When the pandemic first took hold and we all started working from home, it all happened a bit quickly. We were forced to adapt and set up our home offices to try and continue working in a way that was as ‘normal’ as possible. We certainly didn’t think that it would last as long as it has done, and there seems to be no likelihood of it changing any time soon. The Chartered Institute of Personnel & Development (CIPD) have estimated that the number of people working from home on a regular basis once the COVID-19 crisis is over will increase from 18% to a huge 37%.
Policies & Procedures
With this in mind, when you first instructed your staff to work from home on their own devices, did you put the right policies and procedures in place? Remember they are working from non-secure Wi-Fi (using their own internet hubs), and may well be using their own laptops (unless you provided them with the necessary equipment). Have you taken the time to update your cybersecurity policy, for example? Many employees who are not familiar with data security issues may not understand the impact of how one slip-up could lead to a huge data breach.
A cybersecurity policy should instruct your employees on how to keep your business’ data safe. If you have a policy but haven’t updated it since everyone started working from home, you should resolve this immediately.
Personal data must be protected both in transit (any time that someone has access to it) and at rest (where it is usually stored). An example of data in transit is when data passes from a website server to a device such as a computer. Data at rest refers to data in storage, like on your device’s hard drive. The two key ways to maintain data protection when your teams are all working remotely are encryption and controlling the level of access each user has.
GDPR explicitly mentions ‘encryption’ when discussing technical and organisational security measures. If the data you hold is encrypted and the worst happens and it falls into the wrong hands, the data will be illegible and therefore useless. Keeping data encrypted in an office environment is much easier than when your team are working remotely. There are some simple steps you can take though, including ensuring all devices your employees use for work are encrypted (including work mobile phones). Most software offers you the option to encrypt your saved files too, which covers the ‘data at rest’ aspect.
You should also take the time to see who in your company has access to potentially sensitive data. Employees should only have regular access to the data they need, and nothing more. Limiting the data each employee has access to will reduce the risk of a security lapse. A great way to limit access to your sensitive data is to use a Virtual Private Network (VPN). This will automatically encrypt the connection your employees have to your servers, allowing them to securely and safely access your company’s network.
Whilst training is often deemed boring, there is no more effective way of reducing the risk of a data breach than to educate everyone who handles data. Don’t expect your staff to immediately put new cybersecurity procedures into place whilst working from home. If you would like any help with this, the expert GDPR team at InfoLore provide training to businesses, so just give us a call.