15 ‘Essentials’ for Managing Risk During Home Working
Homeworking is being ‘proven’ (albeit forcibly) as partially viable in the current Coronavirus national emergency. It’s worth bearing in mind that, on the back of this, some of our working practices are going to change forever. It’s therefore a worthwhile investment of time to get rules and structures in place right from the start.
Risk cannot be removed, but it can be managed. Ask yourself: in the event that things go wrong, what evidence could you present to the ICO or your insurer (or regulator, if your industry has one) to demonstrate that you were managing the home working risk?
Here are 15 ‘essentials’ that you might find useful, now and for after the emergency has passed:
- Forget computers for a moment; do you know if your staff are using pen and paper for work at home? Where are they keeping these notes/records? You really do need to know, and to have controls/rules in place.
- Every employee needs to know that they are personally accountable for maintaining data protection, irrespective of where they are working. Set out your homeworking rules in a plain-language policy document. Have all of your workers sign and return it (electronically, if necessary) to certify that they have read and understood the requirements and their responsibilities. Keep a copy on their personnel file.
- Make sure that your record of personal data processing is up to date with where and how personal data is being processed (Article 30 of the GDPR). If you don’t know how and where processing is happening, your operations are, put simply, ‘out of control’.
- Don’t use WhatsApp or Zoom or Dropbox or any other communication or file sharing platform without thoroughly checking the licence agreement first. Many of the ‘free’ versions do not provide adequate assurances that demonstrate compliance with the GDPR.
- Never transfer files between devices using a USB stick or other portable sources unless the content of the USB stick has been thoroughly vetted first (NB. Effective vetting is almost impossible in most ‘home’ situations, so if in doubt; don’t use them!).
- If you are using the Internet to conference or screen share, make certain that the Temporary Internet Files are deleted from the device after every session. These files contain information/data from the activity.
- Your team should not be using their own devices (computers and phones) to conduct work. Tough, but true.
- If it becomes absolutely unavoidable that ‘own’ devices are used, you should obtain documentary evidence that appropriate software, with the latest patches, and anti-malware/virus protection is in place. This applies to mobile devices and Macs as well as PCs. This could become important evidence to show your insurer and the regulator(s) if things go wrong.
- If a machine is running Windows 7, it should never, ever be used for business purposes, including sending emails. Don’t be lured into a false sense of security by thinking that your staff will be logging into a secure portal; if they are using a Windows 7 device, it is still Windows 7 that is underpinning everything else that they do (and Threat Actors are eagerly exploiting that).
- Establish a rule that home Wi-Fi networks must have strong password protection and must not be shared with anyone else at the time that work is being conducted. Remember that the devices are all sharing one network (your home Wi-Fi/Internet connection), so a weak link in just one of them can cause security issues for them all.
- Obtain evidence that a VPN is being used. (NB. If there is no VPN, the activity on the devices can be tracked and could become compromised.)
- ‘Business’ supplied equipment must only be used for company work. Use a different device for watching the news at lunchtime or online grocery shopping (etc).
- Establish a ‘protocol’ for emails. The current mass-homeworking situation is every Threat Actor’s birthday and they are inviting you to the party, usually via email. The best policy is not to click on any link inside an email unless you are 100% certain of where it will take you. Do not trust a strange link simply because it appeared in a legitimate email from a colleague.
- Establish a rule that devices (‘own’ or ‘company’) are never, ever used at home in front of staff members’ friends or family, or in front of windows. Also, ‘smart devices’ such as Siri or Alexa could be listening to you; switch them off or remove them from the room before you conference.
- Ensure that computers are never left untended. If you have to pop to the loo, lock the computer first. Your work will remain intact until you return and unlock it.
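Items 8 and 9 above ask you to hold documentary evidence that a device is not Windows 7, is patched, and has anti-malware running. The script below is an added example (not part of the original post) of how a Windows user could capture that evidence for their personnel file; it assumes Windows 8.1/10/11 with the built-in Defender module available, and the output path is an assumed value you can change.

```powershell
# Added example: snapshot of a home-working Windows device for the
# "evidence" asked for in items 8 and 9 (OS version, patch state, anti-malware).
# Assumes Windows 8.1/10/11 with the Defender PowerShell module; run as the user.
$report = [ordered]@{}
$report.CollectedAt  = (Get-Date).ToString('o')
$report.ComputerName = $env:COMPUTERNAME
$report.User         = "$env:USERDOMAIN\$env:USERNAME"

# Operating system: Windows 7 reports version 6.1 and must be flagged (item 9).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report.OS         = $os.Caption
$report.OSVersion  = $os.Version
$report.OSBuild    = $os.BuildNumber
$report.IsWindows7 = $os.Version -like '6.1*'

# Patch state: most recent installed update and its age in days (item 8).
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $report.LatestHotFix       = $latest.HotFixID
    $report.LatestHotFixDate   = $latest.InstalledOn.ToString('yyyy-MM-dd')
    $report.DaysSinceLastPatch = [int]((Get-Date) - $latest.InstalledOn).TotalDays
} else {
    $report.LatestHotFix = 'none found'
}

# Anti-malware state via Windows Defender; the cmdlet is absent on Windows 7,
# so a failure here is itself recorded rather than aborting the report.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report.AntivirusEnabled   = $mp.AntivirusEnabled
    $report.RealTimeProtection = $mp.RealTimeProtectionEnabled
    $report.SignaturesUpdated  = $mp.AntivirusSignatureLastUpdated.ToString('yyyy-MM-dd')
} catch {
    $report.AntivirusEnabled = 'unknown (Defender module not available)'
}

# Plain-language findings a non-technical reviewer (or insurer) can read.
$report.Findings = @(
    if ($report.IsWindows7) { 'FAIL: Windows 7 in use' }
    if ($report.DaysSinceLastPatch -gt 30) { 'WARN: no update installed in the last 30 days' }
    if ($report.AntivirusEnabled -ne $true) { 'FAIL: anti-malware not confirmed enabled' }
)

# Assumed output location; keep the file with the signed homeworking policy.
$out = "$env:USERPROFILE\Desktop\homeworking-evidence.json"
$report | ConvertTo-Json -Depth 3 | Set-Content -Path $out -Encoding UTF8
Write-Output "Evidence written to $out"
```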
You can also see our list of 10 ‘essentials’ for video conferencing here.
Please contact us to discuss your concerns on information security and data protection as well as business continuity management.