Data protection compliance for organisations has been put to the test over the past couple of weeks as many employees settle into the routine of working from home.
As if it wasn’t already a struggle for many to maintain compliance before COVID-19, it is now even more important they are aware of the potential risks. Coronavirus does not change the fact that employers must still ensure the protection of personal data and the protection of individuals rights.
Britain’s data watchdog, the Information Commissioners Office (ICO) says it understands the challenges businesses may be facing during this pandemic. Even if they were to take a more flexible approach, it is simply not the case that organisations can just sit back and do nothing.
Employers are collecting a considerable amount of personal data which will fall within ‘special categories of personal data’ and which is subject to stricter compliance requirements. Put simply, employers must protect the health, safety and welfare of its staff, so this means more data.
Data security risks
Data security risks have risen significantly with the increase in employees working from home. Not only is this down to human error (although that is the most common form of data breach), but also includes fraudsters looking to exploit the vulnerability of businesses.
The fallout from coronavirus-related breaches may not become clear for weeks, months or even longer. Here are the top security issues to consider if you now find yourself working from home:
Using online video calls and video software
Zoom is just one of several popular online conference tools that employees have been using to stay connected. But all screensharing apps have vulnerabilities if not used correctly and the right security protocols are not adhered to.
Meeting calls that are not secured by a password can be easily attacked by hackers. Businesses must ensure their teams only send meeting invitations with an associated password – especially if it contains sensitive information.
This includes financial spreadsheets, HR files and CRM databases. This will also limit the risk of a data breach. The use of a strong password created by a random password generator will help to provide a link which cannot easily be hacked.
Using company equipment
Most employees will have been loaned computers and other devices to use while working remotely. Companies need to carefully consider potential risks and understand how they can be mitigated.
If employees are not using a virtual private network (VPN) to access shared company assets, then maybe now is the time to do so. Home Wi-Fi networks are not likely to be as secure as a work network. Using a VPN will help to protect the connection, otherwise, this could leave services exposed to hacking and allow unauthorised access to data.
Another common risk is the standard of PC security software. Employees may find their home PC is faster than the work laptop they’ve been given to use. Maybe they have used a USB stick to transfer large files back and forth between the PCs to speed things up. Clear protocols must be in place to prevent such practices.
Whether it is web security gateways, cloud security defences, encryption, or anti-malware applications, the reality is that significantly fewer of these are likely to be available at home or, if they are available, they could be poorly configured.
The use of one-time codes sent to trusted phones, or using a one-time PIN generation app, can help.
Human error
With over 90% of cyber data breaches down to human error, you can reduce the risk of breaches with effective training. In turn, this will avoid fines from the Information Commissioner’s Office and the potential reputational damage that follows.
Ninety percent of the 2376 cyber-breaches reported to the ICO last year were caused by end-user mistakes. With the rise in home working, this figure is likely to rise dramatically over the coming months.
Sending emails to the wrong recipients, downloading a malware-infected attachment or failing to use a strong password are all ways that human error could ultimately lead to a data breach. Many of these lapses in judgement happen due to lack of knowledge because the employee is tired, distracted or not paying attention.
Witten by Amanda Evans – Head of PR, iCaaS