This month is European Cyber Security Month (ECSM), the EU’s annual campaign promoting digital security and providing training and guidance on staying safe online. Hundreds of organisations from Europe and beyond are participating in the campaign, including a number of UK businesses.
One of the main themes of ECSM this year is how to be cyber-secure at home. As an increasing number of staff are working from home, educating them on how to protect themselves from cyber-attacks is becoming more important than ever. The National Cyber Security Centre estimates that half of all UK SMEs have experienced a cyber security breach at some point, and these breaches can lead to serious financial, reputational and legal implications for your business.
This blog explains how you can protect your staff and business from cyber-security risks while staff are working at home, and provides links to relevant HR and IT policies.
How to keep staff cyber-secure at home
We’ve set out below six key steps for minimising the cyber-security risk to your business when staff are working remotely.
1. Have appropriate policies and procedures in place
You’re not under a strict legal requirement to have specific cyber-security or remote working policies in place, but it’s best practice to set appropriate policies and procedures for staff to follow when working from home. Having clear guidelines in place helps to minimise the risk of data breaches, ensures business information and personal data are kept securely, and helps you and your staff comply with your legal obligations.
Recommended policies include:
- A working from home policy, which sets out your expectations of staff while they are working at home, including in relation to data security and confidentiality;
- An IT, communications and social media policy, which describes your business’s security requirements for staff using IT equipment (eg in relation to installing software and password strength);
- A data protection policy, setting out staff duties to ensure that personal data is handled safely and securely;
- A bring your own device policy, to assist staff with security rules around using their own devices for work and keep third party data secure; and
- A personal data breach policy, to help ensure that your business complies with its data protection obligations if a cyber attack leads to a data breach. It also includes steps your business should take to prevent these types of breaches occurring.
Our Remote working and cybersecurity toolkit includes all of these policies along with guidance on how to use them.
2. Check the security of your remote working systems
Steps you can take to improve the security of your systems and protect your staff and business from cyber attacks include:
- ensuring your systems have up-to-date security patches and firewalls, and can handle appropriate levels of traffic;
- checking with staff that they keep their devices and apps updated and have appropriate anti-virus software installed;
- switching on internet gateways to prevent staff from accessing insecure websites, apps or other online services;
- controlling the use of USB drives and memory cards (eg only permitting staff to use them on approved drives on business devices); and
- ensuring that remote devices have encryption and password protection turned on, and that you know how to remotely lock access to and/or erase or retrieve data stored on them.
3. Back up your data
Back-ups are crucial for ensuring that your data is not lost or held to ransom in the event of a cyber attack. Make sure staff back up their work regularly in a secure way (eg access to back-ups may be restricted to certain individuals only and/or back-ups may be kept on a separate device).
Cloud services are an efficient and cost-effective way of backing up data, but should not be used as your only back-up. For more guidance on outsourcing personal data storage to the cloud, see our Q&A on Secure data storage.
4. Train staff on IT practices
Providing appropriate training helps your staff to protect themselves better online. It’s a good idea to train staff on issues such as:
- how to be alert for cyber attacks (such as what a phishing email or other types of scam may look like);
- what to do and who to report to if they believe they have been subject to a cyber attack;
- how to use strong passwords (and/or two-factor authentication where possible); and
- what your business’s security procedures and policies are.
You should make sure staff know what to do if there is a personal data breach, as your business has specific legal obligations under the UK GDPR if this happens (eg you may need to notify the Information Commissioner’s Office (ICO) within 72 hours). You can find further guidance on what to do in the event of a data breach in our Q&A on Data breaches.
5. Consider cyber insurance
Depending on the nature of your business, it may be appropriate for you to take out a cyber insurance policy to protect your business from cyber threats. You can find more information on cyber insurance through the Association of British Insurers.
6. Test and evaluate your security
You should test and evaluate your security measures regularly. Ensure you document your results and act on any shortcomings that are found. You may wish to consider signing up to the free Action Fraud Alert Service to receive updates about cyber scams and fraud in your area.
Marion joined Sparqa Legal as a Senior Legal Editor in 2018. She previously worked as a corporate/commercial lawyer for five years at one of New Zealand’s leading law firms, Kensington Swan (now Dentons Kensington Swan), and as an in-house legal consultant for a UK tech company. Marion regularly writes for Sparqa’s blog, contributing across its commercial, IP and health and safety law content.