Sunday, September 16, 2018

Day 7

Thing 4 and 6

Digital footprint & Further steps to address risks in online activity
This is a bit of a postscript because since my last blog and on doing reading for thing 6, I've become quite preoccupied with how essential our digital learning is to the range of activities social care workers are expected to perform. The skills underpin so much of what the worker is expected to do and communicate about that I am beginning to form a view that it is or should be core learning for all managers and workers, and needs to find its way into induction programs and professional training, especially so for those in small to medium projects in the voluntary sector. Although it does seem repetitive, we are working with young people who see themselves as savvy and yet make the most basic of blunders, such as sharing online bank access with friends and then finding their account emptied. Unless workers are alert to these issues and know the actions needed to minimize risk then we fail young people. Managers too must be able to take the necessary steps to protect their company from security breaches. In my last post we did a lot of work to discourage use of public wifi hot spots because of the security risk and possible data breaches which are not only upsetting but carry serious financial penalties. The accounts manager and myself double password protected as a means of ensuring that the most sensitive of data would not be breached. Spot checks on password security formed an element of the organisation's standard risk audit since as a very small charity we had to strictly manage all aspects of digital security. We put a limit on daily transactions through the bank so the Bank were alert to any suspicious online activity. We updated policies so workers became aware of the risks of using mobiles to take photographs at events and the activity was prohibited.
As promised in my previous blog, I did arrange for a 'security health check and clean up' of my computer by someone who does this for a living and was quite astonished to see how much information was accumulated through visiting different websites and search engines and how often I was agreeing to 'give data access' without thought. Not good! I have scheduled a routine cleanup and ensured that my iPhone has its current security updates and double password protection.

Thing 6 exercises bring good ideas to help with team and management responsibilities for data security

Working through the reading for thing 6, I found the section on Passwords of practical assistance and a bit of fun for everyone to do at a team session. Reading the Worst Passwords made me feel quite smug and then of course the exercise 'how strong is my password' brought me down to earth. I tested one of my passwords and found it took only 15 mins to break so thought I was back to lots of jumbled up letters etc. which always get forgotten. I wasn't sure about the notion of starting from a phrase but then could see how each individual might have phrases in their memory bank that might be a good starting point. I thought a bit about obscure poems and bits of books I had memorized over the years so think I might start with that to avoid recall issues. Again useful for the young people. Later I checked out another password created from a personal phrase substituting some letters for numbers and did rather better at 1 month to break it so will try to do this more in the future.

Not so convinced about the usefulness of services to store the information because they have such different reviews and of course these are not immune to hacking but I can see how it works for individuals. The equivalent in the workplace is paying a data security manager to take on that task on behalf of a small company and it is welcome that cyber experts from large companies can be willing to give free or subsidized time to help small charities with security issues. Useful too if the person is prepared to endorse the organisation's policies and procedures in this area ... provided of course we undertake appropriate safety checks first.
Overall I am thinking that the advice in this section ought to be incorporated into the organisation's policies on data security because it is so fundamental to the individual and the organisation. Following good P&P training by an expert or expert information, teams are able to remind each other of do's and don'ts of everyday security online. The systems put in place by the company to regulate workers' activity online should be checked at intervals as part of the quality management activity. Quarterly checks at team meetings - of passwords, permissions, settings - can be fun using the kind of exercises in Thing 6 and are not hugely time consuming. This high profile monitoring builds self regulation and greater sensitivity to safe practices for young people and workers.

I need to learn a whole lot more about settings and just take time to do checks ..... 

Having trawled through information on app permissions and content, I have to say I found the process a little disconcerting and concluded that we need to be a whole lot more careful about the permissions process and understand that if we don't want certain others to have access to certain information then we need to become much clearer about what we are signing up to. This seems to be about thinking through what the consequences may be and who and for what purpose access to data about us, ideas or service users is needed. I think the high profile Facebook episode of data being shared with & used by a third party recently brought the discussion and accountability into the public domain though may not have influenced behavior. For me it is about thinking more carefully about who we wouldn't want to have access. I definitely need to read more carefully when visiting new sites and fully appreciate the risks since I have learnt that even with the most basic apps like the calendar we risk breaching highly sensitive information by not taking time to check the permissions settings.

Increased risks present for outreach workers............

As a manager one of the recurrent themes of risk management in this area is workers engaging with service users at home or in coffee shops. Nowadays core services expect young people to conduct business online - for example benefits claims, job search, banking. Depending on individual circumstances it is common for workers to have to assist young people in these tasks sometimes using their own devices. It is essential that through supervision workers are clear about company expectations and know how to manage risk appropriately. Public wifi or hotspots are commonplace and surveys still reveal that a significant percentage of the population use these routinely, ignoring the very real security risks. All workers need to understand that this is not acceptable as it places themselves and the young person's data at risk - from hacking, malware, no encryption. Likewise work devices linked to a home network which is shared can lead to serious compromise to any data held on the device. Managers / supervisors have a professional responsibility to ensure that their workers know how to protect their clients' identity and any information stored on devices at that point - emails, personal details - through safe online connections, password protection, always ensuring that security on devices is routinely updated.
