The ICO recognises the unprecedented challenges organisations are facing during the coronavirus pandemic. As the demand for home working increases, IT solutions will often be used to meet those challenges.
Data protection law does not prevent you from using them. However, you should take the time to ensure you are using them securely.
The following are quick checks that you can perform now. These do not represent a complete security solution, but will support you in identifying some of the common IT vulnerabilities that we often see exploited.
☐ We have clear policies, procedures and guidance for staff who are remote working. These include topics such as accessing, handling and disposing of personal data.
☐ We are using the most up-to-date version of our remote access solution.
☐ Our staff have been reminded to use unique and complex passwords.
☐ We have checked if multi-factor authentication is available and configured it where possible.
Bring your own device (BYOD)
There are different approaches to facilitate home working and each has its own security considerations. See our comparison to help you decide which is the best option for your organisation.
Corporate cloud storage solutions allow users to access data away from the office on any device. They can also help prevent staff from using their own personal storage or messaging services, which can present additional risks.
☐ Our cloud storage is not set to public or accessible without a username or password (or other type of authentication).
☐ Only key staff have been given full access to the storage area. All other staff have been given read, write, edit or delete permissions where appropriate.
☐ We are not using any default root or administrative accounts for any day-to-day activities, and they are appropriately secured.
For long-terms strategies consider our guidance on the use of cloud computing.
You should also consider the National Cyber Security Centre (NCSC) guidance on security within Software as a Service (SaaS).
Attackers will often try to access remote access solutions using well-known privileged accounts, such as an administrator account.
☐ Our staff, in particular our privileged users, have account lockouts in place, ie disabling the account after a certain amount of failed log ins.
☐ We have created generic usernames for our privileged accounts and disabled any built in or default administrator accounts where possible.
☐ We only allow remote access connections for staff that require it.
For long-term strategies you should consider if your remote access solution should be behind a gateway or virtual private network (VPN). Short-term fixes can be applied, for example by changing the listening port of your remote access solution, but this should only be viewed as a temporary measure.
Remote application solutions give staff access to the corporate applications they need whilst working from home. This can help prevent staff from using their own personal applications to process personal data.
☐ Our remote application solution does not allow access to Windows administrative tools such as PowerShell or Command Prompt.
☐ Our remote application solution does not allow access to shortcut keys or help keys that could be used to open non-authorised applications or features.
☐ Plain text usernames and passwords are not included in any files, folders or scripts.
For long-term strategies, as with any solution, you should look at best practices and guidance in the field. Many of the manufacturers’ best practices can be applied universally to any solution, for example server hardening and network segmentation.
As more staff will be working from home there will inevitably be an increase in email as a method of communication.
☐ We have reviewed and implemented the NCSC guidance on defending against phishing attacks.
☐ We have either blocked the ability to add forwarding rules to external email addresses or have a method in place to detect forwarding rules.
☐ We have advised staff to use corporate email solutions and not rely on their own email or messaging accounts for the storage or transmission of personal data.