Digital MPs

Staying secure

We looked at how to keep the teams' systems secure and saw opportunities to improve security, outlined below.

My personal worry, coming new into this environment and already having a digital footprint, is being protected from having my name known by constituents who can perhaps then seek me out. I don’t know whether that’s a valid worry or not. That’s a cause of concern for me.

- Staff member

I’m afraid to say that I was caught by a malicious email. I opened what looked like a genuine link and had to send the computer away to be rebuilt at PDS. It looked like a completely plausible bill or invoice that I should have addressed, so I opened it. It was dealt with very quickly and with minimal fuss, but it just shows that, you know, it can happen to any one of us, and it can look entirely plausible.

- Staff member

MPs and their teams work with official and sensitive data, and benefit from clear guidance and understanding of good practice. In our work with them, we discussed:

  • the vulnerabilities, outcomes and likelihood of being hacked
  • when to avoid using public wifi, for example in hotels or on trains
  • how phishing emails and social engineering phone calls can fool people, so that staff are more ready to identify suspicious emails and calls, knowing that MPs can be targets
  • making sensible choices such as locking away computers, not using USB devices to transfer files, and always speaking to the PDS helpdesk when issues arise

We identified basic steps to get right:

  • We helped teams vet their existing software to ensure it met Safe Harbour privacy principles, and only recommended new tools we felt were sufficiently security-minded
  • We turned on two-factor authentication on tools such as Twitter, personal email accounts or cloud storage, adding a layer of security many staff weren't aware of
  • We encouraged use of cloud syncing for Office 365 to ensure data backups existed and were accessible through a secure interface
  • We recommended that all MPs use their Parliamentary email account for work correspondence to ensure data remains secure
  • We helped set up password managers so that teams could use passwords that are strong, secure and shared. We also recommended using data leak websites such as Have I Been Pwned? to check that passwords haven’t been leaked by previous hacks.
  • We applied DMARC to the website domain to protect an MP’s domain from being spoofed in phishing emails.

There are also both physical and virtual security risks for MPs and their staff.

MPs and their staff frequently deal with citizens who the NHS, Job Centre or local authority can no longer deal with due to dangerous or threatening behaviour. As well as being trolled, several of our MPs received threatening messages while we were in their offices, and we worked with their teams to ensure they had processes in place to deal with trolls and report any threats to the Serjeant at Arms and the police.

Some of our caseworkers felt at risk of online stalking from unstable clients, so we helped them audit their web and social media presence so that they could feel happy that they weren’t involuntarily opening themselves up to unnecessary risks by oversharing personal details online.