Working from Home, Data Protection and Security Challenges
Date: 31/03/2020
Businesses are facing many challenges right now and, although a cyber-attack is never welcome, on top of everything else businesses can do without their systems being encrypted or data being lost. So, what can businesses do to ensure that their systems are not vulnerable to those bad actors who are sadly exploiting the situation?
Here are some practical tips provided by Davidson Chalmers Stewart linking into the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO).
All your portable devices should be encrypted. People working away from the office are more likely to lose devices or have devices stolen. Most modern devices will have encryption built-in but you must make sure encryption is turned on and configured properly.
You should also ensure that you can delete information on devices remotely. Most information is backed up these days.
The NCSC recommends providing access to a company’s system through a VPN. This allows information to pass through a secure, encrypted network. VPNs must be patched and the NCSC has provided guidance for businesses using VPNs here.
If you are using RDP (Remote Desktop Protocol), you must ensure that your server is accessible only by your staff, so that only your users can access the system. There has been a massive increase in attacks on RDP.
Multi Factor Authentication
If you can enable a second line of authentication, then do it on all software. This provides protection against the bad actors getting into your system through a brute force attack or accessing passwords through spoofing or malware. It is a simple way to effectively protect accounts. More information from NCSC here.
Patching and updates
It is still important to keep all software up to date and staff should be advised to do this on devices they are using away from the office.
There are many pressures on IT departments but it is so important to monitor your systems for anything suspicious. Modern systems have monitoring built in and there is simple guidance from NCSC here.
There has been a massive increase in phishing emails and text messages.
This week I received a spoof text from DVLA saying that they owed me money and a real text from the Government directing me to information about the new rules in relation to Covid-19. Both involved clicking on a link – but the DVLA one was too good to be true.
You should note that the Government can ask your mobile provider to send a message in an emergency but that bad actors have been spoofing these messages, so be careful. And the DVLA returning money to me would not be an emergency!!
So it can be difficult to discern what is real and what is not. There is some good advice from the National Cyber Security Centre about how to identify spoof messages here. And there is an online course for your staff which NCSC has provided here.
The bad actors are getting more sophisticated and use information about you from social media to make these messages more personal. So even if they use your name, be extra vigilant.
What to do if someone has clicked!
All staff need to know what to do if they do click on something suspicious. The business needs to encourage reporting issues without seeking to blame anyone. Studies often show that CEOs are just as likely to click on a bad link as anyone else in the company. But the company’s reaction can make the difference between an issue staying small and becoming a much bigger one. So you must encourage reporting!
- Make sure everyone knows how to contact your IT department and encourage them to do so if they suspect that they have clicked on something they should not have.
- Open your antivirus software if installed, and run a full scan. Follow any instructions given.
- If anyone has been tricked into providing their password, all passwords should be changed on all accounts.
- If you have lost money, you should report it as a crime to the police.
- If personal data is involved, then consider whether to report this as a personal data breach to the ICO.
Please do get in touch if you require any advice about data protection or cyber security matters.