Data Protection and Working from Home: Are You Doing Enough?

With every member of staff working through different internet connections or mobile devices, the in-company IT teams have to work harder to ensure the remote workforce is as safe from cybercrime as when they are working from the office. 

When working in the office, how you handle and store client’s data is heavily legislated and any failings with this leaves the company liable for fees and fines. The working from home regulations regarding data protection and GDPR is exactly the same as in the office. If the company is identified as a data controller location is not a factor. 

How can I protect my data when working from home? 

Whereas within the office environment data security may be automatically backed-up and protected due to being connected to the internal network, this may not be possible when working from home. Staff need to be made aware of how to protect data when not in the office and the importance of creating backups of their data, and the dangers of storing files on their desktop rather than in the cloud, for example.  Back ups of key data will prevent data being irretrievably lost should there be a security breach (malware, ransomware, virus) which corrupts or encrypts the files, or should they be accidently deleted by a user. 

Just ensuring staff know which cloud system they should be using to store their files could be enough to prevent data loss, and a loss of time and money for your business. Disaster and recovery services such as those available at CIS can also provide further reassurance that your data will be safe and secure, should there be a reason for the data to be lost.

Fighting complacency with working from home

One of the biggest problems facing a business with a workforce changing from onsite to remote is complacency. The mindset that “The data will be safe at home,” meaning that security measures become lax, and more risks are taken in regard to how staff are connecting to the internet, and whether their PCs and laptops are password protected for example. 

The only way to fight this is through staff straining. Staff need to be aware of the dangers of: 

• Using unsecured WIFI connections. 
• Not having password protected hardware. 
• Clicking on links in emails – even if they look genuine. 
• Leaving data accessible on screens or printed material on desks. 

Just because people are not working in the office environment does not mean they are not governed by the same rules when working on company data. So, when leaving the desk unattended, even if there is only family in the house the member of staff needs to get into the habit of locking the screen.

How does GDPR affect working from home? 

At the beginning of the pandemic safety measures the Information Commissioner’s Office (ICO) were taking the changeable circumstances into account with GDPR breaches. However, now that we are more than nine months into the measures with staff working from home businesses need to ensure they are complying with all GDPR legislation with their remote, and on-site teams equally. 

There are a few simple ways to protect data when working from home to ensure that the remote team are working within the GDPR guidelines. Staff should; 

• Only use devices provided by the workplace to access and store data.
• Avoid using personal devices for work related activities if possible.
• All devices used for business purposes should have the same level of system security as you would in the office. 
• Have a safe space for private calls and a door you can lock.
• Protect screens from family members who according to GDPR legislation would be unauthorised third parties.
• Use all the same processes as you would in the office when sharing data with third parties. 
• Any printed material should be locked away safely or shredded if no longer needed. 

The IT department within the organisation also has the responsibility to ensure the devices provided for business use are set up with all the appropriate firewalls, anti-virus, anti-malware and anti-ransomware software that they would have in the office – and this includes on mobile devices.

How to protect business data while working from home

Protecting business data when working from home follows some of the basic security rules as working in the office environment such as; 

• Passwords – All hardware (laptops, PCs) used to access company data should be password protected. 
• Secure passwords – All passwords should be secure and be between 8 and 10 characters long – including upper- and lower-case letters, numbers, and special characters. 
• Multi-factor authentication – In addition to a password, there may be biometric information required, app generated codes, personal information of physical authentication keys. 
• Avoiding public or unsecured WIFI – When using such WIFI connections you are essentially inviting any other third party to infiltrate the data and do what they want with it. 
• Use a VPN to connect to company servers – this is a much more secure option than the home internet connection for accessing data held on the company servers. 
• Updated software – Even when working away from the office environment it is key to ensure all software is running the latest version. Don’t postpone updates to a more convenient time.
• End to End Encryption – this is a system that ensures data sent to a third party can only be read by the intended recipient as they have the encryption code. 

Location really shouldn’t have an impact on data security if all the correct systems are in place and staff are fully trained on what they should and shouldn’t do, and more importantly why this is the case. Although no security is 100% secure the more you have in place the safer you will be.

If you want to ensure that your remote staff are as safe as they can be and are compliant with GDPR laws, give the team at CiS a call and we can assess the processes in place and make suggestions for improvements. You can find out more about our cybersecurity services here.