PROTECTING DEVICES
As well as good passwords and backups, how else can devices that we use to store or access people’s information be protected?
Laptops, tablets and smart phones are particularly vulnerable to being lost or stolen. They need to be made secure, so that if this happens, your information about people doesn’t get into the wrong hands. And that includes when people use their own devices such as their own smartphone to access people’s data. Are those devices safe?
ENCRYPTION
9.5.2 Are all laptops and tablets or removable devices that hold or allow access to personal data, encrypted?
PASSWORDS
4.5.4 How does your organisation make sure that staff, directors, trustees and volunteers use good password practice?
9.1.1 Does your organisation make sure that the passwords of all networking components, such as a wifi router, have been changed from their original passwords?
THE FOLLOWING SHOWS YOU WHAT YOU NEED TO HAVE IN PLACE: UNLOCK PASSWORD OR PIN
Make sure you set up something on each PC, laptop, tablet and smartphone
Set a screenlock password or PIN. Make sure these are hard to guess, and change them from the one the device came with. Or use another authentication method (such as fingerprint or face unlock).
Something you might want to consider is encryption – although this depends on a combination of the device and the systems that you use on it. For instance, if the device is only used as a ‘portal’ to reach a care system which is online, then it may not be necessary. But if information is stored on the device itself or if it is used for email, then it should be encrypted.
Encryption is a way of making the information held on the device unreadable unless you have the key to decode it. Most modern devices, smartphones for example, have encryption built in, but the encryption may still need to be turned on and set up, so you need to check this – or get technical advice.
You can set encryption up on a memory stick.
Make sure that your office equipment (so laptops and PCs) all use an encryption product (such as BitLocker for Windows) using a Trusted Platform Module (TPM) with a PIN, or FileVault (on macOS) in order to start up. Once you have this the laptop or PC then cannot be broken into if stolen.
If you have got encryption set up, make sure it’s switched on.
ENCRYPTION FOR MOBILE PHONES/TABLETS ANDROID
How do I know if my iPhone is encrypted? If the password is active, it should already be encrypted.
If you want to check your device is encrypted
- Apple support guidance on setting passwords:
https://support.apple.com/en-gb/guide/iphone/iph14a867ae/15.0/ios/15.0
Samsung Galaxy security guidance video (also covers different lock methods, Find My Mobile, Updating the operating system, Samsung Pass, Secure folder, then shows how to encrypt your SD card)
https://www.samsung.com/uk/support/mobile-devices/how-to-use-security-settings/
For more information, email dataprotection@hcpa.co.uk or phone 01707 708018
ENCRYPTION FOR LAPTOPS AND PCS
BitLocker encryption (only available for Enterprise, Education or Pro versions)
Microsoft Support guidance as to how to manage BitLocker encryption:
https://support.microsoft.com/en-us/windows/device-encryption-in-windows-ad5dcf4b-dbe0-2331-228f-7925c2a3012d
Video how-to guide here on:
https://www.youtube.com/watch?v=JcK42fIfjS4
FileVault support guide:
https://support.apple.com/en-bh/guide/mac-help/mh11785/12.0/mac/12.0
for startup disk:
https://support.apple.com/en-us/HT204837
PASSWORDS
Passwords - when implemented correctly - are a free, easy and effective way to prevent unauthorised users accessing your information. In recent research with providers, passwords came up as a key area of risk. Do you recognise any of your passwords above?
These are the 20 most commonly used as of 2019 – and therefore the most easily hacked. AVOID USING THESE!
Examples of bad practice the research found:
Laptop username and passwords were written on a post-it note underneath the laptop
Usernames and passwords shared between everyone/groups of people. NEVER SHARE PASSWORDS
The same password was used for multiple accounts. Once hackers have guessed one, this gives them access to everything
Frequent changes of password forced onto people automatically by the IT system – THIS SHOULD NO LONGER BE A PRACTICE PEOPLE USE
LATEST GUIDANCE FOR PASSWORDS FROM THE...
Make sure passwords are ‘switched on’. This ensures you have a level of encryption in place.
Don’t force regular password changes.
This used to be good practice, however this has now changed. People are much more likely to write down their passwords if they change frequently, so it is more risky. Staff will forget passwords, so make sure they can reset their own passwords easily.
Only change passwords if you suspect they’ve been compromised
Consider using password manager software. It is a tool that can create and store passwords for you that you access via a 'master' password.
Useful if you’ve got lots of passwords to remember
Use two-factor authentication if possible. It adds a large amount of security for not much extra effort. 2FA requires two different methods to 'prove' your identity before you can use a service, generally a password plus one other method e.g. a smart token or a code that is sent to your smartphone (or a code that's generated from a bank's card reader) that you must enter in addition to your password.
Make sure all ‘default’ passwords are changed, including on your Wi-Fi router. One of the most common mistakes is not changing the manufacturers' passwords that smartphones, laptops, and other types of equipment are issued with. Change all default passwords before devices are distributed to staff. You should also regularly check devices (and software) specifically to detect unchanged default passwords. The toolkit specifically asks about networking equipment e.g. wifi routers. Get technical support if you’re unsure about this.
Train staff – very important!
STAFF TRAINING – KEY POINTS
Highlight the risks involved in:
• using commonly used passwords
• using the same passwords across home and work accounts
Emphasise the importance of avoiding personal information (such as names, dates, and sports teams)
Use three random words to help create less predictable passwords:
• E.g. chocolatetelephonepluto
• E.g. super1shelfvillage6
• But not onetwothree
• But not applebananapear
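The key points above can be turned into an automated check. The following is an added example, not part of the original guidance: it flags commonly used passwords, personal information and word choices that all come from one obvious set, and generates a three-random-word password with a secure random source. The word lists, the personal details in the test data and all function names are constructed for illustration.

```python
import secrets

# Constructed sample lists for illustration; a real deployment would load a
# published common-password list and a wordlist of several thousand words.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "abc123"}
PREDICTABLE_SETS = {
    "number words": {"one", "two", "three", "four", "five", "six"},
    "fruit": {"apple", "banana", "pear", "orange", "grape"},
}
WORDLIST = ["chocolate", "telephone", "pluto", "shelf", "village", "super",
            "lantern", "pebble", "harbour", "violin", "carpet", "meadow"]


def made_only_of(text, words):
    """True if text can be split entirely into words from the given set."""
    if not text:
        return True
    return any(text.startswith(w) and made_only_of(text[len(w):], words)
               for w in words)


def check_password(password, personal_info=()):
    """Return the reasons a password breaks the guidance (empty list = OK)."""
    lowered = password.lower()
    letters = "".join(c for c in lowered if c.isalpha())
    problems = []
    if lowered in COMMON_PASSWORDS:
        problems.append("commonly used password")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")
    for label, words in PREDICTABLE_SETS.items():
        # Digits are ignored here so "one1two2three" is still caught.
        if letters and made_only_of(letters, words):
            problems.append(f"words all come from one obvious set: {label}")
    return problems


def three_random_words(wordlist=WORDLIST):
    """Pick three distinct words using a cryptographically secure RNG."""
    while True:
        chosen = [secrets.choice(wordlist) for _ in range(3)]
        candidate = "".join(chosen)
        if len(set(chosen)) == 3 and not check_password(candidate):
            return candidate
```

With a 12-word list the generated passwords are far too guessable; the generator only becomes useful once WORDLIST holds thousands of words.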
PASSWORDS
Be creative and use words memorable to you, so that people can’t guess your password. Your social media accounts can give away vital clues about yourself so don’t use words such as your child’s name or favourite sports team, which are easy for people to guess.
PASSWORD STRENGTH CHECKER (OPEN UNIVERSITY)
You can check how effective your password is here:
https://www2.open.ac.uk/openlearn/password_check/index.html
FURTHER INFORMATION AND GUIDANCE
click on links below
Digital Social Care
FREE LOCAL HELP IN EAST OF ENGLAND
BEDFORDSHIRE – CENTRAL BEDFORDSHIRE COUNCIL
Bedfordshire Care Group
https://dspt.bedscaregroupltd.co.uk/
SCHHServiceDevelopment@centralbedfordshire.gov.uk
CAMBRIDGESHIRE AND PETERBOROUGH
The Care Alliance (Cambridgeshire, Northamptonshire and Peterborough)
www.thecarealliancecnp.co.uk
admin@thecarealliancecnp.co.uk
07831597711
HERTFORDSHIRE, ESSEX, THURROCK AND SOUTHEND
Hertfordshire Care Providers Association*
https://www.hcpa.info/data-protection/
DataProtection@HCPA.co.uk
01707 708 018
NORFOLK
Norfolk & Suffolk Care Support Ltd
https://norfolkandsuffolkcaresupport.co.uk/bsbc
helpdesk@norfolkandsuffolkcaresupport.co.uk
01603 629211
SUFFOLK
Suffolk Association of Independent Care Providers
www.saicp.org.uk
admin@saicp.org.uk
07949 381686