Only some data was secure

NIK about remote work in public institutions

The Covid-19 epidemic declared in Poland in March 2020 put public institutions in a difficult position. Protecting employees and maintaining the business continuity of public institutions required an immediate change in how work was organised, which in turn posed new threats to the data gathered and processed in those entities.

The NIK audit showed that, despite the legislation in force, from January 2020 to December 2021 half of the audited public institutions introduced no system for managing data security during work from home. The regulations that were actually in force covered only personal data. Some institutions even failed to follow their own rules on working from individual operating-system accounts, encrypting the hard drives of company computers, or handling external data storage devices.

The Chancellery of the President of the Council of Ministers monitored neither the scale of remote work in public institutions nor the degree to which mobile data security was provided.

Working from home by number of entities

142 public administration units:

  • 17 - working in the office only
  • 19 - less than ¼ of employees
  • 19 - from ¼ to ½ of employees
  • 38 - from ½ to ¾ of employees
  • 49 - over ¾ of employees

Source: NIK’s analysis

The data obtained in the audit also made it possible to determine the scale on which company and personal computers were used for work from home.

Number of entities where part of remote employees used company or personal computers

Use of company equipment:

  • 8 - not using computers
  • 29 - less than ¼ of employees working from home
  • 34 - from ¼ to ½ of employees working from home
  • 22 - from ½ to ¾ of employees working from home
  • 32 - over ¾ of employees working from home

Use of private equipment:

  • 50 - not using computers
  • 23 - less than ¼ of employees working from home
  • 12 - from ¼ to ½ of employees working from home
  • 17 - from ½ to ¾ of employees working from home
  • 23 - over ¾ of employees working from home

Recommendations in place of law

Under the law, public institutions must ensure the security of all categories of data they process. The entities audited by NIK, however, focused mainly on personal data security. In half of the audited institutions an information security management system was neither developed nor implemented. NIK underlines that such a system should define procedures for each type of information processed.

After the epidemic was declared, the Chancellery of the Prime Minister published recommendations online on improving information and communications security in the public administration. They covered, among other things: securing the home Wi-Fi network, implementing a VPN, two-step verification, creating backup copies, avoiding public open Wi-Fi networks, not using private email addresses or social media groups for company communications, complying with the employer’s guidelines, and using only company equipment (laptops and phones) while working from home.

Those were only recommendations, though. As a result, the Chancellery of the Prime Minister verified only to a limited extent how public institutions applied them. It also had no information on the scale on which public institutions had introduced remote work or whether they provided mobile information security.

According to NIK, if the Chancellery of the Prime Minister gathered data on the scale of remote work and mobile data processing in public institutions, and on the technical and organisational solutions applied, threats could be identified earlier. That would make it easier to issue additional warnings and recommendations and thus raise the level of cybersecurity.

According to data from the Cybersecurity Department of the Chancellery of the Prime Minister, 388 security incidents took place in the public administration in 2020 and another 287 in the period up to August 2021. The data is incomplete, though.

Data security

The introduction of remote work in public institutions required equipping employees with proper tools to work from home and updating data security management systems. Some of the institutions audited by NIK were not prepared to implement such changes immediately.

Initially, the focus was on social distancing and reducing contact among employees. A rotation-based system was introduced in which groups worked in shifts: one day in the office, one day from home, but without access to the information and communications systems. Since the audited institutions had no technical solutions ready to provide such access, the officials’ remote work amounted to taking part in conferences and training programmes and preparing general documents, without access to the institution’s internal networks.

In 2020, in the 10 public institutions audited by NIK, nearly 73% of employees worked remotely at their employer’s request and 9.5% on their own initiative. In the following year of the pandemic the proportions were quite different: only 47.5% of employees worked from home at their employer’s request and 12.5% on their own initiative. In the audited period, some persons in quarantine or isolation also worked from home.

The basic channels for transmitting the information needed for remote work were electronic mail and an encrypted VPN connection giving access to the remote desktop of company computers located on the institutions’ premises.

Attachments containing personal data had to be encrypted and password-protected, with the password sent to the addressee via a separate channel (e.g. by phone or SMS). Three entities allowed the use of private email accounts for business purposes, and two of them defined conditions for doing so, one being the written consent of the data administrator or the IT systems administrator.

Where information was processed during work from home over encrypted VPN channels, five public institutions allowed only the use of company equipment. The remaining five accepted the use of private computers under certain conditions, such as an up-to-date operating system, an installed anti-virus programme, and an individual account and password compliant with the policy adopted in the given institution.

The information security solutions applied to work from home certainly helped raise the level of data security. How much, however, is hard to say, because the heads of those institutions could not properly assess how effective the solutions were. In the audited period only three of the 10 institutions commissioned an external audit of IT system security. Some entities commissioned an internal audit and included its results in their risk analyses. Two institutions carried out no review in that area at all.

NIK also has reservations about the training organised by the audited institutions. NIK takes the position that their employees did not have complete knowledge of the information security threats of working from home or of the methods for preventing their consequences. Employees gathered such information mainly through self-education, e.g. from materials provided by employers. Only two institutions organised training on connecting securely to the institution’s internal network. Two other entities held no training at all throughout the audited period; they only gave instructions to employees collecting company equipment for work from home.

NIK recommendations

To the Minister of Digital Affairs:

Information should be obtained from public administration units about the scale of using information and communications systems while working from home and about applying guidelines and recommendations issued by the Minister.

To public administration units:

Public administration units should make a review of their internal regulations in the information security area and modify them so that they are not limited to personal data protection.


Article information

Made available by:
Najwyższa Izba Kontroli
Date of creation:
31 August 2022 13:18
Date of publication:
31 August 2022 13:18
Published by:
Marta Połczyńska
Date of last change:
31 August 2022 13:53
Last modified by:
Marta Połczyńska