GTN Global Mobility Tax Blog - News and Notes

Data Privacy and Security in Global Mobility

Written by Craig Dexheimer | September 17, 2020

With many employees now working remotely or working from home, is your organization ensuring the same level of data security that you would enforce if employees were working in a physical office location? The COVID-19 pandemic has caused major business disruption and forced many companies to shift their culture and move towards a new way of working. With that has come new procedures for business continuity and recovery planning that may not have been considered before.

Sudden business disruption and the impact on data privacy and security

In a recent article by CNN, between 2017 and 2018, less than 30% of workers had the option or ability to work from home. But now, despite the relaxing of the stay at home orders that were enacted in March 2020, more of the workforce is still working remotely, making it difficult to ensure proper processes are in place with regards to data privacy and security.

Data privacy and security has always been an integral part of any business. Ensuring the proper protocols are in place to protect not only sensitive client data, but also company and employee data is essential. Most companies likely have enterprise strength anti-virus software installed on employee computers, confirm current and supported operating systems are installed, and enforce controls like two-factor authentication and virtual private network (VPN) connections to ensure an extra level of security. However, with this recent shift in having more employees working remotely, many companies have struggled to ensure enough security measures have been put in place.

With security measures lowered, companies may be more vulnerable to hackers and viruses, and may ultimately have a far greater risk of compromising their own data along with employee and client data. Even large corporations with extensive data privacy and security teams and budgets, like Twitter, Marriott, and Garmin, have recently fallen victim to these types of attacks. So, as we see an increase in the number of people working remotely, it is even more important to have heightened procedures in place. Equally as important is having regular dialogue with your employees regarding security risks and their part in identifying potentially suspicious activity.  

How businesses had to adjust for inadequate infrastructures with employees working remotely

Many firms were caught off guard with the mass migration to home office working due to the fact they had an inadequate technology infrastructure or licensing to support a much larger number of users working remotely. These firms had to:

  • Add, replace, or upgrade firewalls and internet bandwidth to increase their capacity to handle the larger number of connections and the increased amount of traffic into their networks.
  • Order additional VPN licenses for their firewalls to accept a larger number of connections.
  • Update or upgrade two-factor authentication applications to support the larger volume of remote users.
  • Order more laptops and peripherals such as monitors. As companies started purchasing more computing equipment for their employees, it created a temporary shortage in availability thus delaying the transition of some employees to working from home.
  • Provide additional training for office staff that had never worked from home and needed a crash course on how to connect a VPN and "the do’s and don’ts" of working remotely.
  • Ensure adequate and safe home networks and internet connections to support users working from home, especially in the case of multiple people in the household working remotely or kids who may now be taking online school classes.

Many of these actions were things companies may not have thought about or planned for until they were forced to do so.

Measures you can take to ensure business as usual through sudden business disruption

In order to ensure your company is ready for a sudden business disruption, spend time now planning and preparing by asking a few questions:

  • Do you have the proper data privacy and security processes in place to handle a sudden business change?
  • Is your technology environment ready to pivot quickly and securely, if needed?
  • Are you regularly testing your security controls to confirm they can be adapted?

Further steps to consider include:

Help prepare your employees for a sudden business disruption

A sudden business disruption will involve changes to an employee’s normal routine. Helping employees navigate this type of sudden change can be key to keeping your client and firm data safe and secure. As employees continue to work remotely, take steps to ensure they are properly prepared with the right technology equipment and continue to practice safe computing habits—e.g., creating strong, secure passwords; reminding them that even though they are at home, they should still lock their computer when it is not in use; alerting them to best practices for handling files they receive from outside sources.

Focus on strengthening your core data security systems and protocols

Develop a lifecycle plan to keep your perimeter equipment up to date including the replacement of old outdated equipment. This plan should also include performing regular testing of your perimeter defenses through vulnerability testing and testing your security systems and controls to make sure they are working properly. Consider hiring an independent third party to perform such tests as this will ensure you get an honest evaluation of your security controls and perimeter defenses. Creating a strong technology core will allow your firm to pivot and adapt quickly whenever a disruption occurs.

Confirm preventative tools are in place and working

Make sure you are running an enterprise level anti-virus on all computers, even employees’ personal computers if they use them for work related tasks. Ensure you are running a current and supported operating system on all your computers and that it is up to date with vendors patches. Older operating systems or ones that are not properly patched run a risk of having vulnerabilities that could be exploited, thus giving a hacker access to your network.

Ensure business continuity plans are in place and up-to-date

Business continuity planning ensures you have systems of prevention and recovery that deal with potential threats to a company, enabling the ongoing operations before and during execution of disaster recovery. Your business continuity plan should have routine risk analysis and regular maintenance and upkeep so you can maintain “business as usual” in the event of sudden business disruption.

Build an employee culture dedicated to the security of your firm

Have regular training sessions with your entire firm taught by your Data Privacy and Security Officer or your Information Technology leader. Reinforce the importance of data security; why it is not only important to your company and client data, but also to your employees’ data. Have discussions and break-out sessions with teams to provide them with opportunities to ask questions, bring up their own real-life examples, and offer alternative perspectives.

By placing emphasis on your organization’s data privacy and security, you can establish a culture that will set you and your employees up for success and can ensure minimal disruption and vulnerabilities from a sudden business disruption.

Don’t forget about the vendors that work with your employee and business data

Finally, while you are making sure your own business has strong data privacy systems in place, don’t forget to talk to the various vendors you work with. In the mobility industry, you likely work with tax providers, immigration firms, and relocation management companies. Are you sure each of these strategic vendors have the level of security measures in place to protect your company and employee data? They could potentially come in contact with your employees’ home addresses, bank account details, tax documents, and many other items that contain personally identifiable information. Make sure you are working with vendors that take the necessary precautions to ensure the safety and security of your business needs.

Download our Data Privacy and Security Questionnaire to evaluate your current vendor’s data privacy and security programs

While we hope pandemics like COVID-19 won’t happen again, recent events have taught us that we need to be prepared for anything. The risks your company and employees face if you are not prepared for such events could trigger a data breach or system failure. These events would far outweigh the cost and time that should be put into your data privacy and security measures. With proper planning, policies, and training, you and your employees will be ready for unforeseen situations and will hopefully encounter minimal disruption when they do occur.