“We’ll help you solve
a tricky problem”
Millions of workers have experienced working from home for the first time as a result of the pandemic, creating a number of new challenges for employers.
While many businesses will have been focused on the practicalities of working from home, they may have failed to properly consider the implications on data protection.
Working remotely can make a business more vulnerable to cybercriminals and open up the possibility of data misuse.
The Information Commissioner’s Office (ICO) has made it clear that home working does not alter the expectations for protecting personal data under the Data Protection Act 2018.
As such it has called on employers to check the following to ensure that personal data remains secure by eliminating some of the common IT vulnerabilities that are often exploited.
Businesses must have a clear set of policies, procedures and guidance for staff who are remote working, which should include best practice on topics such as accessing, handling and disposing of personal data.
Employers should also send regular reminders to staff to:
When it comes to IT, businesses should make sure they are using the most up-to-date version of remote access solutions and have provided staff with devices or software that prevents malicious activity.
Businesses should also consider implementing multi-factor authentication, which ensures that criminals cannot access sensitive personal data.
Working via the cloud has become essential in many sectors, as it allows users to access data away from the office on any device.
The ICO says that this can also help prevent staff from using personal storage or messaging services, which can present additional risks.
However, when using cloud storage technology, businesses should ensure that it is not set to public or accessible without a username or password or another type of authentication.
Businesses may also want to consider just giving key staff full access to the storage area while allowing all other staff members to read, write, edit or delete, where appropriate, so that users can be carefully monitored.
Businesses should also not be using any default root or administrative accounts for any day-to-day activities and should check that all accounts are appropriately secured.
Remote desktop applications have proven to be an essential tool when working from home, but they can be vulnerable to cyberattack.
Criminals often try to access remote access solutions using well-known privileged accounts, such as an administrator account.
As such, employers should check that staff, in particular privileged users, have account lockouts in place, for example, software that disables an account after a certain number of failed logins.
Businesses should create generic usernames for privileged accounts and should disable any built-in or default administrator accounts where possible.
To limit misuse, remote desktops should only be accessible for staff that require them and each account should have a unique identity and password.
For long-term strategies, employers should consider if remote access solution should be behind a gateway or a virtual private network (VPN).
Short-term fixes can be applied, for example by changing the listening port of your remote access solution, but this should only be viewed as a temporary measure.
Businesses may want to consider investing in remote applications that provide staff access to the corporate applications they need whilst working from home, which can help prevent staff from using personal applications to process personal data.
However, employers should check that:
Email communication is an essential part of most people’s workday and is an important part of working from home.
However, emails can also be vulnerable to cyberattack or misuse of personal data.
To protect data businesses should consider either blocking the ability to add forwarding rules to external email addresses or have a method in place to detect forwarding rules.
Staff should also be advised and reminded to only use corporate email solutions and not rely on their own email or messaging accounts for the storage or transmission of personal or confidential data.
Businesses may also want to review and implement the NCSC guidance on defending against phishing attacks, which can be found here.