As businesses start to return to ‘a new normal’, there are some difficult conversations to be had between employers and their staff. With a growing desire for flexible working across all industries, businesses have some critical decisions to make on the technology they are using and how they decide to operate long-term.
There are three key choices that all companies are facing right now: bring everyone back to the office when it is safe to do so, operate via a hybrid work model, or stay working remotely. Ensuring your IT security is set up correctly will be crucial to making the latter two options viable in the long term.
Data Protection Guidance for Companies
Companies are constantly being urged to strengthen their ability to protect their own data and that relating to their customers, or face sanctions imposed by the ICO, which can include substantial fines. The National Cyber Security Centre (NCSC) recommends that organisations follow a ‘defence in depth’ strategy to help protect against:
- Insecure or internet-exposed Remote Desktop Protocol (RDP) configurations
- Unpatched software and unsecured devices
- Phishing emails
- Remote workers accessing company systems from personal devices
Personal devices such as smartphones, tablets and laptops are often not configured to the same level of security when compared with corporate devices.
Guarding against the threats to data security in this rapidly changing work environment is a challenge, especially to the non-technologically minded. After all, your system is only as strong as its weakest link…
Returning to the office safely
Whatever the size of the business, there are things you will need to consider as a priority. Firstly, just how “safe” is the home environment your staff have been using? Whether they have one of your desktop systems or a laptop, it is entirely possible that their computer picked up malware while at home and will carry it back onto the office network, where it can be just as damaging to the business as COVID is to people.
Before these computers connect to the network, you will want to make sure you have scanned them for malware and carried out any remedial work, including:
- Updating all software
- Checking where backups have been going while the machine was at home and re-establishing the corporate backup connection
- Changing the default Wi-Fi network back to the office network
- Removing any other saved Wi-Fi profiles (unless they will be needed for hybrid working)
- Removing personal files and any non-work software that has been installed
- Re-establishing the printer connections
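The checklist above is the kind of pre-admission check that is worth scripting rather than doing by hand on every returning machine. The PowerShell script below is an added example, not part of the original article: it runs as an administrator on a Windows laptop before it is allowed onto the office network and reports on anti-malware state, patch level, disk encryption, leftover Wi-Fi profiles and unapproved software. The SSID allow-list and the approved-software patterns are placeholders you will need to replace with your own, and it assumes Microsoft Defender is the endpoint anti-malware product.

```powershell
# Added example (not from the article): pre-admission health check for a returning Windows laptop.
# Assumptions (hypothetical, adjust to your estate):
#   - $CorporateSsids lists the Wi-Fi profiles that may remain on the device
#   - $ApprovedSoftware lists wildcard patterns for permitted application names
#   - Microsoft Defender is the endpoint anti-malware (Get-MpComputerStatus / Start-MpScan)
# Run elevated. Exit code 0 = cleared, 1 = findings to remediate before the device joins the network.

[CmdletBinding()]
param(
    [string[]]$CorporateSsids   = @('Corp-WiFi', 'Corp-Guest'),                    # assumed SSIDs
    [string[]]$ApprovedSoftware = @('Microsoft*', 'Adobe Acrobat*', 'Google Chrome', 'Zoom*'),
    [switch]$Remediate                                                                # delete non-corporate Wi-Fi profiles
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Anti-malware state: real-time protection, signature age, last full scan
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is OFF') }
if ($mp.AntivirusSignatureAge -gt 3)    { $findings.Add("AV signatures are $($mp.AntivirusSignatureAge) days old") }
if (-not $mp.FullScanEndTime -or $mp.FullScanEndTime -lt (Get-Date).AddDays(-7)) {
    $findings.Add('No full scan in the last 7 days; a full scan has been started')
    Start-MpScan -ScanType FullScan -AsJob | Out-Null
}

# 2. Patch level: date of the most recent installed hotfix
$lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings.Add("Last Windows update installed on '$($lastFix.InstalledOn)'; run Windows Update before admission")
}

# 3. Disk encryption on the system drive
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $osVol -or $osVol.ProtectionStatus -ne 'On') { $findings.Add('BitLocker is not protecting the system drive') }

# 4. Wi-Fi profiles left over from home working (parsed from netsh output)
$profiles = netsh wlan show profiles |
    Select-String -Pattern 'All User Profile\s*:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
foreach ($ssid in $profiles) {
    if ($CorporateSsids -notcontains $ssid) {
        $findings.Add("Non-corporate Wi-Fi profile present: $ssid")
        if ($Remediate) { netsh wlan delete profile name="$ssid" | Out-Null }
    }
}

# 5. Installed software not matching the approved patterns (both 64-bit and 32-bit uninstall keys)
$installed = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                              'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
             Where-Object DisplayName | Select-Object -ExpandProperty DisplayName -Unique
foreach ($app in $installed) {
    $approved = $false
    foreach ($pattern in $ApprovedSoftware) { if ($app -like $pattern) { $approved = $true; break } }
    if (-not $approved) { $findings.Add("Unapproved software: $app") }
}

# 6. Report. A device with findings stays off the corporate network (e.g. on a guest VLAN) until cleared.
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: PASS - cleared for the corporate network"
    exit 0
}
Write-Output "$env:COMPUTERNAME: FAIL - $($findings.Count) finding(s)"
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

Run it without `-Remediate` first to see what it would change; with `-Remediate` it only removes Wi-Fi profiles, since reinstating backups and removing personal software are decisions an administrator should confirm rather than automate blindly. The same report can be fed into your device inventory so that you have a record of which machines were checked and when.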
If you allow employees to use their own devices, you will need to decide whether they still need to do this, or whether you return them to company equipment. If you do plan to let them connect to the office network via their own equipment, then all the measures mentioned above still apply, with a few additional things to consider:
- Is company information stored on the device?
- Is the device password-protected and encrypted?
- Does the IT department know it is on-site?
Staying secure if you continue to work remotely
Of course, there are many other things to consider if you plan to continue with remote working or adopt some form of hybrid working. These should include:
- Developing guidelines to prevent the loss of sensitive / personal information and remain GDPR compliant
- Educating employees on new security threats they may face
- Establishing operational workflows and incident response plans which take into account remote / hybrid working
- Improving staff IT security awareness and providing them with contact information so that they can alert the relevant person quickly in the event of any security threat they become aware of
- Ensuring only authorised devices are connected to the network
- Keeping patches up to date and developing and maintaining an inventory of devices, applications and patches
- Making sure your staff have strong passwords and considering adding multi-factor authentication to accounts
- Putting in place a Bring-Your-Own-Device (BYOD) policy
- Reviewing your access policies and role-based privileges to determine whether staff need the same access on or off-site
- Securing your network
- Updating data protection and security policies in line with the new way of working
- Using a zero-trust network model, with multi-factor or risk-based authentication, to restrict access
Changing the way we work also gives businesses a perfect reason to carry out a Data Protection Impact Assessment (DPIA). More generally, there is a lot of useful guidance on the NCSC website, including the safe use of personal devices and a Vulnerability Disclosure Toolkit.
From an HR perspective, key actions that employers can undertake in order to safeguard the security of their data include:
Data Protection – Update staff on their responsibilities under the GDPR whilst working from home, via training sessions, and ensure there are regular lines of communication so they can ask questions and report concerns.
Technology – Provide employees with the opportunity to take up technology training or computer refresher courses, as increased proficiency will reduce the risk of inadvertent data breaches.
Environment – Liaise with employees to identify those that share their home-working space with others and ensure that they are still able to hold conversations and attend virtual meetings without being overheard or overlooked.
Equipment – Ensure the confidential disposal of print outs / handwritten notes via the provision of mini shredding bins or use of remote collection services provided by confidential waste management companies.
So, whether you decide to work remotely some or all of the time going forward, this advice should help you plan your IT set-up correctly and improve the security of the data you have responsibility for. If you would like any more information or if you have any questions regarding the information discussed in this article, please get in touch.
Special thanks to our guest writer Sam Alford DPO, GDPR Consultant at PPP Management.