Before the current health emergency, many organisations had equipped themselves well to support remote and mobile working, recognising the productivity and agility that could be gained. Nobody, however, expected that they’d suddenly need to enable an entire workforce to do their jobs from home. The resulting disruption is huge – and as businesses struggle to manage the change, cyber-criminals are waiting in the wings to target any chinks in the security armour.
Businesses must act now to prevent customer data, PII and other sensitive and confidential information from being exposed, while ensuring people can still access the databases and systems they need, and safely process and share information.
The risk of not doing so is real: in a 2019 survey of IT decision makers carried out by Apricorn, one third said their organisation had already suffered a data breach as a result of remote working, and 50% admitted they were unable to guarantee that their data was adequately secured when being used by remote workers.
More than ever before, the responsibility for safeguarding data sits with every single individual within the business. It’s down to the employer, however, to rapidly equip everyone with the processes, information and tools they need, as well as mitigate against potential human error.
Identify and address the risks. Map out all of the data that’s used within the organisation, and stored on-site or in datacentres, and also the data that’s coming in – for example, from new customers registering for accounts online. Find out who accesses the data and why, and how they use it.
Check the controls that are applied to information at each stage of its journey, talking to your cloud provider where applicable. Determine the specific risks it’s exposed to when it’s on the move and at rest. Look for gaps in the security strategy that leave data vulnerable – in particular, check for basic weaknesses such as out-of-date or unpatched software, default passwords or misconfigured databases.
Apply the necessary controls. Immediately address any gaps you’ve identified. Restrict access according to ‘least privilege’ principles, allowing employees to access only the data and systems they need to do their jobs. Putting in place a privileged access management (PAM) solution will help to reduce risk. Data loss prevention (DLP) tools, continuous network monitoring, firewalls and intrusion detection/prevention will also work to prevent accidents and spot malicious behaviour.
Protect data with specific remote working policies. Review all your data security policies and business processes, updating those that cover remote working or creating new ones as needed. Clearly set out how employees are expected to behave when working at home, the best practice protocols they’re expected to follow, the types of mobile devices, removable hard drives and USB storage devices allowed, and how these must be used.
Communicate and educate. Policies and processes should be communicated clearly and directly to all employees – including temps, contractors and the senior team. This is also a good time to refresh workers on the specific legislation that applies to the business, and the consequences of failing to comply.
Highlight the specific risks of mobile working – for instance accessing work systems and apps over an unsecured wifi connection or clicking on a phishing email when distracted by something that’s happening at home.
Encrypt everything as standard.
When everyone’s out of the office, enforcing policies is a challenge. Encrypting all data when it’s being stored, as well as in transit, will lock it down, so that even if an employee makes a mistake and inadvertently exposes or loses information it will be indecipherable to anyone unauthorised to access it.
Encryption is specifically recommended in Article 32 of GDPR as a means to protect personal data. Two thirds of organisations now hardware-encrypt all information as standard – up from just half last year, according to Apricorn’s survey.
This ‘last line of defence’ can be extended with the provision of highly secure USBs and portable hard drives that automatically hardware encrypt all information written to them. This will enable workers to move large volumes of data around safely, wherever they end up working. Moving data offline also avoids the possibility that it might be targeted in the cloud, for example.
Businesses must act now to secure all customer and corporate data as it moves beyond the confines of the office walls. This needs to happen rapidly, so the best approach at this time is a straightforward one, focusing on the three fundamentals of cybersecurity: policies, people, and technology. Those that can safeguard their data and systems, while continuing to enable productive and efficient working, have more to gain than avoiding regulatory fines and reputation damage. This is also an opportunity to actively build customer trust and loyalty through continuing to handle their information in a respectful and responsible way.
Jon Fielding, managing director EMEA, Apricorn