The COVID-19 pandemic caused massive disruption to the working practices of corporate Australia, commencing with a sudden and substantial increase in remote working in March 2020 as lockdowns were implemented. With this shift, enterprise IT was asked to rapidly enable and support millions of users in leaving the highly controlled “rockpool” of corporate systems for the “open water” of cloud-based collaboration tools and personal devices. Within a few short weeks, the safeguards that many organisations had carefully built over years to maintain their critical IP in singular, securely stored instances were broken down. Sensitive data was suddenly spilling out into the depths—multi-instance, synchronised and available on the personal mobile phones and laptops of staff working at home.
Had organisations had the time to configure the new devices and tools appropriately, these tools and personal devices could have been configured to enhance protection, but with IT teams working at such short notice and under such immense pressure a trade-off had to occur between the usual supervisions and controls that help prevent and detect IP crises and the need to accommodate the "new normal."
As we fast forward to today, it appears that the corporate working environment may be permanently changed. In March 2021, the Australian Bureau of Statistics (ABS) reported 41% of Australians were working from home at least once a week - nearly double the numbers prior to March 2020.
In this two-part blog series, we’ll explore some of the risks of IP being exposed in the open ocean, tips to investigate and recover lost IP, and prevention measures that organisations can implement to bring their data back to the safer shallows.
Those organisations who have not yet knowingly experienced data loss through online collaboration tools may be under the false impression they’ve miraculously avoided a crisis. However, as the pandemic in Australia loosens its grip on personal mobility and the economy recovers, there could be new and emerging insider threats—current staff who are potentially considering the value of the critical IP they have access to for personal gain, or future business ventures.
The Australian privacy regulator—the Office of the Australian Information Commissioner—has reported that the number of data breach notifications increased in 2020, and the number of breaches resulting from ‘human error’ rose by 18% in the second half of the year. This serves as a stark reminder that insider threats—both malicious and inadvertent—have increased in severity and frequency during remote work, and must be addressed to protect IP.
Organisations should carefully consider preventative and monitoring actions to ensure they maintain control and visibility of critical IP. Organisation should remember to apply the rule that “not all data is equal;” that is, different kinds of data will require different security controls to adequately address the varying levels of risk.
The Privacy Act 1988 (Cth) ("Privacy Act"), requires that private sector organisations take ‘reasonable steps’ to keep personal information secure. Generally speaking, this means putting in place solutions and processes to mitigate known risks (Australian Privacy Principle 11.1). Organisations are also required to destroy or de-identify personal information that they no longer require for a lawful business purpose (APP 11.2). Additionally, the Privacy Act includes mandatory data breach notification obligations, with strict timeframes (Part IIIC). In our experience working with organisations experiencing an IP crisis, management often find themselves facing pointed questions from regulators, especially when the data breach involves personal information.
Recovering exposed IP and preventing future loss often requires an in-depth investigation, and investigations into the loss of data from corporate collaboration solutions are already becoming commonplace among Australian enterprises. In part two of this blog series, we’ll discuss specific investigative tips and preventative actions that teams can take to rebuild the safe boundaries around their IP, even as many employees continue to work from home.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.
Managing Director, FTI Consulting
Tim De Sousa
Senior Director, FTI Consulting