2022 - Protecting Data In a Post-Pandemic Workplace

Information security carries one of the highest risks to organisations for fines and litigation in the event of a breach, so managing this area takes a lot of time, resources, and long-term strategy.

Enter pandemic-inspired lockdowns and the requirement to make overnight decisions. Balancing the need to move quickly with the necessity to act strategically has not been easy for organisations, and has resulted in breaches of a relatively new nature.

In this month’s blog, we will examine 4 areas where organisations fall foul under challenging circumstances, and look at how breaches can be avoided in future.

1. Screen Sharing on Video Calls/Meetings

Video conferencing platforms such as Zoom and Teams truly came into their own during lockdown. One wonderfully useful function they offer is ‘screen-sharing’, giving hosts the ability to show all call participants the content of their PC or laptop screen, usually for presentation purposes or training.

However, issues can arise, and have arisen, when a call participant inadvertently shares confidential information while screen-sharing. It could be as simple as ‘Alt-Tabbing’ through screens in search of something, and landing on an open email or confidential letter in progress. It could even be the act of flicking to a different screen to continue work while the meeting is in progress, forgetting to close down the sharing function first.

It can take only a few seconds for data to be seen (and even recorded via screenshot) by persons for whom it was never intended.

2. Using Standard Email for Bulk Communications

Many organisations moved to email marketing systems such as Salesforce and Mailchimp to replace face-to-face interactions, but not everyone was in a position to move so quickly, and indeed, many didn’t have room in their budgets for such services.

As a result, some organisations moved to using standard email to keep in touch. Issues arose when it came to bulk emailing – sending the same message to multiple recipients at once.

Using the BCC (blind carbon copy) option is effective for bulk emailing without revealing who else has been sent the email, or their details. However, it does not sufficiently protect against human error, such as pasting the email addresses into the CC (carbon copy) section, by accident or through lack of knowledge, revealing all recipients’ names and email addresses.

Using the BCC option for bulk emailing is not considered data protection compliant, and use of it would result in penalties if found under investigation to be at the root of a data breach.

3. Using Untested Software

The fast-moving nature of the pandemic often called for making decisions in haste, moving very quickly, and effectively making things up as we went along! An issue arising from this need for speed was the adoption of software systems that hadn’t been fully tested before implementation, either for their functionality or their suitability.

Problems can occur where software is unreliable, prone to crashes, or carries a level of security (e.g. firewalls and malware protection) far below that needed for the type of data handled by it.

It can also cause complications with regard to how the software is used, and who is using it, which brings us nicely to our fourth point…

4. Access & Permissions

Software and systems shared with multiple employees should be tailored to give appropriate access and permissions to those who need it, and secure and reliable restrictions for those who don’t.

An issue arising from moving too quickly with new systems and software is failure to set up appropriate access, permissions and restrictions, potentially resulting in employees gaining access to information they don’t have the authority to see or handle.

How To Avoid Data Breaches and Fines

If a breach is serious, it can result in litigation and an investigation by the Information Commissioner’s Office (ICO). The ICO will investigate the measures that were in place, prior to the breach, to ascertain whether or not the organisation did everything possible to protect against such an event. This can make a world of difference when it comes to the matter of fines.

So what steps should an organisation take to protect against breaches at a time when so many of us feel like we have been on a professional back foot for almost 3 years?

Update your Policies

Ensure that your Data Protection Policies are fully up to date, especially in the wake of any moves to new procedures or systems as a result of the lockdowns. They should be clear, easy to access and well communicated to all employees.

Focus On Your Training

Sufficient training should be provided for employees on handling confidential information and managing personal data, and any training received should be documented, signed and dated by both the employer and employee. This includes secure use of, and conduct on, video conferencing calls (e.g. simple guidance such as closing down all other work projects or software while screen sharing). Training refreshers should ideally take place annually, or in the event of any changes. And it should go without saying that it is essential that employees complete training prior to being given access to confidential data.

Use Dedicated Communication Systems

As mentioned above, the use of BCC for bulk emails would not be considered data protection compliant by the ICO in the event of a breach. It is safer to use a dedicated email marketing service or a content management system. Many of these services offer free options for organisations with smaller contact lists, making them accessible to those with limited budgets.

Test All New Software

All new software must be tested for its levels of security, functionality and suitability to the needs of the organisation. For smaller organisations without an IT department, it is worthwhile employing the services of a professional IT company to carry out these tests. As tempting as it might be to rush ahead and get started with the first appealing option found, all testing should be complete before implementation, as it can be incredibly hard or even impossible to go backwards later with many types of software.

As with so many areas of Employment Law, this can be a tricky area to navigate. If you need assistance or support with managing your data protection strategies, please do not hesitate to get in touch.