Extraordinary circumstances lead to extraordinary measures. Many people now find themselves trying to work from home; for some, working from home is routine, but for many others it is new. The suddenness of the measures put in place to slow the spread of COVID-19 has meant that most have had little preparation and less than ideal circumstances. Even for those used to home working, the normal solitude has been interrupted by having other family members at home at the same time. It is undoubtedly a time for patience and forbearance.
But it cannot be a time for laxity. Already, mal-actors have been quick to exploit the weaknesses that emerge in a crisis. With a few simple rules of “data hygiene” we can help to ensure that one crisis does not create another.
Working from home involves access to data (often personal data); the normal ways and means of storing and processing this data is often not set up with large-scale remote-working in mind, and network infrastructure has difficulty scaling up. The temptation to take shortcuts looms large. Resist! Letting your guard down, or failing to act appropriately, is the data equivalent of not washing your hands and then rubbing your eyes. Don’t do it.
Obviously individual circumstances vary, but here are some simple guidelines to help protect and safeguard personal data during the crisis:
Normal security rules apply
While the surroundings of your home are familiar, when dealing with customer or employee data while working from home, it is best to regard your home network as “public” rather than “private” so that your computer’s firewall takes appropriate precautions.
Ensure your equipment is up to date
Make sure that you have all the latest updates to ensure that you are combatting (electronic) viruses and other cyber-threats accordingly.
Hopefully it never happens, but if it does, take immediate steps to inform your organisation if anything goes missing.
Don’t use personal email account
Use your work email system for work.
If something is slow or inaccessible, wait for it to come back. Speak to your IT. Don’t be tempted to find a workaround.
Use the equipment provided by your organisation
If you’ve got a company-provided laptop, use that rather than your own. Transfer of personal (or other) data to your own computer may be treated as a breach, and is probably against corporate policy.
Avoid USB memory sticks, SD cards, etc
You should only be accessing corporate systems through your corporate laptop. Avoid the temptation to “make things easy” by copying stuff onto USB. If you really have to, work very hard and ensuring that the USB is kept safe. Don’t multiply the risk by multiplying the USBs.
Lock your screen
As the lockdown tightens, there are more family members at home. They are not entitled to see any of the data you are working with. Turn your computer off when you are not using it, and keep it somewhere safe.
Don’t let others use your PC (or your phone)
Aside from exposing data to risk of disclosure, those fingers are a vector for viral transmission.
Check that it’s OK
If you are simply continuing normal work, but from home, that’s fine. But if you’re asked to do something different, especially if it involves special categories or sensitive data, check that it’s covered by your organisation’s record of processing activities. Your DPO should be able to help you with that.
Special Categories of data require more care
Certain data (e.g. health data) requires special, extra care is taken to safeguard it. Don’t bring these records home, or process them, unless it is strictly necessary that you do so.
Avoid using your home printer
Do you really need to print something? Is there a risk that something will sit on the printer and be seen by others? Do you have a shredder to dispose of printed material?
Have secure storage
If working with paper, make sure you have a safe place to keep it. Just as in the office, make sure that anybody with no business in seeing it doesn’t see it.
Shred your documents
Don’t just throw paper into the recycling. If you really must have paper documents, and don’t have a shredder, get a dedicated bin where you can store documents until you can bring them into shredding facilities at work.
Keep a record of your records
Know what you’ve brought home, so it can be accounted for.
Nothing is perfect, and perfection can hardly be expected even in the best of times. Nevertheless, following these guidelines will help you to ensure that the personal data that you are entrusted with is as safe as possible while you are working from home. If you would like to discuss your cyber security concerns with Expleo, contact us today.
Declan Brady, Head of Data Protection and Capability Improvement Practice, Expleo Ireland
This is the fourth in a series of blogs from our team at Expleo Ireland, which we hope will provide you with helpful advice and insights for now and into the future. Catch up on Phil Codd, Managing Director of Expleo Ireland’s piece about rising to the challenges of the current emergency, David McGrath, Director of Business Agility’s advice on change reaction. and Rebecca Keenan’s excellent piece on the Digital Workforce. Next up, Head of Marketing Siobhán Smith will address how to manage crisis comms and important factors for communication as we move forward following the pandemic.