In the beginning
No one would have believed it, some of us might have thought it, but now many are living it. I’m talking about working from home. And of course that means talking about Information security and working from home.
As a company we have always offered, where appropriate, the opportunity of working from home, so early on we met the challenges of dealing with security concerns head on. We’re lucky compared to many: we took data security seriously with ISO 27001 certification over 6 years ago.
Initially we thought it would become a huge burden, not least in getting buy-in from staff. We also thought it would slow us all down and make us less efficient. How wrong we were. In fact, it was the complete opposite. We embraced the changes to how we work, and by far, those changes made us even more efficient. The end result is we are safer and now even more competitive.
At the time, we were but a simple marketing agency, producing pretty, but clever emails. Looking around us, we could see that taking security seriously was not the ‘norm’ in our industry. You might feel the same about yours. We realised that this so-called world of certification was growing rapidly. It forces you to look at how you work with your partners, clients and suppliers. And then the penny drops: companies are often not very good at it. Information and data security, that is.
It’s a little bit viral in a way, excuse the irony. But you do end up looking for partners that are equally serious with how they keep their company safe.
Working from home and keeping info safe
You may have already looked into ‘best practices’. Or you may simply think that everything is fine because your company took one of the more recent Cyber Essentials certs, as opposed to a full-blown and dedicated security ISO standard. But we can always do more to ensure our employees fully understand the basics of Information security and working from home, and that, at the least, the devices we use for our day-to-day work are set up with what’s needed to operate safely.
I shall leave a link or two at the end of this article to help further your own research. Or even give us a call to find out how we can help, based on your own unique circumstances.
There are always risks whether or not your company is used to employees regularly working from home. In fact many of us often have work emails and messengers on our ‘smart’ phones. Remote working includes all devices, not only laptops and desktops.
A quick note about GDPR, which now everyone seems to have heard about. The new Data Protection Act 2018 replaced the previous version from 1998. The new Act introduced GDPR and gives the ICO (Information Commissioner’s Office) more power and resources to enforce the law. Every company needs to take this seriously, especially with HR and employee records.
Cyber criminals are taking advantage of the fact that, due to the lockdown, so many people had to hastily start working from home and, without the proper controls, may be vulnerable from a security perspective.
Basic steps to information security
People benefit from some structure, and Information security and working from home is no different. Having things documented is one of the best ways of starting. But what to document?
There are many components. But focusing on the priorities, to hit the ground running, we need a ‘Remote working policy’.
From this we can include the basic details required to keep people safe. It can be top-level guidance, structured in a way that can link to other important docs you create, covering things like password management or file sharing.
The ICO has acknowledged the best way to ensure that data is safeguarded is to encrypt it. That way, if it’s stolen it becomes very hard to simply extract the original information.
Luckily this has become easier for us humans, as long as we use a few tools and click some settings.
Data ‘At Rest’ security
Let’s look at Data ‘At Rest’. All modern operating systems, e.g. Apple or Microsoft, have built-in encryption systems for the hard drive or disk. If switched on, it becomes very difficult to retrieve the data off the drive if you don’t have the password, which helps us achieve Information security when working from home.
Apple use FileVault and Microsoft use BitLocker. Get those turned on.
Mobile devices, like ‘smart phones’, use encryption by default. In many ways they’re safer out-of-the-box, but of course they are also easier to lose. Laptops and desktops are not generally encrypted by default. Without encryption, your data is accessible whether or not a thief has the password, using easily obtainable programs.
Then there is cloud-based storage. This sounds like a double-edged sword, but it’s one of the keys to safely working from home. The top cloud-based providers, whether Microsoft O365, Box, Dropbox etc., use encryption on their storage and are securely managed. So this satisfies data at rest in the cloud. This leads us to the next step, Data ‘In Transit’.
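One way to confirm that FileVault and BitLocker really are turned on across staff laptops, as an added example that is not part of the original article: each person pastes the output of `fdesetup status` (macOS) or `manage-bde -status C:` (Windows) and the script flags devices that are not fully protected. The device names and sample outputs are constructed, and English-language command output is assumed.

```python
"""Flag staff devices whose disk encryption is not fully on (added example)."""

# Constructed sample reports: text each device owner pasted from
# `fdesetup status` (macOS) or `manage-bde -status C:` (Windows, English).
SAMPLES = {
    "mac-anna": "FileVault is On.",
    "mac-ben": "FileVault is Off.",
    "win-cara": "Volume C: [OS]\n  Conversion Status:    Fully Encrypted\n"
                "  Protection Status:    Protection On\n",
    # Encrypted, but protection suspended: a clear key sits on the disk.
    "win-dev": "Volume C: [OS]\n  Conversion Status:    Fully Encrypted\n"
               "  Protection Status:    Protection Off\n",
    "win-eli": "Volume C: [OS]\n  Conversion Status:    Fully Decrypted\n"
               "  Protection Status:    Protection Off\n",
}

ENCRYPTED = {"Fully Encrypted", "Used Space Only Encrypted"}


def _fields(output):
    """Turn 'Name:   value' lines into a dict."""
    pairs = (line.split(":", 1) for line in output.splitlines() if ":" in line)
    return {key.strip(): value.strip() for key, value in pairs}


def assess(output):
    """Return (compliant, reason) for one device's pasted status text."""
    if "FileVault" in output:
        # An 'in progress' line means the disk is not fully converted yet.
        ok = "FileVault is On" in output and "in progress" not in output
        return ok, "FileVault on" if ok else "FileVault off or still converting"
    fields = _fields(output)
    conv, prot = fields.get("Conversion Status"), fields.get("Protection Status")
    if conv is None or prot is None:
        return False, "unrecognised output, check by hand"
    if conv not in ENCRYPTED:
        return False, f"disk not fully encrypted ({conv})"
    if prot != "Protection On":
        return False, "encrypted but protection is off (suspended)"
    return True, "BitLocker on"


def non_compliant(reports):
    """Names of devices that need attention, sorted."""
    return sorted(name for name, out in reports.items() if not assess(out)[0])


if __name__ == "__main__":
    for name, out in SAMPLES.items():
        ok, reason = assess(out)
        print(f"{name:10} {'OK  ' if ok else 'FAIL'} {reason}")
```

The `win-dev` case is the one most often missed: the drive reports as fully encrypted, yet with protection suspended the data is readable without the password.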
Data ‘In Transit’ security
Whether you send an email, share a file or a message to a colleague on messenger, these are all Data ‘In Transit’. This is often where mistakes or vulnerabilities can occur. It’s worth spending time getting this right. Make sure everyone knows the do’s and don’ts to keep your company information safe.
- Do – use file sharing links. This removes sending confidential data over insecure email or messengers
- Do – use expiry times, passwords, or only share with people that have the permission to download the file
- Do – share folders, create a file that only selected people can see and put the details there.
- Don’t – send confidential data in emails as file attachments. Zip attachments with a password are not that difficult to hack
- Don’t – send usernames and passwords in email. Especially together, or in a thread of an email. Confidential information, e.g. login details, can end up in the hands of someone else if the email gets forwarded.
An added bonus of using cloud-based file sharing is no more clogged and bloated email software. Every file sent as an attachment makes your software slow down.
Added bonus 2: your email client will be less of a security risk, because it no longer holds the confidential files you have been sending and receiving. If someone has access to or intercepts your email, all they can then retrieve is a link that has either expired or has restricted access.
Many companies use O365 as it sorts out many of these potential problems. MS Teams has become a winner, with secure message sending and file sharing. Make sure you’re not making your group chat public and keep it private, else you could end up in trouble!
MS Teams allows companies, clients and suppliers to easily collaborate securely together, something which was difficult in the past.
Other security considerations
Of course, the usual anti-virus programs should be installed on all work devices. Enable end-point protection to stop your staff plugging in USB drives and downloading your data. A screensaver that locks your screen after a few minutes is a simple, effective way of securing your device, especially if you forget to close your screen whilst making that cup of tea. It also stops mischievous employees declaring undying love to the boss from your unattended device!
All these things require staff to understand why the best practices for Information security and working from home exist, and to take them seriously.
Government link on working from home: