As organizations navigate a digital business landscape amid COVID-19, 88% of companies have encouraged or required employees to work remotely. This new period of remote work represents uncharted territory for millions of workers and thousands of organizations across all industries, regardless of size or sector. Of course, remote work brings its own set of challenges, but none greater than the risk of dispersed data across dispersed workstations.
Many leaders trust their employees not to disclose sensitive information, but as confidential finance data, intellectual property, customer information and more are shared across a number of devices and platforms, information is bound to get lost in the shuffle. Consider just one scenario: where are sales professionals storing prospect proposals, contracts and other information needed during onboarding? The answer is muddled, as employees will store these sensitive materials across a range of locations: within local folders; synced onto cloud storage folders; uploaded onto CRM systems; archived in email chains; captured in temporary locations by applications; and shared via internal chat apps. These types of data decisions, while intended for necessary business operations, present a new risk that can be exploited when not managed properly.
As workforces expand beyond the four walls of an office, so does the organization’s data. The following best practices will arm organizations with the information they need to create systems and policies that promote a secure remote work environment, preparing them for these unprecedented times as well as the future:
Defining device ownership
As employees transition to working remotely, begin by establishing a clear company position on device ownership. For most organizations, there are three device ownership categories: complete device ownership, employee device ownership, or a mix of the two.
Complete device ownership by the company is the ideal scenario for most organizations; however, high costs and continuous maintenance can make it infeasible. Complete device ownership poses the least amount of risk to the company and allows total control over all devices, enabling remote monitoring to validate that any device is safe and secure for use.
In some cases, particularly where work from home was implemented on short notice, employees are forced to use their own devices when working remotely. While this is a low-cost option and has a quick onboarding process, security risks are high. As employees store vast amounts of company data on non-company devices, the potential for compliance violations and breaches can only increase.
Organizations that implement a hybrid approach of company-owned and employee-owned devices will create an IT team’s worst nightmare. Without the ability to distinguish “safe users” from “rogue users,” they create splintered security policies that cause internal confusion and an overall lack of visibility. Regardless of the strategy, executive leadership must convey a clear company position so that IT security can implement appropriate levels of control to mitigate the associated risks.
Ensuring security recognizes remote work
Once organizations have made a decision on device ownership standards, it’s important to undertake a thorough review of existing security standards and policies to define best practices in both the office and the remote work setting.
For example, standard security policies may mandate that only company-owned storage devices may be used for storage of company file data, and that usage of personal printing devices is forbidden. Traditionally, this type of policy has worked when staff with remote work privileges worked from home once per week. However, such a policy becomes impractical, with a high chance of violation, under a continuous work-from-home scenario.
Other common factors arise where company-owned devices have been deployed. Picture an employee allowing a family member or other household member to use that device for non-work reasons such as external e-learning or streaming. This is often in conflict with the fact that many organizations monitor usage metrics for security purposes. Thus, it’s important for employees to be made fully aware of these policies to mitigate the risk of unapproved users.
Throughout the entire process of creating, establishing and enforcing these standards, organizations need to keep their employees in the know through regular communication. Having all employees read the standards and sign off is important; however, communication of these policies does not stop after responsibility has been assigned.
Ultimately, the most important component of having security policies and standards is education. Invest time in educating your employees on best practices in terms they can relate to. They represent your security front line, making daily data decisions that impact the business as a whole. Therefore, regular, bite-sized interactive training is one of the best investments an organization can make.
Become aware of all data, no matter where it rests
Even with the best processes and security technologies, cracks will form over time, resulting in the storage of company data in unknown or unapproved locations. To overcome this unknown, organizations should regularly deploy data discovery across all areas of storage, configured to monitor and detect company data, personal data and other forms of sensitive data. These data discovery scans should include servers (file, email and database), workstations and laptops, including those used remotely, and all cloud-stored data.
Using a well-defined and properly deployed data discovery strategy enables an organization to establish a true level of confidence that its most valuable data, which carries the highest level of risk, is accounted for and is not being mishandled or stored in insecure locations.
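A minimal sketch of such a discovery scan over one workstation's storage, added here as an illustration and not taken from any particular product: it walks a directory tree, detects payment card numbers (confirmed with the Luhn checksum to cut false positives) and email addresses, and marks each finding as sitting inside or outside an approved location. The folder names, the approved-location list and the two patterns are assumptions chosen for the example, and the sample files are constructed.

```python
import os, re, tempfile

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: discards digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text: str) -> dict:
    """Count sensitive-data hits per type in one file's text."""
    cards = [re.sub(r"[ -]", "", m) for m in CARD_RE.findall(text)]
    return {"card": sum(map(luhn_ok, cards)), "email": len(EMAIL_RE.findall(text))}

def discover(root: str, approved: tuple) -> list:
    """Walk root; return (relative path, hits, in_approved_location) per file with hits."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read(1_000_000))  # cap characters read per file
            except OSError:
                continue  # unreadable file; a production scan would log this
            if any(hits.values()):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, hits, rel.startswith(approved)))
    return sorted(findings)

def demo() -> list:
    """Constructed sample tree: one approved location and two ad-hoc ones."""
    samples = {
        "CRM-Export/contract.txt": "Card 4111 1111 1111 1111, contact jane@example.com",
        "Downloads/proposal.txt": "Pay with 4111-1111-1111-1111",
        "Temp/notes.txt": "Order ref 1234 5678 9012 3456, no personal data",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return discover(root, approved=("CRM-Export/",))
```

The order reference in the Temp folder looks like a card number but fails the Luhn check, so it is not reported; the copy in Downloads is reported and flagged as outside the approved location.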
Many organizations were forced to implement remote work strategies without the appropriate time to consider all associated risks, and now must retrospectively review how they can be addressed. Initially, remote work was viewed as a short-term issue that could be solved with temporary solutions. Organizations are adjusting this view with the acceptance that work from home should be treated as a long-term strategy and requires a change to how things were done in the past. The security decisions made by both executives and employees will have a lasting impact on the future of the business, particularly when it comes to how and where data is being handled in a remote work situation. Rather than viewing remote work as an unwanted or temporary condition, organizations should review their data security risk posture with a view that incorporates work from home as an ongoing business norm.