Every day across the UK around 1.5 million professionals work from home – more productive, happier in their role and measurably less stressed, perhaps. At the same time, however, they may be increasing the risk to sensitive business data.
Since the Government has recently given all employees the right to request flexible working, the number of home-workers and the associated information risk looks set to increase – just when the stricter EU General Data Protection Regulation (GDPR) is set to come into force on 25 May 2018.
If employers get it wrong it’s going to hurt and the pain could be worse than ever. The GDPR will have the power to impose fines of up to 4% of a company’s global turnover in the case of significant data breaches. Fines of this magnitude will dwarf the £100,000 fine imposed on a local council by the ICO for a data breach recently caused by a home-worker.
Moreover, with the GDPR’s new requirement that all organisations publically acknowledge any data breaches, reputational damage is another likely and potentially damaging consequence of lapses in information security by home-workers.
What can employers do to protect employees and their organisation’s information?
Organisations that have put a secure information management process in place that encompasses home and remote working and have educated employees who work from home accordingly will be able to prove that they have taken all necessary action to mitigate the risks to their information. This will not just count in their favour should the worst happen – it will also help to protect knowledge of competitive value, such as IP and customer data.
Iron Mountain conducted its own research to understand the scale of the issue. Less than one-fifth of European office workers surveyed claim to know what information may or may not be removed from the office, or what the company’s formal home-working policy is. Worryingly, half use personal email accounts to send or receive work documents. Others speak of a lack of a secure company intranet, or having to use their own IT equipment – suggesting that data vulnerability isn’t always down to employee carelessness. Many employers are failing to provide staff with the support and guidance they need to take care of company information while away from the workplace.
It remains clear that once out of the office, information management best practices tend to be forgotten. This may mean that they haven’t been properly instilled within the office environment either. The key is to normalise responsible information management as part of the organisation’s culture so that employees treat data with care, wherever they are and whatever they’re doing.
With a clearly structured, relevant and user-friendly information management strategy, it is possible for businesses to reduce the information risks introduced by flexible and home-working, while maintaining the benefits. Here are Iron Mountain’s tips on how to implement and action a plan for successful information security:
- Provide clear and practical policies for home-working that cover the importance of using a secure network when out of the office. Ensure such a network is in place and reliable, or employees will work around it to get the job done. Clear guidelines will help ensure compliance.
- Identify and communicate which records should never leave a secure environment. Make it difficult if not impossible for employees to work around this.
- Ensure home-working policies outline both the responsibilities of the employer as the information owner and the employee as the information handler.
- Regularly train and re-train employees on company policy and guidelines and be sure to review these frequently to ensure that practices are up to date with the latest trends.
Organisations need to understand that information management and information security starts and ends with them, not their employees. When allowing employees the opportunity to work remotely businesses need to implement an agile information management policy that can be adopted and adhered to by the entire organisation. Ultimately, education and responsibility is key to preventing a potentially devastating data breach.