Could you cause a data breach when working from home?
We examine whether you could cause a data breach when working from home.
Data security when working from home
As businesses navigate the unprecedented coronavirus crisis, many have responded by increasing home working. But, in the rush to get up and running, some companies have not implemented appropriate security measures.
This is worrying, especially at a time when we are all feeling more anxious than usual. Human error is the greatest cause of data breaches, so it is to be expected that such instances might increase when people are worried and confused. Especially when appropriate homeworking procedures haven't been established.
For example, when sending out an email to residents to inform them of changes to services during the coronavirus outbreak, it appears that an employee at Watford Community Housing Trust inadvertently leaked the personal details of 3,545 tenants. This happened because a spreadsheet containing highly sensitive and personal data - including the ethnicity and sexual orientation of residents - was attached to an email in error.
Watford Community Housing has apologised unreservedly for this breach, but had it implemented some simple security measures (e.g. password controls/encryption on sensitive data), any damage could have been alleviated. And, while stress and nervousness might explain why someone might make an error, there is no excuse for organisations that do not have robust data security processes in place to prevent such breaches from happening in the first place.
What can you do to reduce the risk?
At Hayes Connor, we would hope that - as we adapt to our new normal - businesses that haven't yet reviewed their data security now do so as a matter of urgency. The impact of the coronavirus crisis will be far-reaching, and long-term commercial survival will rely on the ability of organisations to quickly adapt working practices to keep staff and clients safe while maintaining business as usual.
But what can you do as an individual employee to keep yourself and your customers safe while working from home? Here are some top tips from our data protection experts.
Alert your employer to the issue
If your business hasn't yet provided information on how it will maintain data security during the coronavirus pandemic, we encourage you to raise this with them. Things your employer should consider include appropriately limiting remote access to files and information, encrypting data, and implementing/updating its mobile working policy.
Ask for data protection training
One of the most important things an employer can do to reduce the risk of a data protection failure is to ensure that all staff are aware of the risks. Now is the perfect time to ask your employer to introduce a remote training programme which will stand your business in good stead today, and in the future.
Educate yourself on data protection
If your employer doesn't provide any training, you can make sure you are aware of the most common risks. Get Safe Online provides a wealth of free resources for businesses and employees. And, the National Cyber Security Centre (NCSC) has created some guidance to help manage the cybersecurity challenges of increased home working.
However, data security is your employer's responsibility, and if they do not take this seriously, they will be held liable for any work-based privacy errors - regardless of where that work is taking place.
Common cyber scams to look out for
At Hayes Connor, we create regular content to help people stay safe online. In particular, for people home working during the pandemic, this includes phishing scams.
What is phishing?
Phishing scammers contact you using emails, texts, phone calls, etc. They aim to trick you into believing they are someone you can trust. Common phishing scams to look out for include:
- Where fraudsters contact you posing as your (employers') bank
- Where fraudsters contact you posing as a company (e.g. Microsoft or your IT provider) and encourage you to complete steps that let them gain access to your computer
- Where scammers send out a message from an online service you use and ask you to click on a link. This link takes you to a fake page that collects your login details
- Where you receive a message from a person or company you know and trust, which lures you into downloading a malicious email attachment.
People working from home must be on their guard against such attempts during the COVID-19 pandemic (and beyond). Particularly as data stolen in previous breaches can be used to trick people into thinking scammers are legitimate.
Best practice data protection security measures
There are a few common mistakes when it comes to dealing with sensitive work information. So, we would advise you to follow these best practice tips, whether you are working from the office or from home.
Think about the value of the data you are accessing
It is vital that personal details (e.g. names, email addresses and more sensitive data) cannot be seen by anyone else on a shared family computer. Also, never save this data to your family computer.
Hard copy files must not be printed off and left for someone else in your household to see. Never leave sensitive information unattended.
Dispose of sensitive and private data appropriately
When personal and sensitive information is not disposed of correctly, it can fall into the wrong hands. As such, you must make sure that you correctly destroy and get rid of any such data.
Protecting data before you send it
When sending information, make sure it's securely encrypted. For example, you can add encryption to files that are zipped. Just don't send the password in the same email as the protected file.
Check before you click send
According to the Information Commissioner's Office (ICO), most data protection breaches happen because of distractions or mistakes. Always check email addresses, contents and attachments before you click 'Send'. This includes making sure that you use the BCC function on emails where appropriate.
Data protection remains essential
Today, technology is making it possible for businesses to adapt to employees working remotely. However, being mindful of potential data protection risks, and quickly implementing appropriate security measures, should be front of mind.
Alternatively, if you have been the victim of a data breach, pleasecontact usto find out how we can help. Our initial advice is completely free, and there is no obligation to process.