The IT and comms issues when working from home
News from device security company Kaspersky in September - that almost a quarter of corporate computing and smartphone devices could be “unprotected” - is a warning for any type of organisation, charities included, that its data and information are at risk whether staff work from home (WFH), in the office or anywhere in between.
Then there are personal devices to consider. The survey showed that many workers access workplace systems from their personal devices. For example, 57% use their own smartphone to check work email, and 36% use their laptop or desktop for work.
The conclusion by IT news and insights publisher TechRadar was, “Your work PC could be the biggest security threat in your home”, adding, later, “Using your personal phone for work could be a terrible mistake”. More later in this article on these security risks for charities.
Perhaps unsurprisingly, Kaspersky found that personal devices are even less likely to be protected than employer-supplied equipment. Almost half - 47% - of personal smartphones and 43% of tablets lack antivirus software, and 31% of users have never thought about making their phone more secure with antivirus software. 21% think their phone can’t be hacked.
I suggest we can be sure that working from home is more “here to stay” in the months, and possibly years, ahead, than it was prior to the COVID-19 pandemic. With that in mind, let’s run through the issues arising from WFH some or a majority of the time.
For charity employers in particular, there is the dimension of explaining to affected workers that the range of IT and comms measures to be adopted are in the interests of the charity and the people it seeks to benefit in that the measures are designed ultimately to protect the charity’s ability to undertake its role effectively. Thus they should be seen in a positive light by those working from home.
Trust and performance
There needs to be a degree of trust in employees actually doing their work. This may already be underwritten by the extra commitment that charity staff have to their work and so trust may be well established anyway. If not, staff can be monitored via online tools about when they are working, and their performance assessed. At a basic level, requesting from them a weekly report of work completed can be useful.
All of this should be put within the context of the charity appreciating and supporting their employees to the charity’s benefit.
Online performance tools enable charity employers to set targets for when projects should be completed by, and to manage regular performance reviews [or appraisals] which can be used as steps towards individuals’ annual appraisals. The tools can include absence tracking and be used to identify individuals who are better suited to a different job or task in the charity, a positive rather than a negative aspect.
It should be explained that online performance tools can also be used to support team morale and purpose, and personal development programmes, and help identify any staff who are suffering from working alone or in unsuitable conditions such as a noisy or crowded home environment.
Face-to-face virtual meetings can be held, free of charge, via Zoom, Skype, Google Meet and suchlike, to reinforce team bonding/learning/reviews and trust. All within the environment within which one would expect a charity’s workforce to operate.
Internet links
Some staff will be using their own wired broadband connection, others a 3G or 4G/5G network signal from their provider. Wired broadband, if used with a quality router that updates itself with security updates, comes with a high level of security thanks to the firewall aspects of the router.
Employees who WFH may not want to use their own network supplier, especially if it has a data limit. The charity could top it up or provide a dedicated, work-only data bundle. Bundles, with or without new phones, can be rented in 30-day or longer term blocks. Another option is to buy or rent (again, in 30-day or longer term blocks) a mobile router, a MiFi personal hotspot, allowing an employee to use their own phone for work but via this password-protected, secure device, which comes with its own data SIM card.
Another advantage is that the MiFi can be shared with other staff if they’re living together/sharing accommodation, or wish to work at times in a coffee shop or other location. In such cases a personal, private hotspot is the only alternative to a vulnerable and perhaps over-used [resulting in slow speeds] free Wi-Fi hotspot. Even paid-for Wi-Fi is a security risk, because numbers of people will know its password, posing a security threat to all users of the hotspot.
A combination of data bundles and a MiFi can enable a charity to move to downsized or upsized offices without the usual commitment to, and costs associated with, landline broadband connection and the risk of delays in getting it.
Data and IT devices
As noted earlier, security of computing equipment and smartphones is a prime issue that will need addressing. TechRadar’s warning - “Using your personal phone for work could be a terrible mistake”, in September, was stark, and included “…apps on your phone could be used as a stepping-stone into corporate networks” - because they can be open to being hacked.
Since the pandemic started, security professionals have flagged personal computers, tablets and smartphones as weak spots that must be strengthened if those devices are used for work. Keeping track of employees who use their own devices, and ensuring the devices are well protected by antivirus, anti-malware and anti-spyware software – and good “surfing” habits - is one thing. Doing the same for freelance workers is another, but they too must conform to a charity’s IT security and work practice requirements.
There is also the situation of volunteers who, for whatever reason, may have to access a charity’s systems using their own devices.
Purchasing new or refurbished devices for WFH staff will eat into charities’ bank balances. An alternative is renting any number of different devices, in any configuration, on short term or longer-term rent.
Data backup is a vitally important area that must not be overlooked. Backing up on drives or USB sticks at home is useful, but should be carried out in parallel with backing up online in case the drives or sticks get damaged, lost or stolen. There are many online backup options to choose from, some with free offerings.
Backing up at the end of each working day is a discipline, but less so if it’s scheduled by the home worker to happen automatically at pre-determined times. The charity can liaise with employees about this, to ensure it happens and therefore removes one level of data security concerns.
Real-time backing up to a drive, stick or cloud storage is another option.
IT in the cloud
Backing up by WFH staff or freelance workers need not be necessary if the charity they are working for has its IT in the cloud. In that case they will be accessing their work remotely, using their device as their work access device, because data processing - their work - will be happening in the cloud, where it will be subjected to strict backup regimes that the staff or freelances need not be concerned with.
Preferably, from a data security point of view, the hardware at home will be set up in such a way that it can’t process anything itself. That will greatly reduce, or stop entirely, the risk of an infection, thereby safeguarding the charity’s IT from being contaminated.
That IT will be protected by the latest antivirus, anti-malware and anti-spyware software supplied through the cloud services provider. If a charity is using a hybrid IT system – part cloud, part its own system - vigilance must be maintained. If it’s using its own cloud solution [a private cloud solution on its own servers] vigilance must be doubled.
Follow the guidance above for protecting data in care and wellbeing situations. Data relating to fundraising, including taking donations by credit or debit card, requires extra vigilance, as do card details being inputted into a home worker's computer and stored on a charity’s own private cloud server.
If a charity’s employees and freelances are to use their smartphones for some of their work, they could safeguard the use of its number - separating it from business use - by using a VoIP-based phone app that allows the charity to give their workers a different phone number to use. It can be a number with a “landline” and professional look, for example a number with a dialling code that’s local to the charity. Apps like that allow a lot of free calls to be made and can be used anywhere. The work number stays the same regardless of location.
Credit/debit card data
Storage, backup and archiving of credit card data requires careful attention. For the storage of cardholder data, rendering a card’s account number unreadable, or as close to that as possible, is essential. Strong cryptography is highly recommended. Regularly back data up to secure cloud storage solutions and to external hard drives that are held in secure locations.
Those steps are among standards laid down by the PCI Security Standards Council (PCI). If your charity stores and backs up personal credit/debit card data, it should comply with the PCI’s standards.
Create and implement a policy that addresses how to best handle card data, if your charity hasn’t already done so. If it has, ensure it complies with the PCI standards. You might want to implement a system that uses unique employee PINs to track sales and refunds - and train your staff in the proper handling of credit card transactions, and what to be aware of in potential fraud situations.
Freelance workers and volunteers must absolutely not be overlooked in any move to improve data and device security. No more backing up on USB sticks and leaving them lying around shared living accommodation and/or shared workspaces!
Trend to freelance
Across the board, some employees are becoming self-employed – freelance - as cutbacks bite. They will need to be apprised of the full gamut of security risks and how to address them, if they have not already been.
By following steps that are appropriate to their size and financial situation, charities can reduce to a minimum the risks posed by the use of personal computing devices, smartphones included, for work.