ENCRYPTION AND PASSWORDS
As well as good passwords and backups, how else can devices that we use to store or access people’s information be protected?
Laptops, tablets and smart phones are particularly vulnerable to being lost or stolen. They need to be made secure, so that if this happens, your information about people doesn’t get into the wrong hands. And that includes when people use their own devices such as their own smartphone to access people’s data. Are those devices safe?

ENCRYPTION
9.5.2 Are all laptops and tablets or removable devices that hold or allow access to personal data, encrypted?
PASSWORDS
4.5.4 How does your organisation make sure that staff, directors, trustees and volunteers use good password practice?
9.1.1 Does your organisation make sure that the passwords of all networking components, such as a wifi router, have been changed from their original passwords?

Make sure you set up something on each PC, laptop, tablet and smartphone. Set a screenlock password or PIN. Make sure these are hard to guess, and change them from the one the device came with. Or use another authentication method (such as fingerprint or face unlock).
Something you might want to consider is encryption – although this depends on a combination of the device and the systems that you use on it. For instance, if the device is only used as a ‘portal’ to reach a care system which is online, then it may not be necessary. But if information is stored on the device itself or if it is used for email, then it should be encrypted.
Encryption is a way of making the information held on the device unreadable unless you have the key to decode it. Most modern devices, smartphones for example, have encryption built in, but the encryption may still need to be turned on and set up, so you need to check this – or get technical advice.
You can set encryption up on a memory stick.
Make sure that your office equipment (laptops and PCs) all uses an encryption product that is needed in order to start up, such as BitLocker for Windows using a Trusted Platform Module (TPM) with a PIN, or FileVault on macOS. Once you have this, the laptop or PC cannot be broken into if stolen.
If you have got encryption set up, make sure it’s switched on.
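One way to check that encryption is switched on across several devices, as an added example that is not part of the original guidance. The Python below reads the text printed by the commands manage-bde -status C: (Windows) and fdesetup status (macOS) and lists what is missing on each device. The device names and the captured outputs are constructed samples.

```python
import re

# Constructed sample output, in the layout printed by `manage-bde -status C:`
# (Windows) and `fdesetup status` (macOS). Device names are made up.
CAPTURED = {
    "office-laptop-1": """Volume C: [OS]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Key Protectors:
        TPM And PIN
        Numerical Password
""",
    "office-laptop-2": """Volume C: [OS]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off
    Key Protectors:
        TPM
""",
    "office-pc-3": """Volume C: [OS]
    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off
    Key Protectors:       None Found
""",
    "manager-macbook": "FileVault is On.\n",
}

def assess(output):
    """Return a list of findings for one device; an empty list means it passes."""
    if "FileVault is" in output:
        return [] if "FileVault is On" in output else ["FileVault is switched off"]
    findings = []
    status = re.search(r"Conversion Status:\s*(.+)", output)
    if not status or status.group(1).strip() != "Fully Encrypted":
        findings.append("disk is not fully encrypted")
    if not re.search(r"Protection Status:\s*Protection On", output):
        findings.append("BitLocker protection is switched off")
    if not re.search(r"^\s*TPM And PIN\s*$", output, re.MULTILINE):
        findings.append("no TPM And PIN protector, so no PIN is asked for at start-up")
    return findings

def audit(captured):
    return {name: assess(text) for name, text in captured.items()}

if __name__ == "__main__":
    for name, findings in audit(CAPTURED).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The second laptop shows the case the guidance warns about: the disk is encrypted, but protection has been switched off, so the encryption gives no protection until it is switched back on.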
ENCRYPTION FOR MOBILE PHONES/TABLETS
APPLE
(IOS)
How do I know if my iPhone is encrypted? If the password is active, it should already be encrypted.
If you want to check your device is encrypted - Apple support guidance on setting passwords:
https://support.apple.com/en-gb/guide/iphone/iph14a867ae/15.0/ios/15.0

ANDROID
(e.g. Samsung)
Samsung Galaxy security guidance video (also covers different lock methods, Find My Mobile, Updating the operating system, Samsung Pass, Secure folder, then shows how to encrypt your SD card)
https://www.samsung.com/uk/support/mobile-devices/how-to-use-security-settings/
Microsoft Support guidance for BitLocker Device Encryption and BitLocker Drive Encryption (advanced encryption available for Pro and Enterprise editions of Windows):
https://support.microsoft.com/en-us/windows/bitlocker-overview-44c0c61c-989d-4a69-8822-b95cd49b1bbf
Video how-to guide for BitLocker drive encryption: https://www.youtube.com/watch?v=JcK42fIfjS4
FileVault support guide:
https://support.apple.com/en-bh/guide/mac-help/mh11785/12.0/mac/12.0
For startup disk:
https://support.apple.com/en-us/HT204837
PASSWORDS

Passwords - when implemented correctly - are a free, easy and effective way to prevent unauthorised users accessing your information. In recent research with providers, passwords came up as a key area of risk. Do you recognise any of your passwords above?
These are the 20 most commonly used as of 2019 – and therefore the most easily hacked. AVOID USING THESE!

Examples of bad practice the research found:
Laptop username and passwords were written on a post-it note underneath the laptop
Usernames and passwords shared between everyone/groups of people. NEVER SHARE PASSWORDS
The same password was used for multiple accounts. Once hackers have guessed one, this gives them access to everything
Frequent changes of password forced onto people automatically by the IT system – THIS SHOULD NO LONGER BE A PRACTICE PEOPLE USE
LATEST GUIDANCE FOR PASSWORDS FROM THE...

Make sure passwords are ‘switched on’. This ensures you have a level of encryption in place.
Don’t force regular password changes.
This used to be good practice, but this has now changed. People are much more likely to write down their passwords if they change frequently, which is therefore more risky. Staff will forget passwords, so make sure they can reset their own.
Only change passwords if you suspect they’ve been compromised
Consider using password manager software. It is a tool that can create and store passwords for you, which you access via a 'master' password. Useful if you’ve got lots of passwords to remember.
Use two-factor authentication if possible. It adds a large amount of security for not much extra effort. 2FA requires two different methods to 'prove' your identity before you can use a service, generally a password plus one other method, e.g. a smart token or a code that is sent to your smartphone (or a code that's generated from a bank's card reader) that you must enter in addition to your password.
Make sure all ‘default’ passwords are changed, including on your Wi-fi router. One of the most common mistakes is not changing the manufacturers' passwords that smartphones, laptops, and other types of equipment are issued with. Change all default passwords before devices are distributed to staff. You should also regularly check devices (and software) specifically to detect unchanged default passwords. The toolkit specifically asks about networking equipment e.g. wifi routers. Get technical support if you’re unsure about this.
Train staff – very important!
Highlight the risks involved in:
• using commonly used passwords
• using the same passwords across home and work accounts
Emphasise the importance of avoiding personal information (such as names, dates, and sports teams)
Use three random words to help create less predictable passwords:
• E.g. chocolatetelephonepluto
• E.g. super1shelfvillage6
• But not onetwothree
• But not applebananapear
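The password guidance above, turned into a check that a sign-up or reset form could run, as an added example that is not part of the original guidance. The word list, the short lists of common and default passwords, and the function names are constructed for illustration; the page's own list of 20 common passwords is not reproduced here.

```python
import secrets

# Constructed sample data. In practice use a large word list and a published
# list of breached passwords; these few entries only make the example run.
WORDS = ["chocolate", "telephone", "pluto", "shelf", "village", "super", "lantern",
         "pebble", "harbour", "violin", "cactus", "marble", "rocket", "meadow"]
COMMON = {"123456", "password", "qwerty", "111111", "abc123"}
DEFAULTS = {"admin", "changeme", "0000"}           # passwords devices ship with
PREDICTABLE = {"onetwothree", "applebananapear"}   # the page's 'but not' examples

def three_random_words(words=WORDS):
    """Pick three different words with a cryptographic random source."""
    pool = list(words)
    picked = []
    for _ in range(3):
        picked.append(pool.pop(secrets.randbelow(len(pool))))
    return "".join(picked)

def problems(password, personal=(), other_accounts=()):
    """Return the reasons a password breaks the guidance; empty means acceptable."""
    p = password.lower()
    found = []
    if p in COMMON:
        found.append("commonly used password")
    if p in DEFAULTS:
        found.append("default password not changed")
    if p in PREDICTABLE:
        found.append("predictable word sequence")
    if any(item.lower() in p for item in personal if item):
        found.append("contains personal information")
    if password in other_accounts:
        found.append("already used on another account")
    return found
```

Because the words are drawn at random rather than chosen by a person, the generator avoids related or sequential words such as the two 'but not' examples.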

PASSWORDS
Be creative and use words memorable to you, so that people can’t guess your password. Your social media accounts can give away vital clues about yourself so don’t use words such as your child’s name or favourite sports team, which are easy for people to guess.
PASSWORD STRENGTH CHECKER (OPEN UNIVERSITY)
You can check how effective your password is here: https://www2.open.ac.uk/openlearn/password_check/index.html

FREE LOCAL HELP IN EAST OF ENGLAND

BEDFORDSHIRE – CENTRAL BEDFORDSHIRE COUNCIL
Bedfordshire Care Group
https://dspt.bedscaregroupltd.co.uk/
SCHHServiceDevelopment@centralbedfordshire.gov.uk
CAMBRIDGESHIRE AND PETERBOROUGH
The Care Alliance (Cambridgeshire, Northamptonshire and Peterborough)
www.thecarealliancecnp.co.uk
admin@thecarealliancecnp.co.uk
07831597711
HERTFORDSHIRE, ESSEX, THURROCK AND SOUTHEND
Hertfordshire Care Providers Association*
DataProtection@HCPA.co.uk
https://www.hcpa.info/data-protection/
01707 708 018
NORFOLK
Norfolk & Suffolk Care Support Ltd
helpdesk@norfolkandsuffolkcaresupport.co.uk
https://norfolkandsuffolkcaresupport.co.uk/bsbc
01603 629211
SUFFOLK
Suffolk Association of Independent Care Providers
admin@saicp.org.uk
www.saicp.org.uk
07949 381686