Assistive technology and IT security

Last Modified: 23 September 2024


This resource was created by our Technology Taskforce, a group of senior IT accessibility individuals from leading UK and global organisations. For more information, including how to join, see our website.

Introduction

Many people with disabilities or impairments benefit from the use of assistive technology in the workplace. However, the use of such technologies can introduce additional information risks that need to be managed.

Rather than a knee-jerk rejection of AT, employers must understand and manage these risks to support disabled employees and avoid discrimination.

This document has been produced to help organisations manage the additional information risks and to highlight the need to consider accessibility issues in their departmental security policies.

Critically, organisations should note that security requirements should not represent an insurmountable barrier to the adoption of appropriate and managed assistive technology in the workplace.

Assistive technology and IT security

Assistive technology (AT) is an umbrella term for hardware or software designed for disabled people. It includes adaptive and rehabilitative technologies or systems that are designed to increase or improve the user’s functional capabilities (for example, voice to text systems, screen magnification, and speech systems).

We have created a detailed guide to what AT is available and how organisations should provide it in our resource, ‘Assistive technology catalogues.’

AT is necessary for many disabled employees. However, the installation and use of some AT might raise additional security risks. Organisations should understand what these are, and how to manage them – without depriving employees of the AT they rely on.

The following section outlines some of the most widely used AT. It covers the potential risks that could arise from its use, and the mitigating actions organisations can take to manage these risks.

Screen enhancement or magnification systems

These systems enhance the visual display available to the user, typically by magnifying the content, or enhancing the brightness of a window or text.

This increases the possibility of sensitive information on the screen being inappropriately overlooked by bystanders or colleagues.

Risk mitigation

Where possible, screens should be arranged in a manner which prevents sensitive information from being overlooked by unauthorised personnel.

Audio recognition or output systems

This category includes products that use a microphone to translate audio input into text and commands, or record it, as well as those which amplify audio output.

Such systems could enable unauthorised personnel to overhear sensitive information. They may also retain logs of security-related entries, such as authentication and access control credentials.

Risk mitigation
  • Use only uni-directional microphones to help minimise any extraneous sounds being picked up by the devices.
  • Ideally, staff should wear headphones when using audio output devices to minimise the chance of eavesdropping.
  • Train staff using the device to use a keyboard input for any sensitive information, to minimise the risk of it being overheard.

CCTV systems

These systems typically use a camera or scanner to capture an image of a static document, before processing the images to magnify or extract text on a user’s computer.

Unauthorised users with access to these systems could compromise the camera to provide them with access to sensitive information in the local working environment.

Risk mitigation
  • Where possible, physical access to the CCTV system should be managed.
  • A record of scanned documents should be maintained and regularly checked.
  • The repair or exchange of CCTV equipment should be managed securely.
  • Any additional functionality which the CCTV device offers, such as wireless connectivity, should be disabled. If the device provides any additional ports, such as USB or FireWire, the security operating procedures should disallow their use.

Dictaphones

These systems typically make audio recordings of speech for later playback.

Broadly, they can represent two potential security risks:

  • Loss of such a device can mean that any material on it could be accessed by unauthorised users and, moreover, copied onto a PC for subsequent distribution.
  • Many such devices allow material to be copied to them from a PC, and therefore Dictaphones might be considered large external storage drives.

Risk mitigation
  • Where possible, physical access to the Dictaphone should be managed. For example, when not in use, it should remain in a locked cupboard or drawer.
  • Use Dictaphones that are capable of encryption and set encryption level to high (256 bit).
  • Dictaphones should not be taken out of the office unless needed.
  • Organisations should consider blocking users from copying files to Dictaphones.
  • Any material recorded should be deleted from the device at the earliest opportunity.
  • Only use Dictaphones without external storage, such as SD cards.

Remote access and flexible home working

Members of staff may use a security token to dial in remotely via a VPN connection. There is a range of alternative devices and methods available for those with a visual impairment or learning difficulty, such as a larger security token, a soft token on their PC or an equivalent mobile app.

Risk mitigation
  • Ensure larger / talking security tokens are kept safe and used in quiet environments.
  • When entering passwords with larger, magnified or talking PC functionality, employees must be mindful of their surroundings. Considerations should be elaborated in security operating procedures, such as not using them in public spaces.

Risk management

In keeping with the deployment of any new technology, the use of AT should be supported by:

  • A formal risk assessment and the implementation of proportionate security controls. These controls must balance the needs of the individual with the security requirements of the organisation.
  • Security operating procedures that are tailored for the individual. They must explicitly state the parameters within which the technologies can be used and the processes for reporting any security related concerns.
  • Systematic provision of training on new equipment as part of the delivery process. Training should also be provided when significant updates or fixes are rolled out.
  • The provision of timely and informed technical support. Maintaining the configuration of some AT can be complex, especially in a dynamic office environment. Moreover, the interaction between some assistive systems and bespoke ‘in house’ applications can sometimes lead to unforeseen availability issues that can cause significant problems for users.
  • The inclusion of AT packages in the organisation’s patching policy, appropriately prioritised. Updates and fixes should be applied in a timely manner to ensure that systems maintain their optimal functionality at all times.
  • Departmental security policies that account for the requirements of their disabled users. They should be able to demonstrate that reasonable efforts have been made to ensure that they do not discriminate against, or disadvantage, disabled users.

If you require this content in a different format, contact enquiries@businessdisabilityforum.org.uk.

© This resource and the information contained therein are subject to copyright and remain the property of the Business Disability Forum. They are for reference only and must not be copied or distributed without prior permission.

