This topic covers the ways in which individuals and organisations prepare for, protect themselves against, or recover from cyber threats, whether accidental or malicious.
Cyber Essentials is a UK scheme, backed by the NCSC (National Cyber Security Centre) that sets out to help organisations guard against the most common cyber threats and demonstrate their commitment to cyber security.
At a basic level there are five 'technical control areas' organisations need to be aware of.
Organisations must make sure that they have adequate:
- firewalls - secure your Internet connection
- secure configuration - securing devices and software
- user access control - controlling access to data and services
- malware protection - protecting from viruses and other malware
- patch management - keeping devices and software up to date
It is possible just to follow the guidance and implement the controls, but more usually organisations would become 'certified' (at an approximate cost of at least £300 + VAT per annum). This could help them to:
- reassure their customers that they are working to secure their IT against cyber attack
- attract new business with the promise they have cyber security measures in place
- gain a clear picture of their organisation's cyber security level
- tender for Government (and other) contracts that require Cyber Essentials certification
- reduce the number of cyber security 'assertions' they need to make when completing the NHS Data Security and Protection Toolkit (if they do so)
There is also a Cyber Essentials Plus scheme that is more rigorous.
This has all the benefits of Cyber Essentials, PLUS an organisation's cyber security is verified by independent experts (at significant additional cost, possibly several thousand pounds p.a.).
The NCSC states that defining and communicating your Board's Information Risk Regime is central to an organisation's overall cyber security policy and recommends that organisations review their regimes and nine further associated security areas to protect their businesses from the majority of cyber attacks.
The infographic below illustrates the '10 steps'.
Many of us are now working from home due to the COVID-19 'lockdown' and the situation may continue for some time. Whatever the reason for working from home, however, there are some key considerations that should be taken into account.
There is no legal obligation to have a homeworking policy, but it is good practice and if your organisation has one, you should review it regularly. Now would be a good time to ensure that your policy is suitable in the current environment and if you don't currently have one, we would recommend that one is drafted and implemented as soon as possible.
Your corporate insurance policy may cover employees working from home, but it would be advisable to check this to ensure you are fully covered.
Working from home for a prolonged period is likely to be challenging and stressful for everyone involved. Appropriate support may include guidance on how to promote mental health and wellbeing and highlighting access to appropriate online or telephone occupational health or other support services.
Health and Safety
Your obligations to protect the health, safety and welfare of your staff and the health and safety of others affected will continue.
You should assess the particular risks posed by staff working from home. Although the Health and Safety Executive (HSE) has said that there is no need for this to be done formally where homeworking is only required on a temporary basis, during a prolonged lockdown we recommend that you undertake workplace assessments. It may be possible for staff to undertake these themselves if you provide them with suitable resources to assess their workstations e.g. questionnaires and guides.
Where a staff member identifies any risks or potential health problems caused by working from home, e.g. anxiety or musculoskeletal issues, you should consider how you can support them to manage their difficulties.
Methods of keeping in touch should be established - it may be helpful to expect staff to attend remote team meetings using audio or videoconferencing.
Staff should be advised of the arrangements for notifying when they are unwell and unable to work.
Employers should ensure that staff with ongoing health difficulties/other personal issues are still able to access the appropriate support (e.g. an occupational health service or helpline) as usual.
Staff should also be reminded of IT, communications and social media policies. Consideration should be given to any aspects which need to be reinforced or varied to reflect the different methods of working.
Data Protection Compliance
The Information Commissioner's Office has issued clear guidance that data protection is not a barrier to increased and different types of homeworking, but employers will need to consider appropriate security measures.
Staff Data Protection Issues
Staff should be given clear information about the organisation's approach and expectations regarding online learning and how their personal data will be used.
Staff should also be given guidance on how to protect and look after confidential information whilst working from home.
Staff Workload Expectations
It will be helpful for employers to provide clarity on staff duties and responsibilities while working from home and ensure that the requirements are reasonable, commensurate with their usual contractual obligations and recognise the different or new way of working.
It may also be helpful to give guidance on working hours. Staff should be encouraged to take regular breaks, to ensure compliance with the Working Time Regulations and for their physical and mental well-being.
Some members of staff may have childcare and caring responsibilities and consideration may need to be given to short-term flexible working arrangements.