GDPR & working from home

National Cyber Lead for the Police Digital Security Centre, Neil Sinclair explores GDPR in relation to the new way of working.

With so much business now being conducted from home, and with the future suggesting that remote working will be the “new normal”, many small business owners have had their focus returned to the General Data Protection Regulation (GDPR). It was a major area of concern prior to its introduction on 25 May 2018, so one hopes that proper processes for the handling of data are already in place. Nevertheless, the Information Commissioner’s Office (ICO) receives an average of 1276 data breach reports each month. Some of those are very high profile: British Airways, Marriott, EE and EasyJet, to name but four. But of course there have been many breaches that the media may have disregarded; the ICO has not.

The concern for small business owners is that, with staff working remotely and using different devices (“endpoints”) to access company data, control of that data has, to a large extent, been lost. The question that consumes many business owners is: “How can we control our data with so many remote workers, and where does the responsibility fall if data is ‘lost’?”

The purpose of this blog is not to run through the details of GDPR again. It is to help you remove the uncertainty around the control of your company’s data when it is potentially sitting on someone else’s device.

Here is what you need to know: it’s not just businesses that can be investigated and fined for breaches of GDPR. Individual responsibility is as important as corporate responsibility for protecting personal and special category data. Anyone acting under the authority of the data controller (that’s you or someone appointed by you), which includes your employees and contractors, may process personal data only on the controller’s instructions, must keep that data secure and must not do anything that would put the controller in breach of GDPR. This is important knowledge because if you impress this on every employee and every contractor, then to some extent your problem is halved. That is not to say you can abdicate responsibility, however: the controller remains accountable for the data.

It is important that you have the correct processes in place to protect the business’s perimeter and keep your data securely within it. “Privacy by design” (“data protection by design and by default” in Article 25 of GDPR) is a legal requirement, not a recommendation, so the business owner should make it part of the process from the outset, not an add-on at a later date.

The simple solution is to make sure your cybersecurity controls – network, web, email, endpoint, identity management, authentication, access management – are fully functional regardless of the user’s location; in practice that usually means making them cloud-based. As you complete your transition away from on-premises IT you can simultaneously move away from on-premises security controls, which will become less valuable anyway once few users and little data sit behind them. The cloud should be the default for running your business. Cloud-based security controls reduce, and can ultimately eliminate, the need to backhaul traffic from remote offices or through VPNs in order to enforce and monitor security. Start with the security controls used by your everyday users – such as authentication and single sign-on (SSO) – and move on to more specialised teams, such as IT and security, over time. The internet is resilient, the home networks of many employees are excellent, and the cloud service providers have proved they are ready for the increased load. If an existing, critical application can’t be moved to the cloud, start the process of getting a new, cloud-based application to take its place.

If you want to extend control to the endpoint, and it is highly recommended, then you have to own it. This means supplying the team with laptops and mobile phones. Trying to secure employees’ personal equipment can create all sorts of complex privacy issues, so it is probably worth your while spending the money. It’s an added bonus if hardware, software updates and security functions can be delivered without staff having to come to the office or connect to the corporate network.

Whether you take that advice or not, most account takeovers can be averted by using multi-factor authentication. Without it, cloud-based storage can be accessed by a malicious actor who acquires a single password, whether by phishing, guessing or reusing one leaked from another site. Combined with single sign-on, multi-factor authentication also makes application access straightforward for your employees no matter where they are: one login, verified once, opens everything they need.

Employees’ home networks are part of your business continuity programme, so treat them as such. Tell staff to change the default admin password on their routers, to avoid weak or easily guessable WiFi passwords, and to keep their router firmware up to date, and require them to have a home network that meets a minimum standard at the ready. Tethering to their mobile devices for backup access to the internet should be encouraged. With the arrival of 5G mobile networks, this will become increasingly cost effective.

There is clearly a need for some staff training to get the best and most secure remote workforce. It is time well spent: it could save you a fortune if it averts a breach.

A lot of people think all data breaches have to be reported to the ICO – this is not the case. Only breaches involving personal or special category data that are likely to pose a risk to people’s rights and freedoms must be reported to the ICO. You must, however, keep an internal record of every personal data breach, including those you decide not to report, together with the reasoning behind that decision.

A ransomware attack would not necessarily have to be reported if it merely encrypts files containing no personal data, or if you can promptly restore the affected personal data from backups and there is no sign that any of it was copied out of your systems. Be careful, though: loss of access to personal data counts as a personal data breach under GDPR just as disclosure does, and many ransomware groups now steal data before encrypting it. So you need to establish the nature of a cyber attack quickly, and be mindful that breaches that involve personal or special category data and pose a risk to people’s rights and freedoms must be reported to the ICO within 72 hours of your becoming aware of them.

When things calm down from the current crisis, make sure you conduct a comprehensive review so that the lessons learned can be fed back into your organisation. It should then become part of a regular review cycle. You will then know whether your digital weak point is likely to be people, processes or technology, and you can plan your budget accordingly.