GDPR, Data Protection and the Coronavirus...

Posted on 26 March 2020

Our GDPR experts have been supporting their private clients during this difficult time with data protection issues. You probably won't be surprised to hear that the requirement for many people to work at home has caused a considerable number of data breaches to occur and it seems to be the basics that people are getting wrong. Remember that data has value and that it needs to be protected just as securely as any other valuables when working from home.

Working from home...

If you are setting up remote access to a network so your staff can work from home, you should make sure the user accounts have strong passwords. If the data is sensitive or carries a financial risk to customers, you should use additional security, such as encryption and two-factor authentication, if possible.

The switch to working from home can be daunting for people who have not done it before, especially when it happens very suddenly. People who are used to working with each other in a protected workspace are suddenly the first line of defence in a generally insecure environment.

Here are some general pointers to supporting secure home working.

  • You may need new software to work remotely or existing software may work differently. Make sure people have the support they need to troubleshoot the issues.
  • Ensure your staff know how to keep the software on their devices up to date and secure. A lot of this is automated in the latest operating systems but if your software is more bespoke you will need to make sure people are supported or the unpatched software could constitute a security risk.
  • There are many ‘collaboration tools’ available online - consider how one of these could help your staff to continue to work with each other outside the office space. Make sure people are aware of the risk of sharing sensitive information in a shared workspace, though, as this could be a data breach.
  • The risk of theft of physical machines or devices is greater outside the office. Make sure people are conscious of the need for physical security, as well as the usual password and encryption measures. Also make sure people know what to do and who to report to in the event of a theft. Try to encourage an open, no-blame culture in circumstances like this, as you are depending on your staff as the aforementioned front line.
  • Removable media, such as USB drives, come into their own when working remotely. As useful as they are, they also carry security threats. Make sure your staff are aware of this and know to scan the media for viruses or malware and that personal data is encrypted.
  • Make sure your staff know what to do if there is a problem or a data breach occurs. The GDPR data breach reporting procedures still apply but may need amending for remote working. For example, there may not be a physical form to complete.
  • Your staff might feel more vulnerable to cyber threats when working outside the office environment and there is evidence to suggest that this is a genuine fear. Cyber criminals are always quick to take advantage during a crisis. More on this in a moment.
  • If you are permitting or requiring people to use their own devices to do work for you then you should have a BYOD (Bring Your Own Device) policy for your organisation. The Information Commissioner’s Office (ICO) has provided some excellent guidance on the subject here.

Email scams and the coronavirus...

People are becoming wise to phishing scams but it is also the case that scammers are very quick to adapt and seize upon every new opportunity to commit fraud and steal your money. When people are working in the office it is often a quick task to check with colleagues whether an email is genuine. When working remotely, there is more responsibility placed on the receiving member of staff to choose the correct course of action.

There has been an upsurge in the sending of 'phishing' emails that try to trick people into clicking on a bad link. The user is then sent to a dodgy website which could download malware onto the computer or steal passwords. The scams either claim to have a 'cure' for the virus, offer a financial inducement or encourage you to donate to a fraudulent cause. Some emails may look like they have come from Government departments, such as HMRC, as the Government increases its efforts to provide financial support for struggling businesses.

If someone has been tricked into clicking a link, tell them not to panic. There are a number of practical steps to take to tackle the issue.

  • Run a full virus scan and follow any instructions given.
  • If they have been tricked into providing a password, the passwords should be changed on all linked accounts.
  • Make sure the IT department are informed and kept up to date.
  • If money has been lost then report the incident as a crime to Action Fraud. You can do this by visiting www.actionfraud.police.uk.

These are challenging times for us all and many organisations will be learning on their feet and having to adapt very quickly. Following these useful pointers will help your organisation to demonstrate to the ICO, in the event of a data breach, that you have taken your responsibilities seriously and put sound organisational security measures in place.

UK Training