Often set up in the heat of the moment, homeworking makes your company data insecure. And hackers are on the case. They could be a bigger threat to businesses than Covid-19. One group dubbed “Dark Basin” has targeted thousands including some prominent companies. But why target you?
Private detectives (think of divorce), journalists (think of juicy stories) or competitors (think of client contact lists) could all have a motive. That is leaving aside rank illegal activities such as ransom, blackmail and a competitor wiping you out.
If you need to discuss confidential staff matters, then there will be some parts of those conversations that you will want to keep within the management team; not to mention GDPR responsibilities or commercial secrets.
When I first put HR data on a computer (curiously called an Apricot) the device stood alone in a lockable office – no connection, not even to a fax line (remember those?). Data was more secure than in the filing cabinets. Today most data is accessible from anywhere in the world – including some darker areas. Even without homeworking, passwords may be your only protection.
How to protect yourself:
- Choose a reputable IT supplier*
Visit them. If they operate out of a lock-up, offer you “cheap” shortcuts and have no certification, think carefully. Remember that they will need access to your administrator’s password – potentially that means ALL your data. And if they are setting up homeworking, they could download it without you even knowing. Perhaps more to the point, anyone who hacks them could then hack you.
Restrict access to data to specific users, enabling you to keep commercial and other sensitive data private. Most probably your IT provider will need to manage those permissions for you, but you will need to monitor them. It can be a challenge, but it is especially important when your employees are remote.
- Brief your employees
From post-it notes on the desk, to laptops left on trains, employees are a huge vulnerability. The right policies are only the starting point, even if fundamental. Here are some you should have:
  - Data protection
  - Bring your own device to work (BYOD)
  - Internet and email
  - Social networking
- Consider the home environment
“Pillow talk” has sometimes been a challenge for employers who engage an employee with a spouse who may have competing interests. There are precedents for action on this. Such talk may now extend beyond the bedroom and with a visual aid to assist. It would be wise to have a discussion with any employees where there is a conflict of interest. You should establish rules so that others living with your employee do not overhear telephone conversations, are not present in the background of conference calls and are not able to access the computer via a network. “Can anyone else hear this conversation?” should become a frequent opener to discussing any confidential matter.
So security demands a very high level of trust and confidence in your employee, not least because they could come under pressure from others in the household, a coercive spouse for example. I suggest this might be a valid reason for refusing homeworking, but I am not aware that Tribunals have tested this principle. Furthermore, an employer’s assessment of the power balance in an employee’s marital relationship is not going to lend itself easily to evidence!
- Check it out
When it comes to secure technology, numerous organisations offer Cyber Essentials certification. At the first level it is mainly a checklist to complete and implement. Your own IT supplier may offer it for a few hundred pounds or you could do it yourself for a bit less – if you have the time.
- Penetration tests really test your systems. Choose the provider carefully. They are going to learn all your vulnerabilities now – and perhaps even for the future!
Nonetheless, don’t let homeworking make your data insecure.
* We use iTek in Kendal as our IT provider
Malcolm Martin FCIPD
Author Human Resource Practice
Blogs are for general guidance and are not an authoritative statement of the law.