As social distancing and self-isolation become the norm across the globe in the wake of the COVID-19 pandemic, companies are encouraging their employees to work from home. While some have long adopted remote work strategies as part of increased flexibility in working hours, others have, until now, opposed them as potentially hazardous to data security and compliance efforts.
Organizations falling under the scope of data protection regulations and standards like PCI DSS, HIPAA or GLBA have now been forced to reconsider their stance on remote work and have begun adopting it as a strategy across the board.
Remote work comes with a number of challenges to data protection. From an increased likelihood of external attacks to employees’ tendency to relax security practices while in the comfort of their own homes, sensitive information leaving a company’s premises will always be more vulnerable than when it is firmly within reach of a well-secured company network.
However, in the present situation, remote work is no longer a choice but a necessity. So how can companies ensure data is well-protected even when all their employees are working remotely? Here are our data security tips:
Adopt new solutions before your employees do
As employees find themselves in a situation where they need to perform all their tasks from home, they will be tempted to start using new software to facilitate their work. This includes video conferencing tools, messaging applications, and document sharing services. It’s essential for companies to choose these solutions before employees take matters into their own hands and start using unauthorized software that is not up to business standards and compliance requirements.
A good cautionary tale is the popular videoconferencing tool Zoom, which has gained an immense user base during the COVID-19 pandemic but was revealed to have serious privacy and security issues, which could be disastrous if company employees use it for work-related meetings. It is therefore highly recommended that companies already have approved software in place that employees can use as part of remote work strategies.
Encryption is key
Once work devices are taken out of the security of an office environment, they become vulnerable to theft or loss. It is essential that encryption is applied to all devices, whether laptops, mobile phones, or removable devices such as USBs.
Most modern computers and phones have encryption built in, but it needs to be activated and configured. This is something companies should do before they allow their employees to start working from home. Encryption, along with remote wipe and device location options, effectively secures data at rest on devices, making sure that, should a device be lost or stolen, the data on it will not be accessible to third parties.
Use VPNs for remote network access
Virtual Private Networks (VPNs) allow remote users to securely access a company’s network and services through an encrypted network connection that authenticates the user and/or device and encrypts data in transit between the user and the company network.
Companies using VPNs at this time must check that their VPNs are patched and have the needed capacity and bandwidth to handle all their employees working remotely at the same time.
Control what can be connected to computers
USB removable devices, although useful, are an often overlooked source of data breaches. They are easy to lose, misappropriate, and infect with malware. They are also frequently shared openly, which makes it hard to keep track of who has used them, for what, and when.
To reduce the risk of infections through USBs, companies can apply device control policies that limit or block the use of USB and peripheral ports. These policies can allow only trusted company-issued devices to connect to a computer.
Ensure policies remain active offline
Many data protection policies are dependent on a computer being connected to the company network or the internet. While working remotely, however, employees may not always have a continuous internet connection available. This means that, for the duration that their computer is offline, data protection policies are no longer active, risking both data loss and noncompliance with data protection legislation.
By using Data Loss Prevention (DLP) solutions that apply policies directly on the endpoint, companies can ensure that data continues to be protected and monitored whether a computer is online or not.