Question: What simple technical and organisational measure can be taken on the computer to prevent access to personal data by third parties?
Answer: Always password-protect your computer!
I always thought that can't be so difficult. But maybe I was wrong, recalling my observations last month.
I could not believe my eyes
Unlocked computers with visible payrolls greeted me in the lunch break of a payroll office. I received the following reasoning from the managing director: "After all, the data is processed remotely in the service provider's data centre and is therefore absolutely secure."
I told the managing director that the first technical and organisational measure (TOM) to protect data is to provide all computers with usernames and passwords. Access to data, no matter where it is, must be very clearly regulated. It must be possible to exclude access by third parties.
The manager was not aware of this, but wanted to take care of securing access to the data immediately.
Who is TOM?
TOM is not just one, but several. According to Art. 32 GDPR - Security of Processing, controllers and processors must take appropriate Technical and Organisational Measures (TOM) to ensure a level of protection. In doing so, the state of the art as well as the implementation costs are taken into account.
For example, saving passwords in plain text is definitely not state-of-the-art. Read more about why e. g. Knuddels.de had to pay a fine of 20,000 EUR.
Always password protect computers
One of the first protective measures is to secure the computer with a password. This does not even have to be registered in a domain on a server. The same applies, of course, to mobile devices such as smartphones and tablets.
However, the best password is of no use if the computer is not locked when leaving the workplace. This should be second nature to every employee. Always lock the computer when leaving, even if you are just going to get a quick coffee.
How the computer is unlocked is irrelevant for the time being. Whether unlocking is done by password, USB stick, transponder or fingerprint is merely a higher or lower level of security.
A password manager keeps order
Once the first security measure has been mastered, there may be many more passwords waiting to be entered. If you want to do everything right and provide the passwords with a minimum length, special characters, numbers and upper and lower case letters, a password manager is indispensable.
Password managers are now available as network solutions so that different employees can access the centrally maintained password database, taking into account their role rights.
Conclusion
In companies, every end device should be password-protected. This is state of the art. Please also protect your private devices from access by third parties. Forgoing a password for the sake of convenience is not an option.
