September 20th, 2021, sees the lifting of the recommendation for remote working from home here in Ireland that many of us have embraced and made our own. The very thought of going back into hours of traffic with early rises and late back home sends chills down many a spine.
Despite the relaxation of Covid 19 restrictions, it seems there are companies out there that are in no rush to get everyone back to the workplace and want to make remote working or a hybrid model work.
However, unless the company has made a real effort to look at how remote working affects its IT and data security, it may be facing an increased risk of data breaches, along with the increased costs that come with employees working from home.
A recent study carried out by Ponemon Institute along with IBM Security based on what they call “real-world” data breaches, looked at 500 companies worldwide and found that the average cost of a cyber incident is now at $4.24 million per incident.
And when they had a closer look, they found that organisations where remote working was involved had a higher average cost of just below $5 million. Makes you think, doesn’t it?
If your organisation is embracing remote working for the foreseeable, we have put together some points worth considering for the protection of personal data.
In the rush to working from home, many employees grabbed their laptops and screens and just hoped for the best. Their employers also hoped for the best and prayed that their security would keep up with these rapid IT changes.
A risk assessment in these instances is always recommended. Employees should be asked to carry out a risk assessment of their home working space: what their physical space is like and what equipment they are using. Employers should also focus on the security of those devices and on which applications and networks the employees have access to.
Is a risk assessment done now, eighteen months too late? Not in our opinion. Reviews of the remote working situation and its security should be undertaken on a regular basis, so even if one was completed in 2020, now is the time for a review.
Stolen user credentials were the most common cause of breaches according to the Ponemon/IBM study. Combined with customer data being the most common type of data exposed in breaches (44%), this could be a lethal combination for any business.
Regularly changing passwords, not using the same passwords across multiple applications, never using the same passwords for personal and work devices, and using multi-factor authentication to gain access to work applications are all necessary password security practices.
Phishing is an attempt to steal financial information by sending an email or message that purports to come from a trusted source and dupes the victim into opening it.
The damage occurs when the victim clicks on a link or downloads an attachment in that message or email. This may infect their computer with a virus, or it may encourage them to change passwords or to part with financial information.
Remote working employees need to remain particularly vigilant when dealing with email security. A “no-trust” approach should be considered by employers, with extra security steps incorporated into procedures. Employees should be informed about phishing attempts and given any information that will help them to recognise one.
Company issued devices are generally the most secure option for remote working, as these can be supported and updated remotely. Extra security features can be installed such as multi-factor authentication for remote access. This is particularly important if you process special category data.
But sometimes a company issued device isn’t possible (for any number of reasons) and employees are required to access company software on their own devices. While this is not ideal, employers should at least require multi-factor authentication for remote access.
It is also important that business and personal data never cross over, which is a real risk when using personal devices, not to mention the anti-virus and firewall requirements.
Bottom line: if your employees are still using their own devices 18 months into remote working, lady luck may run out soon. It’s time to rethink your security strategy.
Sensitive Personal Data
If your organisation is in the business of routinely processing any of the categories of data that fall under the heading ‘sensitive personal data’ (for example health or medical information, racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership), then consideration must be given to the restrictions that are required for such processing.
Some organisations have a strict policy of sensitive personal data only being processed on-site, which is understandable given the implications, should they be involved in a breach.
Paper and Files
Has your business a paperless office? If so, then you can skip happily on to the next point, because thankfully you are exempt from this concern. However, if (like many businesses), you have a love of paper that is so strong it is deep in your culture and part of your soul, then sadly we need to talk.
If it is necessary to remove physical files from the office into a remote working environment, then it is necessary to have strict policies in place around how this is managed. There must also be a method for tracking the movement of files so there is accountability at all times.
Where it is necessary to use paperwork in a remote work setting, it is equally necessary to consider how that paperwork is disposed of. Confidential waste bins will not easily fit between the fridge and the cooker, and the reality is that the buck will stop with the employer for any breaches that occur.
Policies & Procedures
In the event of an investigation into a breach, the Data Protection Commission will look to see what policies and procedures are in place for employees to follow. Employees need guidelines to ensure that remote working works. Policies around security and data protection need to be updated (or drafted!) to account for the different work environment and its challenges.
Once all policies are updated, they should be rolled out to employees and training provided. This is a vital step in the remote working process, as your business is reliant on your employees to get it right. GDPR in practice, understanding what a data breach looks like, and knowing what to look out for in phishing emails are all remote working 101.
When we talk about compliance monitoring, we don’t mean remote monitoring technologies (it is important to know, however, that a DPIA needs to be carried out if that is something being considered), but rather the methods that can help provide assurance that standards continue to be met in the remote working environment.
It may sound simple, but a good ol’ checklist to ensure that compliance requirements are adhered to on a weekly, monthly, half-yearly and annual basis really does form the basis of good compliance.
Accountability is key for any organisation that wishes to continue with remote working. It applies to employees but sits on the shoulders of the employer. Building a good compliance regime is vital in any remote working environment.