Articles by Fredrik Forslund
Since lockdown came into effect, organizations globally have undergone years' worth of transformations in a matter of months. Whether it’s been to transition their operations online or moving their IT infrastructure to the cloud, there’s no denying that the face of business has changed permanently, experiencing a seismic shift, both operationally and culturally. As we enter the “next normal” there remains a great deal of uncertainty around what the next twelve months holds and how organizations can navigate turbulence in the face of a possible recession. One of the most notable and widely reported trends has been the switch to remote methods of work, or home working. And even with news of some businesses returning to their places of work and office spaces opening at reduced capacity, it’s widely speculated that for some, the home office environment is here to stay. Lower operational costs, greater flexibility and productivity driven For the vast majority, however, working from home is an entirely new process. In fact, a recent survey from IBM revealed that more than 80% of respondents either rarely worked from home or not at all prior to the pandemic. And in turn, more than half are now doing so with their personal laptops and devices. While the benefits of a more remote workforce are well documented – lower operational costs, greater flexibility and productivity driven by being able to access shared workspaces and applications from anywhere, at any time, and on any device – it does represent a sizeable concern in terms of security and data protection. An evolving threat landscape In the IBM survey, it was also revealed that organizations had not implemented any new security policies to help guide their staff when it comes to handling sensitive customer data and password management. And with so many employees logging on from residential networks, through personal devices that may be more easily compromised, the overall attack surface has greatly increased, raising the risk of potential corporate and sensitive data leakage in their new home office settings. The challenge is that bad actors love this new reality, as employees are far more likely to fall victim to a cyberattack when working outside of the office’s firewall. A survey released by INTERPOL, showed that cybercrime had grown at an “alarming pace” as a result of the COVID-19 pandemic, with a particularly large increase in phishing scams/fraud (59%), malware/ransomware (36%), malicious domains (22%), and fake news (14%). And this should be real cause for concern for organizations, because should one employee fall victim to a data breach through a scam or spear phishing attempt, for example, that company will be liable to pay potentially huge fines in line with national data regulatory standards. In April this year, the UK’s data protection watchdog, the Information Commissioner’s Office (ICO) and the EU, did both announce that they would temporarily soften their enforcement of the GDPR. However, this was not a cause for organizations to become complacent and neglect the data protection policies they had worked so hard to implement in their office environments. The momentary change actually means very little in terms of the critical importance of safeguarding private and sensitive data. Don’t slip into bad habits It’s essential that all organizations implement proper audit trails to track and account for any and all data It’s fair to expect that the move to a home office will inevitably make employees feel, well, more at home. And with that might come a relaxation in their approach to data management best practices and the adoption of a few bad habits. One thing to consider about a remote workforce, is it’s highly likely that everything will be saved to a desktop as temporary data or in permanent folders, particularly if access to central, cloud-based workspaces and platforms is impaired or restricted. The issue here is that this can impair an organization’s chain of custody over its organizational and customer data. It’s essential that all organizations implement proper audit trails to track and account for any and all data in their possession. With data stored locally on a device and off-premises, this data immediately becomes harder to audit and presents a significant risk to the organization. It’s crucial that both the organization and its employees understand how to actively clean up this type of environment. Managing documents through centralized cloud-based workspaces, is a much better way to continuously manage data stored. What this all comes down to is a need to account for the significant cultural shift all organizations are experiencing. While certain aspects of our day-to-day working life certainly won’t be business as usual, an area that can’t slip is data management and the safeguarding of private data. Ensuring that privacy is ingrained in all processes, new and existing, and maintaining the mantra that security should be every employee’s top priority is crucial. Give data privacy the time and respect it deserves, make it part of the company’s culture, and a compliant, secure workforce will follow. Basic hygiene and remote solutions = a healthy remote workforce So, what is the best way to ensure a remote workforce is following data management best practices and keeping home offices secure? Primarily it comes down to following many of the basic hygiene practices and guidelines that organizations should already be following. Don’t sit on sensitive data in your home office that is not needed and no longer holds any value to the business. Maintain a full audit trail of any and all data from point of collection, right through to end-of-life and erasure. And ultimately carry out the permanent and irreversible erasure of data when it becomes redundant, obsolete, or trivial (ROT), to reduce your risk – in fact, it’s completely possible to carry out certified data erasure of selected data remotely. Don’t sit on sensitive data in your home office that is not needed Equally, a lot of concerns about ensuring your workforce is following security protocols and maintaining regulatory compliance can be alleviated through tools and processes that you don’t even have to think about. Appropriate methods of data sanitisation can be achieved through automated solutions that can be pushed out by administrators to help continuously protect employees in the background, without the need for a significant shift or change from normal routines. Remote erasure practices also enable the sanitisation of devices that reach end-of-life, these can then be transported to the device processor without the threat of sensitive data being intercepted. In these uncertain times, organizations will undoubtedly be challenged in new ways, but it’s vital that they don’t fall victim to new data management challenges and risk facing wholly avoidable fines from data breaches. Security and achieving compliance have always been about the journey, not the destination, and this is yet another step in that journey. It won’t happen overnight, and it must be a company-wide effort. Employee education is essential, and privacy should be built into every part of the organization across departments, not just across IT or legal departments.