With the recent and sudden move to remote working businesses need to consider data protection and GDPR compliance whilst employees work from home. Matrix Recruitment's Sarah O'Donnell outline 9 top tips employers should follow during this time.

A paper released by the European Union Agency for Law Enforcement Cooperation (EUROPOL) states:

This pandemic brings out the best but unfortunately also the worst in humanity. With a huge number of people teleworking from home, often with outdated security systems, cybercriminals prey on the opportunity to take advantage of this surreal situation and focus even more on cybercriminal activities.”

Hackers are now stepping up their attacks even in the midst of a global pandemic. They are also reportedly exploiting new vulnerabilities that have emerged in relation to the global response to COVID-19. Our Business Support Manager and GDPR expert, Sarah O’Donnell, has put together the top 9 things you can do to protect your business whilst your employees are working from home.

How can you protect your business?

1.Strong Password Protection

This seems so obvious and simple, but many people do not use strong complex passwords. Others will use the same password for all sites both professional and personal. It is essential that your staff follow a complexity rule and password policy when setting their passwords for remote working, such as

  • Mix of Upper case and Lower-case letter
  • Numbers
  • Special characters
  • Minimum of 12 characters
  • Use of random/unrelated words
  • Do not use personal words like family names, pets
  • Use a password manager to manage your multiple complex passwords
  • Do not auto-fill passwords
  • Never share their passwords with others / write them down

Users should also have different passwords for different sites, example your CRM password should not be the same as your login to your emails. Google Chrome also offers a free Password Checker Extension that can be downloaded. This will highlight to the user if their password is susceptible to a data breach.

It is also critical that when working from home that YOU and only you have access to that PC/Laptop especially if it is a work issued device. If it is a personal device with other users always ensure you have a personal profile set up solely for work purposes and that you have a strong password set up for your profile.

2. Multi- Factor Authentication

MFA adds an extra layer of security if you have staff that are currently working remotely. This is where an individual must provide two or more credentials in order to authenticate their identity, such as mobile phone number. For example, when your employee is trying to access their emails from home they will receive a text message to their mobile phone with a code that they will need to enter before access is granted. This ensures that your company is data is safe and only being accessed by the right people. As we all know, passwords are susceptible to hackers, so by adding an authentication factor that is not so easily guessed, like “something you have” (your mobile phone number) this protects your data. Unless the hacker has all of the factors required by the system, they will not be able to access the account.

3. Phishing Training

Phishing campaigns are being launched by hackers to exploit the current crisis and are expected to continue to increase in scope and scale. Now more than ever companies need to train their staff on how to identify malicious phishing emails and what to do if they receive one.

  • Always check the sender and the spelling– does it look legit?
  • Don’t click any links on the email
  • You may receive emails that look like they are from your manager/accounts team etc – check email address.
  • Any email that you are unsure of always ask your manager or your IT Company.
  • Don’t provide any details such as usernames, passwords, bank details etc.
  • If you receive a phishing email , block the sender and delete the email

You can also work with your IT Provider to set up Phishing Test emails, whereby your staff will receive a test phishing email. This will identify any susceptible users, and identify any training gaps.

4. Password and Name of your personal WiFi

Large numbers of staff working remotely using their personal home wifi is a hackers paradise. They can attack home routers to gain access to the main WAN on a much larger scale. Many home routers use a default password and have other security issues. To protect your company data it is important to train staff on how to

  • Change the wireless network SSID name: Broadband providers issue customers with a default SSID name and password. The default name is chosen by the manufactures of the routers example “EIR 2g 1232345”. Changing the default name to something else (not identifying you or your home) will make it harder for any potential hackers as you are not giving away the make and model of your router. You can also hide your SSID name from showing up in the available networks list.
  • Complex Passwords for your Home WIFI – Again, similar to the above ensure you have a complex and unique password for your home WIFI.

5. VPN – Virtual Private Network

A VPN is very easy to set up and allows you to create a secure connection to another network over the Internet. The VPN connects the PC/laptop of the remote user, to the secure private network in the office. The company can set certain sites containing large volumes of sensitive data, such as Payroll, CRM etc as restricted sites that can only be accessed on the secure network in the office. Each user will have a VPN username and password. This adds another layer of security that these sites can only be accessed outside of the office with the unique password.

6. Locking the PC/Laptop

It is very important to ensure, now more than ever, that you lock your PC/Laptop every time you step away from it.  It might seem simple, but accidents can happen. It only takes one click of a button for something to go drastically wrong! You can also set your device to automatically lock/timeout after a period of non-use.

7. Clearing your History / Emails / Files and Recycle Bin

Develop the habit of clearing your search history every day/every other day. It is also good practice to delete any sensitive data from your emails/laptop once processed. Don’t forget to clear the recycle bin too.

It is also important to remember if you are saving any files to your personal device that it cannot be accessed by anyone else. One must also delete the file once it has been used for the purpose intended. Using Microsoft One Drive which is a cloud based system is much safer.

8. Video Conferencing

While video conferencing is an incredibly useful team, especially at this time with many people working remotely, it is vulnerable to hacking. Many people flocked to sites like Zoom since the pandemic began. However, it was discovered that the site was not secure and many meeting URLs and user email addresses were being leaked. There was also a surge in “Zoom bombing” with hackers bombing zoom meetings with images.

Video Conferencing on the most part is really useful but on the most part, if you are discussing hugely sensitive confidential information due care and attention should be taken such as

  • Use a password or PIN function where available to enter meetings and only share it with those scheduled to attend the meeting
  • Make sure to enable features that alert of newly joined participants – audible tone

9. Use of Printers at Home

While working from home, hard copy documents and printouts must be handled with extreme caution. The same principles apply for Data Protection at home, i.e we do not put work related documents in the kitchen bin!! These must be shredded. It is best to avoid printing material outside of the office but if you must, ensure that it is being stored and handled with the same level of care as in the office. Example – locked filing cabinets, locked office etc.

If you require further information on GDPR protection whilst your employees are working from home, please contact Sarah O’Donnell

Sarah O'Donnell Data Protection Remote Working