Managing risks for online programs

Many organisations adjusting to the new “normal” of operating during COVID-19 are looking to move their programs online using web conferencing software.

Online engagement presents numerous opportunities to extend the reach of an organisation and connect with communities. However, while the delivery of programs may look different in an online space, new and existing risks still need to be evaluated.

Preparation is essential. Before your first online meeting there are a few things to consider.

How to choose web conferencing software

The Australian Cyber Security Centre (ACSC) has produced a helpful information sheet [1] addressing Web Conferencing Security. When selecting a web conferencing product, it recommends considering the following:

Tip 1: Is the service provider based in Australia?

The use of offshore web conferencing solutions introduces additional business and security risks. For example, laws in other countries may change without notice, and foreign-owned service providers that operate in Australia may still be subject to the laws of a foreign country. In addition, service providers located offshore may be subject to lawful and covert data collection requests, and may access an organisation’s data without the organisation’s knowledge.

Tip 2: What is the service provider’s track record?

Look for a service provider that actively and quickly engages with their customers, advocates for data privacy rights and proactively addresses cyber security issues, such as having a vulnerability disclosure program.

Tip 3: Are privacy, security and legal requirements being met?

Before agreeing to a service provider’s terms and conditions, organisations should seek privacy, security and legal advice. In particular, pay attention to whether a service provider claims ownership of any recorded conversations, content or files that are created or shared.

You’ve chosen a conferencing product, what’s next?

Have your activities changed?

Many organisations are simply offering an online version of their normal business activities. If your activities are new or significantly different to your normal activities, it’s best to notify your insurance broker of your plans and discuss any potential gaps in cover.

Do you have a Client Protection Policy?

A Client Protection Policy outlines how the organisation will minimise the risk of harm to individuals and is particularly important if you’re working with youth or vulnerable people. While engaging with clients online, it’s important to continue to operate under your Client Protection Policy and include measures to cover new exposures if necessary. The adult attendees or educators who would normally be present should still be involved in youth meetings to ensure the meetings remain structured and don’t get out of hand.

Does your insurance cover cyber attacks or online meeting intruders?

If you use the internet and have valuable information on your digital devices, you may be at risk of a cyber attack. A cyber incident may result in denial of service, ransom demand, theft of data, public disclosure of personal information, etc. It’s important to check whether your policy covers these types of incidents and what additional benefits are provided. A cyber policy is designed to respond quickly following a cyber event, providing access to specialist consultants (for example, IT forensics and crisis management). In addition, the policy can assist with the cost of first- and third-party claims, business interruption and socially engineered theft.

It’s time to go online

When using a web conferencing solution, the Australian Cyber Security Centre recommends incorporating the following practices:

  • Configure the web conferencing solution securely
  • Establish meetings securely
  • Be aware of unidentified participants and only allow invited participants to join a meeting
  • Be aware of surroundings – using a private location will help maintain confidentiality
  • Be mindful of the potential private nature or sensitivity of conversations. It’s good practice to set expectations prior to a meeting, for example, whether the contents of the meeting will be recorded or made public
  • Only share what is required

For more advice on staying safe online, visit the Australian Cyber Security Centre website: cyber.gov.au

If you’d like more information about the cover provided by a Cyber Insurance policy, view our Cyber product page or contact us.

Source: [1] Australian Signals Directorate’s Australian Cyber Security Centre, Web Conferencing Security, publication, first published April 2020. <https://www.cyber.gov.au/publications/web-conferencing-security>