The Physical Security Guide to Working From Home
By Rowan Barry
Apr 09, 2020
With so many people now working from home to help limit the spread of COVID-19, employers have naturally had a number of challenges to face when it comes to complying with data protection legislation.
The Information Commissioner’s Office (ICO) has released a statement around the subject of data protection and coronavirus to help business owners better understand what is expected of them during these extraordinary times.
The ICO has said that it recognises the unprecedented challenges being faced during the pandemic, and that it appreciates that information may have to be shared quickly and working processes adapted. In response to concerns raised by data controllers, the ICO has helpfully provided answers to the most common questions being asked, one of which specifically concerns working from home:
Question: More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?
ICO answer: Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.
In other words, whatever measures you employ within your business premises to protect data, you should consider for your homeworkers, although of course they would need to be reasonably practicable. Setting clear policies and issuing guidelines is vital so that staff know what to do and are aware of the risks (and penalties) involved in failing to follow security advice.
Cyber security is of course of paramount importance, but that is a subject for the IT department. What about physical security? A large number of the data breaches reported to the ICO are attributed to lost or stolen devices, demonstrating that data is at risk not just digitally, but also physically.
Loss of data is not only a major issue when it comes to ICO penalties, which can be anything up to the equivalent of 20 million Euros; it can also be devastating for a business because of the very expensive consequences of theft of intellectual property (IP theft).
So, how do you protect your business and its data during the pandemic whilst your staff are working from home? Here’s a guide to help you.
Keep conversations private
Telephone calls with clients or online meetings involving screen shares are best kept private, especially where discussions are sensitive. Whilst staff will understandably feel that close family can be trusted, there is no control over precisely who is listening in and who might inadvertently disclose something that’s seen or heard.
Make sure, therefore, that staff are advised to hold telephone or online meetings behind closed doors wherever possible.
Clear desk policy
You no doubt operate a clear desk policy in your place of work, where staff are required to lock away paperwork and devices when leaving their desks for any period of time. Generally intended to keep out prying eyes from external or even internal sources, a clear desk policy also helps to avoid theft by opportunistic visitors where workplaces are open to the public.
Extend your clear desk policy to your homeworkers. Whether it’s a desk, a kitchen table or a sofa, make sure they know the importance of stowing away whatever they’ve been working on, should they be popping out to get essentials from the local shop or taking their daily exercise, stopping for lunch or finishing up for the day.
Working from home is a very different scenario compared to the office environment. Family members, flatmates, curious children and even pets could pose a data security risk, so be sure to enforce the clear desk policy amongst all remote workers. Bear in mind also that devices and paperwork left in view of street windows are an open invitation for an opportunistic intruder.
Secure devices and paperwork
Following on from the clear desk policy, it is important that ‘stowing away’ is taken seriously. Simply stashing data-containing devices or paperwork such as confidential contracts into a drawer or under an armchair doesn’t count as secure.
Laptops, tablets, removable storage media… any data-containing device needs to be safely locked away in a fixed-down safe or at the very least a locked cabinet. Make that a rule amongst your homeworking workforce, because if there is no obvious attempt to protect data and it winds up being compromised, then your business could be in trouble with both the ICO and your insurer should you need to make a claim. It is very important to take physical security for data protection seriously.
Helpful Security Advice During the Pandemic
Whilst our showroom and offices are closed during the coronavirus lockdown, we will still be providing helpful security advice here on our blog and via our Twitter and Facebook feeds, and we are authorised to continue to provide a 24/7 emergency security service should you need us.