We are all aware that the unexpected and immense move towards home working undertaken as a result of the Covid-19 pandemic has presented a variety of challenges to organisations across every sector. Some of these can be managed relatively easily by implementing business continuity plans, such as establishing regular contact with staff and customers. Others will require new procedures that evolve as organisations encounter new and unexpected complications. Throughout, it must be borne in mind that this cannot simply be a temporary fix, given the government’s view that it could be up to six months before ‘normal’ life resumes.
Whilst there is plenty of advice on managing employees who work remotely and on how they can manage the practicalities of working from home, stress levels experienced by employees and managers alike will be significantly higher than usual, as each deals with personal as well as professional challenges. This may result in a decrease in workload but also, importantly, substantially increases the risk to the security of personal data and confidential information now processed outside of the secure office environment.
Risks to data security emanate from a variety of sources, most commonly human error. However, scams and cyber attacks have significantly increased over recent weeks, becoming ever more convincing to their targeted recipients. It is conceivable that this increase, combined with the likely decrease in supervision and potential reduction in contact between colleagues, could result in an increase in data breaches or hacking of an organisation’s confidential information, as well as significant financial risk where funds are regularly transferred.
So how can you assist your employees and ensure appropriate security methods are adopted at home?
- If not using the organisation’s equipment, ask employees to specify what devices they are using.
- If necessary, require employees to encrypt personal data and confidential information before sending, and to confirm the intended method of encryption beforehand.
- Issue reminders to update usernames and/or passwords.
- Require employees to safely store sensitive manual files and paper documents until they can be returned to the office for shredding.
- Advise all employees not to use a speakerphone or conduct work-related conversations in the presence of smart speakers or home surveillance (e.g. Alexa Echo, Google Home, Siri, Ring) and to be mindful of others who may have access to their screens.
- Where possible, require opt-out of cookies each time an employee uses video-conference applications.
- Update internal policies for remote working and data privacy, and ensure these are circulated to all employees and referenced in online team meetings.
As for the organisation, it goes without saying that, if this has not been done already, it should consult an information security professional to ensure it is properly equipped to maintain good cybersecurity. Such consultation is likely to include reference to the following:
- Include warning labels on incoming emails that originate from outside of the organisation.
- Where possible, equip employee devices with remote access capability, relevant software, and up-to-date manufacturer software updates, via a virtual private network (VPN).
- Ensure multifactor, two-step authentication is required for employee remote access.
- Clarify with employees which systems and devices are permitted, and identify and specify the particular information and documents that require careful handling.
The recent statement published by the Information Commissioner’s Office confirms its understanding that the processing of personal data may be affected by the needs of an organisation when addressing the impact and attempting to limit the spread of Covid-19, and although this gives some comfort to organisations, maintaining adequate security measures remains imperative. Save for certain understandable delays, for example in the response to individual requests, the processing of personal data carried out by organisations on a daily basis must continue to be undertaken within the confines of the GDPR.
In conclusion, although the sudden move to remote working comes with a new set of challenges for many organisations, a careful and thoughtful approach in responding to issues as they arise will allow these organisations to continue to adequately limit risks to the data processed by employees, with the added benefit of future-proofing those business continuity plans for any similar future event.