Review & Re-Assess your Data Security Risks

The chaos of Covid-19!

The outbreak of the Covid-19 pandemic, and the restrictions imposed by the UK government, saw a frantic switch by business over the last month to a reliance on remote-working facilities for staff.

The change in operational environment opened up a multitude of potential risks to data security and to compliance with legal obligations.

Now that the dust has settled a little and businesses have adjusted, it is time to review the changes that have been made and ensure that risks are mitigated as far as is practical.

Covid-19 has not changed any of the responsibilities or legal obligations you have under GDPR or contractual agreements. The following is offered as a guide to the areas in which a review should now consider potential risk:

Risk Review Check List

Access & Storage:

  • Online access to network / cloud storage secure
  • Home routers secure / complex password reset
  • Network / cloud access via two-factor authentication
  • PCs & mobile devices PIN / password / fingerprint protected
  • Passwords in use complex (has a policy been issued?)
  • Cloud storage encrypted & monitored by vendor
  • Network servers encrypted & monitored
  • Mobile devices / storage encrypted
  • Network / cloud anti-virus & malware protection
  • PCs & mobile devices anti-virus & malware protected
  • Mobile devices – remote wiping enabled
  • Business equipment restricted to business use only
  • Network servers physical security maintained
  • Hard copy data in transit – carried securely
  • Hard copy data at home – kept secure
  • Prohibited access / viewing of data by family at home
  • Adequate policy on accessing data in public
  • Adequate confidentiality policy / agreement in place
  • How secure are the online meeting platforms in use (e.g. Zoom)?
  • Are full data backups being maintained & monitored?
  • How is remote equipment being tracked / inventoried?
  • Who is responsible for recovery of unneeded equipment?
  • Have data destruction / erasure requirements been defined?
  • Have user access restrictions remained in force?

Software & Updates:

  • All software in use vendor supported (e.g. Windows 7 not in use)
  • Software updates / security patches applied immediately
  • All devices receiving updates – monitored / controlled
  • Unrequired / unsupported software removed

Data Sharing:

  • Is there a policy on how staff should securely share data?
  • Is staff private e-mail sufficiently secure / permitted?
  • Adequate restrictions on data sharing via social media
  • Restricted use of online meeting forums for data sharing
  • Adequate policy defining data classifications & security in handling
  • Adequate restriction on sharing of staff general medical information
  • Planned & compliant infection notifications to staff
  • Adequate staff awareness of vishing / phishing / smishing
  • Is document / change control being adequately managed?

Resource & Furloughing:

Has furloughing / laying off of staff left gaps in the resource focused on Data Protection & Security?

  • Sufficient IT resource to support staff & infrastructure
  • Sufficient IT resource to maintain data security
  • Adequate key-holder response to site alarms / issues
  • Legal requirements for a named DPO still covered
  • Who is now responsible for Data Protection / Security?
  • Who now handles Data Subject Access Requests?
  • How are staff warned / reminded of data security threats?
  • Have you planned cover for key staff sickness?
  • Is there a planned backup for key suppliers / contractors?
  • Is effective phone call redirection / routing in place?
  • How long can homeworking be sustained?
  • Is homeworking sufficiently productive / efficient / accurate?

Legal & Contractual:

  • Is your Privacy Policy / Notice still accurate & relevant?
  • Do Data Security Policies adequately cover homeworking?
  • Do staff contracts adequately cover homeworking?
  • Does homeworking breach customer contractual agreements?
  • Are certifications still valid (e.g. Cyber Essentials / ISO 27001)?
  • Would you now be able to detect / report a data breach?

Please contact me if you need guidance or support:

martin@aversus.co.uk
