Last year, a survey from IBM revealed that more than 80% of respondents either rarely worked from home or not at all before the pandemic. Today, the trend has reversed. More than half of the same respondents are now working from home, the majority of which will be using corporate IT equipment; however, some are using their personal devices. This shift is often without new security policies, tools or guidelines in place to help employees understand how to secure their devices properly and which processes to follow for managing sensitive data. This change in working practices has left employers worried about the increased risks of data breaches associated with the unique vulnerabilities of a distributed workforce.
This shift to remote working is likely to become more permanent. According to analysis from Morgan Stanley’s research unit AlphaWise, 82% of office workers surveyed across five European countries would like to continue working remotely post-pandemic. So, what should organizations do to strengthen their security posture in a hybrid working environment?
Track IT Assets to Protect Your Data
Bad actors love this new reality. A lack of guidance and training for employees, combined with data being shared across personal and corporate IT assets and security policies not being up to scratch or communicated effectively, has broadened the attack surface.
All organizations concerned with maintaining data privacy and security must recognize the need to update data management practices and security policies to match this new normal. In fact, given the increased risk in a home environment, data policies and practices should be improved to fit the prevailing circumstances better.
One often overlooked yet important action is tracking all IT assets that process or store corporate or customer data or PII. Regardless of whether it’s a personal or company-owned device, any IT asset holding sensitive data is a potential risk. Keeping track of all IT assets means that when it comes to securely sanitizing the data on it, all traces of that data can be accounted for.
Do You Really Need to Keep That Data?
Now that you are tracking IT assets, the next natural step is to track the data processed by or stored on them. Tracking the data on all IT assets from creation to end-of-life with a full audit trail is basic cyber hygiene and one of the most effective methods of securing your data. There are tools to automate this, and hiring a data protection officer (DPO) can help significantly ease the process.
To make tracking IT assets and data efficient, instate a data retention policy to regulate precisely how long data is stored and how data is handled at end-of-life. These two aspects should be communicated effectively to all employees.
A common mindset is that all data collected is important and should be stored; however, storing data beyond its intended lifecycle increases the risk of that data causing problems. Data beyond retention periods, temporary copies, data processed in home offices and inadequately managed data centers are examples of why organizations need to analyze data lifecycles actively.
As we adjust to a permanent hybrid working environment, organizations face novel issues like employees accessing sensitive data externally from a core server or storage unit. With asset tracking and a codified data retention period in place, the chances of that sensitive data getting into the wrong hands are significantly reduced.
Dealing with Data at End-of-Life
A comprehensive data retention policy must cover the full data sanitization process for redundant, obsolete or trivial (ROT) data to a regulatory compliant standard, with auditable processes throughout. Information that has been appropriately and permanently erased cannot be recreated or accessed by bad actors. Protecting data is a journey and a mixture of many necessary components, but active data sanitization is essential.
The split between local and remote storage can cause a headache for data management and sanitization. New tools like remote erasure solutions, along with regular audits of corporate data, tracking and accounting for all data exchanged between a remote workforce, will minimize the risk of data breaches.
So, as you prepare to permanently operate in a hybrid working environment, ensure data security is top of the boardroom agenda and that your security policy and data management best practices are well communicated. Remember, the most common cause of a data breach is human error, so all employees must be well versed in your company’s data management policy. Secondly, when using a mix of personal and professional IT equipment, ensure the assets and their data are tracked with a full audit trail. Finally, instating a data retention policy with regulated data sanitization upon end-of-life is crucial to keeping your sensitive data safe.
The world has permanently changed; if you don’t adapt your security policy to match, you could cause permanent damage to your reputation, brand and bottom line.