foreseen to establish and maintain the security of personal data, the establishment of internal policies and the training of employees are contemplated, so that they are aware of the guidelines and criteria applicable within the company with respect to information security.
To put the above in a more graphic context, we will address the use of the employee’s own devices for the performance of their work (e.g., smartphones, laptops, tablets, etc.), either to read and answer institutional emails, access company databases, interact with customers and suppliers, etc. This practice is increasingly common and is known as Bring Your Own Device (BYOD).
Notwithstanding the advantages offered by this practice, it is important to consider and manage the risks involved in the security of the company’s information, such as the loss of information due to viruses, damage, or theft of the device, or even the eventual termination of the employment relationship.
In this sense, it becomes relevant to design and implement a BYOD policy that regulates access to company resources through workers’ personal devices. These policies usually include the installation of minimum elements, such as passwords, antivirus or database encryption, actions to be taken in case of lost or stolen devices, among others.
It is also advisable to have procedures for encrypting and encoding information. Encryption makes it possible to encode information in such a way that it is neither intelligible nor manipulable by third parties. This is especially suggested in the treatment of sensitive personal data (religious beliefs, health status, sexual preferences, etc.).
Other procedures that are considered indispensable are those related to the use of technological resources and incident notification. The first aims to regulate the proper use of equipment, institutional e-mail, internet, cloud computing services or any other company resource; and the second seeks to establish a protocol for action in cases of security breaches.
The implementation of a comprehensive security management system not only allows companies to comply with their labor and personal data protection obligations, but also to mitigate risks inherent to their operations and thus guarantee the continuity of their business in the event of possible incidents.
Related News: Cyber frauds
On October 26, 2022, the National Guard published the most common fraud modalities in order to alert the population, namely: free subscriptions with malicious codes; false communications with the aim of confusing users; alarming emails to obtain personal or financial information; free services (smishing) that offer prizes when entering a fraudulent link; spam emails with malicious files; attractive offers that are often unrealistic and can lead to theft; and apocryphal pages (phishing) that request donations or information.
In order to avoid being victims of online fraud, the National Guard recommends the following measures, among others: use cards exclusively for online purchases; navigate through secure connections and sites; update devices used for banking operations and keep antivirus installed; validate the description of the products or services to be purchased; use your own devices to make online purchases; purchase on recognized or reputable websites; provide only strictly necessary data; and activate bank card purchase notifications.
________
TMT Area ECIJA Mexico