There are numerous HR policies that your business can implement to ensure smooth and secure home working. While you are not under a strict legal requirement to implement these, doing so is best practice and can help you streamline your processes.
A working-from-home policy can set out what is expected of your staff while working from home, including data security and confidentiality. To comply with your data protection obligations, it is likely to be appropriate for you to have a separate data protection policy setting out the duties your staff are under when handling personal data, including ensuring that it is processed securely at all times.
An IT security policy can include requirements regarding passwords, the physical security of devices and the protocol for installing software. If you already have an IT security policy, review it to make sure it is fit for purpose and that it strongly recommends using two-factor authentication wherever possible.
If you allow staff to use their own devices while working from home, consider a BYOD (bring your own device) policy to address the additional security risks that will arise. For instance, this will help you ensure that appropriate security measures are taken when handling sensitive information, including any third-party data, on personal devices.
It will also be beneficial to have a personal data breach policy setting out your business’s response plan if a data breach occurs following a cyberattack.
If your business is already accustomed to having staff work remotely, check that all of your remote working systems are updated with the most recent security patches and that firewalls are in place. If working from home is new for your business, take the time to ensure that the systems you set up are fit for purpose and that you have applied appropriate and up-to-date security functions. For example, ensure that virtual meetings are private and require a password to join.
Make sure you take steps to secure devices while they are outside the workplace. For example, ensure encryption is turned on and that you can remotely lock devices and erase or retrieve data stored on them if they are misplaced or stolen.
If staff are using their own devices to work on, make sure they know how to save work remotely rather than locally on their device, check that their antivirus software is installed and fully updated, and remind staff to ensure the physical security of their work, for example by locking their screens when they are not working.
Make sure your employees are backing up their work regularly. Any back-ups should also have strict security measures; for example, access should be restricted to certain people within your organization, and the back-up should be kept separate from the original copy (e.g., using a cloud service). If your essential data is backed up, you won’t lose it if devices are lost or stolen, and you can protect your business from ransomware attacks (which make your system or data unavailable until you pay a ransom).
Individuals are a key target of cyber-crime, so remind your staff to be alert and make sure they are aware of the risks to look out for. This may require you to recirculate your policies, refresh their training on relevant security procedures, or circulate specific examples of Covid-19 cyber-crime.
Ensure your staff know what to do and whom to report to if they identify a cyberattack or think there might have been a data breach. Not only might an attack put your business under threat, but it might create legal obligations for you under data protection law.
Your staff may be working from home, but they’re still likely to need IT support access. Check whether your normal support will continue while staff are working remotely, and make sure you update staff if there are any changes. If support is readily available, IT vulnerabilities are more likely to be flagged quickly.
Any data that your business handles that contains personal information will be subject to data protection law, and you must bear your data protection obligations in mind at all times.
If there has been a personal data breach due to a cyberattack (i.e. a breach leading to the destruction, loss, alteration, unauthorized disclosure of, or access to personal data) and that breach carries some risk to individuals, you will have to notify the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of the breach. You may also need to notify the affected individuals. Even if you do not need to report to the ICO (because you don’t think there is a risk to individuals), you should still keep a written record of the breach.
These legal obligations serve as a reminder of how important it is for businesses to have effective cybersecurity policies and procedures, so that they can protect themselves from attack and comply with their legal obligations if and when an attack does occur.
If you think that your business has been the victim of cybercrime, you should report this through the Action Fraud website.