It might be fair to say that many email marketing companies view the Information Commissioner’s Office (ICO) with a degree of trepidation. The ICO takes evident pleasure in listing on its website the latest penalties it has imposed. It’s enough to make anyone nervous. However, it normally also lists the criteria it will use to judge you, with the implication that if you comply, then any penalty is likely to be light.
Any company holding lots of personal data, such as email marketing lists, that has been forced into remote working by the current crisis will be worried about a fine should the worst happen, not to mention the harm to the company name. To their aid comes an ICO checklist: https://ico.org.uk/for-organisations/working-from-home/working-from-home-security-checklists-for-employers/
This has two main purposes important to us:
1/ It provides an easily understood framework for companies to limit the risk of loss of data if a number of staff are working from home, and
2/ It gives clear indicators of what the ICO will check if they are considering a prosecution for a breach of regulations.
It gives general principles: you need clear policies and procedures, up-to-date processes, staff who have been told that unique and complex passwords are required, and multi-factor authentication in place. One thing not mentioned is the requirement for records showing that you have complied.
It’s fairly straightforward and only states what we all should be doing already. If you are not, you need to catch up. It then covers a number of specific subjects, and these are dealt with in some detail.
Bring your own device (BYOD) is covered, although mainly by saying there are different approaches for you to consider. It provides a handy comparison of the options: https://ico.org.uk/for-organisations/working-from-home/bring-your-own-device-what-should-we-consider/ Pick the one you think is best, and record your reasons.
Most will be a little concerned about cloud storage. There are, however, distinct advantages to having central remote storage for data, as it limits how much staff using their own devices need to store locally. The ICO also provides detailed downloadable PDF guidance on cloud storage: https://ico.org.uk/media/for-organisations/documents/1540/cloud_computing_guidance_for_organisations.pdf
The vulnerabilities of remote desktop are explained together with ways of mitigating them, such as disabling accounts after a number of failed attempts to log in. It’s all fairly basic. There are just three matters listed for you to cover.
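As an added illustration of the lockout control mentioned above (this is example code written for this post, not code from the ICO or the original author), the following Python tracker disables an account after a threshold of failed logins within a time window, re-enables it once a lock period has passed, and keeps an audit trail of lock events, which also helps with the record-keeping point raised earlier. The gateway log lines, account names, IP addresses, and the threshold, window and lock-duration values are constructed assumptions, not figures from the ICO guidance.

```python
"""Account lockout after repeated failed logins (illustrative, not ICO code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; pick your own and record why you chose them.
THRESHOLD = 5                      # failed attempts that trigger a lock
WINDOW = timedelta(minutes=15)     # failures older than this no longer count
LOCK_DURATION = timedelta(minutes=30)


class LockoutTracker:
    """Tracks failed logins per account and disables an account that
    reaches THRESHOLD failures inside WINDOW."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, lock_duration=LOCK_DURATION):
        self.threshold = threshold
        self.window = window
        self.lock_duration = lock_duration
        self.failures = defaultdict(deque)   # account -> recent failure timestamps
        self.locked_until = {}               # account -> time the lock expires
        self.audit = []                      # (time, account, event) for your records

    def is_locked(self, account, now):
        expiry = self.locked_until.get(account)
        if expiry is None:
            return False
        if now >= expiry:                    # lock has expired: re-enable the account
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def attempt(self, account, succeeded, now):
        """Record one login attempt and return what the gateway should do."""
        if self.is_locked(account, now):
            self.audit.append((now, account, "rejected: account locked"))
            return "locked"
        if succeeded:
            self.failures[account].clear()   # a good login resets the counter
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.lock_duration
            recent.clear()
            self.audit.append((now, account, "locked"))
            return "lock"
        return "fail"


def parse_event(line):
    """Parse one constructed gateway log line of the form
    '2020-05-04T09:00:00 account=alice result=FAIL src=203.0.113.5'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_text), kv["account"], kv["result"] == "OK"


# Constructed sample log: alice fails five times in two minutes, bob fails
# twice then logs in correctly, alice's good login at 09:05 is still refused,
# and her login at 09:45 succeeds because the lock has expired.
SAMPLE_LOG = """\
2020-05-04T09:00:00 account=alice result=FAIL src=203.0.113.5
2020-05-04T09:00:20 account=alice result=FAIL src=203.0.113.5
2020-05-04T09:00:41 account=bob result=FAIL src=198.51.100.7
2020-05-04T09:01:02 account=alice result=FAIL src=203.0.113.5
2020-05-04T09:01:15 account=bob result=OK src=198.51.100.7
2020-05-04T09:01:30 account=alice result=FAIL src=203.0.113.5
2020-05-04T09:01:55 account=alice result=FAIL src=203.0.113.5
2020-05-04T09:05:00 account=alice result=OK src=203.0.113.5
2020-05-04T09:45:00 account=alice result=OK src=203.0.113.5
"""


def replay(log_text=SAMPLE_LOG, tracker=None):
    """Replay log lines through the tracker; returns (account, decision) per line."""
    tracker = tracker or LockoutTracker()
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        now, account, succeeded = parse_event(line)
        decisions.append((account, tracker.attempt(account, succeeded, now)))
    return decisions


if __name__ == "__main__":
    for account, decision in replay():
        print(f"{account:6} {decision}")
```

Note that a successful login clears the failure count, and failures are only counted inside the window, so a user who mistypes a password occasionally over a day is not locked out; only a burst of failures is. The `audit` list is the kind of record the checklist does not explicitly ask for but that you will want if the ICO ever asks what happened.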
Remote applications, which give staff working from home access to the corporate applications they require, are covered under the final heading. One of the concerns is staff using their own applications to process personal data and sensitive communications. Again, there are just three matters for you to cover.
The final matter of concern is, rather ironically for us in email marketing, the expected increase in email as a method of communication both internally and externally. There’s a link to the National Cyber Security Centre’s advice on defending against phishing attacks; see https://www.ncsc.gov.uk/guidance/phishing
Despite the lifting of a few of the imposed restrictions, some form of working from home will probably be ongoing for those companies engaged in email marketing. Not only that, you might find the new systems advantageous. Take on board the ICO’s advice.