The Information Commissioner's Office (ICO) exists to, among other things, uphold information rights and the rights to data privacy for individuals. It can hold businesses and public bodies accountable for their actions, including through fines and sanctions, and it therefore makes sense that its latest guides focus on home working and the use of personal devices for office work.
Working from home: security checklist for employers...
When lockdown first began, there was understandably a mad dash to get people set up for home working, to register for tools that assist with home-working challenges, and of course to try to continue 'business as normal' when the setup was anything but. Eight weeks on, however, it's no longer appropriate for your company or your employees to be bumbling along without due care or protective procedures. Just as your employees have rights at work, so they have rights when working from home, and you also need to protect your business, both physically from the threat of cyber-related breaches and by delivering quality policies for your teams.
The ICO's guide to working from home includes a security checklist for employers, as well as helpful information on all the things you should be considering. There are four core principles to the checklist as follows:
- clear policies, procedures, and guidance for staff who are remote working. These include topics such as accessing, handling and disposing of personal data.
- using the most up-to-date version of the remote access solution.
- staff have been reminded to use unique and complex passwords.
- checked if multi-factor authentication is available, and configured it where possible.
The guide goes on to provide specific checklists for different applications, including the use of personal devices for work, cloud storage, remote desktops, remote applications, and email. We believe this to be a very helpful checklist for businesses and recommend that they check their own policies against it.
See the full guide here...
Using personal devices for work...
While some businesses already provided work devices for mobile staff, it is fair to say that this is not common policy for the entire workforce, only those who are already on the road or out working. This left many businesses faced with the choice of asking employees to use their personal devices for work or forking out significant sums to equip a whole workforce, assuming of course that they could obtain enough devices in the first place.
In principle, there is nothing wrong with requesting that your team use personal devices, but it can leave your files vulnerable to cyber attacks, as you cannot control either the device or the home network. This makes it essential that you implement the right policies and procedures and, where possible, incorporate or implement security practices that stand between your files and your employees' personal networks. Things like multi-factor authentication, antivirus software, and software updates are highly recommended.
The ICO also provides a guide to support businesses with managing security according to device type, and we highly recommend that you go through the checklist.
Take a look here...