There has been a flurry of activity from regulatory bodies regarding the robustness of organisations' contingency planning. Many organisations have included a working-from-home component in their contingency planning. This note details some considerations from a Data Protection and Document Security point of view.
With the onset of more people working from home due to the Covid 19 restrictions, unfortunately this does increase the risk of a data breach:
Working from home/Remote Working = Greater Data Breach Risk.
To mitigate these risks we would advise clients to ensure that the following matters are in place prior to rolling out remote access.
Please note that this advice concerns the use of laptops/desktops in the home; it does not give any guidance on the use of mobile smartphones and tablets, and the advice below is not exhaustive. And as always when it comes to IT, talk to an IT expert.
Device and Network Security
Laptops and desktops should be:
- Provided by your chosen IT provider
- Protected by hard drive encryption that is in place and active
- Protected by a strong login password
- Configured so that employees must enter a non-stored, strong password to connect at each session, especially for VPN access
- Kept up to date, with current software, anti-virus and anti-malware installed
- Used only by the employee: under no circumstances should laptops or desktops used for remote working be used by the wider household – no matter how many times the kids ask!!
- Connected only over a secure network connection and a secure VPN when working from home – your IT service provider should be able to advise
- Never connected to public Wi-Fi or an unsecured network
Email and software
Areas that may be considered in relation to email and software include:
- Logging on and using email should be arranged by your service provider, with two-factor authentication in place.
- Put passwords on attachments
- Enforce reasonable session time-outs for sensitive programs or applications.
- Limit program/file access to only the areas absolutely needed by that employee.
- Reserve the right to terminate employee access at any moment.
- Provide the software and storage services for remote file storage and other tasks; don’t rely on individuals to use their personal programs and accounts.
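The two-factor authentication and session time-out items above are the most mechanical parts of this list, so here is an added example (written for this note; it is not code from the original or from any IT provider) showing how a remote-access login could require an RFC 6238 TOTP code alongside the password and then expire the session after a period of inactivity or after a fixed maximum lifetime. The user store, the 15-minute idle limit, the 8-hour absolute limit, the sample secret and the fake clock are all constructed assumptions.

```python
"""Added example for this note (not from the original): a minimal remote-access
session controller that enforces two of the checklist items above, a second
factor at login (RFC 6238 TOTP) and idle/absolute session time-outs.
The time-out values, user store and fake clock are constructed assumptions."""
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30               # seconds per TOTP time step (RFC 6238 default)
TOTP_DIGITS = 6
IDLE_TIMEOUT = 15 * 60       # assumed: log out after 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: re-authenticate at least every 8 hours
PBKDF2_ROUNDS = 100_000


def _totp_for_counter(secret: bytes, counter: int, digits: int) -> str:
    """HOTP (RFC 4226) value for one time-step counter, zero-padded to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = TOTP_DIGITS) -> str:
    """TOTP code for the 30-second step containing `unix_time`."""
    return _totp_for_counter(secret, unix_time // TOTP_STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side (clock drift),
    comparing in constant time so timing does not leak partial matches."""
    counter = unix_time // TOTP_STEP
    valid = False
    for drift in range(-window, window + 1):
        expected = _totp_for_counter(secret, counter + drift, TOTP_DIGITS)
        if hmac.compare_digest(expected, code):
            valid = True  # keep looping so the check takes the same time either way
    return valid


def make_user(password: str, totp_secret: bytes) -> dict:
    """Stored credential record: salted PBKDF2 hash plus the user's TOTP seed."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


class FakeClock:
    """Injectable clock so the time-out behaviour can be exercised deterministically."""

    def __init__(self, start: int):
        self.now = start

    def __call__(self) -> int:
        return self.now

    def advance(self, seconds: int) -> None:
        self.now += seconds


class SessionController:
    def __init__(self, users: dict, clock):
        self._users = users      # username -> record from make_user()
        self._clock = clock
        self._sessions = {}      # token -> {"user", "created", "last_seen"}

    def login(self, username: str, password: str, code: str):
        """Return a session token only if both the password and the TOTP code are right."""
        rec = self._users.get(username)
        if rec is None:
            return None
        now = self._clock()
        pw_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS),
            rec["pw_hash"])
        code_ok = verify_totp(rec["totp_secret"], code, now)
        if not (pw_ok and code_ok):  # both were evaluated, so a bad password still costs a TOTP check
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "created": now, "last_seen": now}
        return token

    def check(self, token: str):
        """Return the username for a live session (refreshing its idle timer), else None.
        Expired sessions are removed: the server-side equivalent of logging out
        when the laptop is left unattended."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["created"] > ABSOLUTE_TIMEOUT or now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```

The idle limit enforces the "reasonable session time-out" item, while the absolute limit bounds how long a stolen or forgotten session token stays usable regardless of activity; the `window` of one step either side is the usual allowance for small clock drift between the laptop and the server.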
Some considerations around where material is stored include:
- Clear guidelines around what information should never leave a secure environment, e.g. printing off financial information
- Get your service provider to establish access permissions that support these guidelines.
- Save material to where the organisation advises, e.g. OneDrive, a secure Dropbox etc.
- DO NOT USE USBs
- Have clear backup procedures for material saved locally. (I am assuming that adequate backup and restore is sorted for the organisation's data/systems.)
Clean desk policy – securely shred any confidential paper material that is no longer needed
When working from home, staff will have information belonging to your organisation in a household with people who are not company employees. This presents obvious challenges for remote workers, but ensuring that information is kept secure is of high importance. Some simple (low tech) measures may include:
- Try to have a space or office away from the kitchen table
- Do not work on or access your organisation's data while there is someone else in the room – remember the confidentiality of the Personal Data
- No written material should be left unattended – even for a cup of tea!
- Logout if you are leaving the laptop or desktop unattended – seemingly cats have a habit of jumping on computer keyboards and might press a few keys when a laptop is unattended!
- Adhere to a clean desk policy.
- Use locked drawers
- Have a secure paper shredding service in place for your employees.
If you have staff working from home / remote working, we are also offering Residential Shredding Bags in which they can place any confidential paper material that is no longer needed. This will reduce the risk of a Data Breach.
Your organisation must have clear and practical policies that stress the importance of data protection. Staff members using remote access should be reminded that all organisational policies still apply, such as:
- Data Protection
- IT security
- Clean desk
- Access to data
- Passwording of emails
Finally, one way to achieve data protection compliance for those working remotely is for the organisation to adequately and consistently express the importance of data security.