An unseen force out in the wild to eat every living being alive. A deadly being routing itself through vines to take over our lives. Air that we breathe in is making us sicker than making us feel alive. A shadow monster lurking behind this eerie environment. Sounds familiar? Is this sketch script of Stranger Things? Or is it not?
The world as we know has changed in the last couple of months. The COVID-19 pandemic represents a mammoth transformation to many aspects of our lives. With organisations across the globe turned upside down by the COVID-19 pandemic, there has never been a worse time to suffer a data breach or cyber-attack. We are living the ‘Upside Down’ and these shadow monsters, operating in cyber-space, are waiting for us to take one wrong step.
With the majority turning into remote workforce during COVID-19, the time has come for us to change our entire approach to privacy and personal data protection. As working remotely does not change anything regarding a company’s data protection requirements under the General Data Protection Regulation (GDPR), they remain applicable regardless of the time of day or the location of staff. According to ICO, the most common data breaches during remote working relate to the loss and unlawful disclosure of personal data.
There have been instances where an employee’s personal device has exposed the company data along with personal data of employees, employers, or investors. As reported by Kroll, human error is to be blamed for 88% of data breaches in the UK. Most of the time, the personal device does not have the same level of security as work machines and are not managed by corporate IT policies. They might lack the minimum security safeguards, such as, communication rules that could be a potential source of an information leak, weak passwords, or something as simple as an out of date anti-virus. This gets further complicated if employees are signing into a VPN to use the office shared drive on an infected personal machine as that can infect the whole system.
It seems evident that all the above happen due to human error and they are being traced back to the failures of organisations in securely supporting their workforce. However, this doesn’t mean that accountability is entirely shifted to organisations and their IT departments. Thus, everyone should take sensible measures to ensure that the team and the organisation have the best defences in place during these uncertain times. Let’s see some of those best practices that can be followed by the remote workforce during COVID-19.
- Strong passwords: It should go without saying, but enforcing the use of strong passwords and 2FA are the most basic steps to protecting devices and data. This is especially true with personal devices or if the devices are leaving the place of work.
- Update your BYOD policies: Personal devices generally have poorer security measures than corporate devices and you may have to relax your BYOD policy to include the use of personal devices to enable staff to work remotely. Update your mobile and personal device management policies and enforce the necessary guidelines.
- Communication and guidelines: This can’t be emphasised enough in current times when there is a higher chance that your staff may not follow general guidelines or company security policy. Reminding your team of security policies will make them think twice before installing any random browser plugin, opening a phishing email, or clicking a malicious link.
- Using collaboration tools: Secure collaboration tools are convenient and secure ways for teams to communicate. Wherever possible, ensure collaboration tools offer end-to-end encryption and store data privately.
- Secure your VPN: Review your VPN policy, ensure all VPN traffic is scanned and filtered by the corporate firewall before users accessing the data.
- Avoid public WiFi: Public WiFi should be discouraged on any corporate device without a VPN in place and active. Alternatively, staff may wish to tether to a mobile device with a 4G or 5G connection. Whilst this is far more secure than public WiFi you may wish to consider the cost to the business in data and roaming charges.
- Device Security: An often overlooked consideration, devices carrying sensitive information outside of the corporate network should have encrypted disks. Workstations remaining in the office unattended should also have their disks encrypted. Ensure that all devices, whether it is company-owned or personal ones being used, have anti-virus installed or updated. Updates to operating systems can fix vulnerabilities that can be exploited.
- Mobile Device Management: The global workforce has already been mobile before working remotely in these harsh times. Enforce mobile device management process set-up for all company-owned or personal mobile devices being used for company-related communications.
- Secure physical assets: Theft and tampering are rampant due to limited or no on-site presence. Workstations should be encrypted by default, devices no longer in use should be powered down. Where possible lock devices away rather than leaving them on desks.
- Reporting any suspicious activity: Encourage and remind your team to report suspicious activity, such as suspicious phishing campaigns or links being received.
As working from home seems to be the norm for an unforeseen near future, it is important for organisations to secure the appropriate compliance infrastructure to protect your organisation from risks to personal data associated with remote working. Organisations are encouraging collaboration, workers’ sense of belonging, and overall work satisfaction. Thus, employees also need to do their bit to ensure the safety of organisational data. COIVD-19 is the time to work together, even if it is remotely.