For many, the adaptation to working from home has been a challenge. Maintaining productivity while also facing health, financial and family concerns can be stressful enough, so understandably many employees would rather not add information security to their list. However, you would have been hard pressed to miss the sharp rise in data breaches last year. Under the GDPR and the Data Protection Act 2018, companies must protect data in a way that ensures ‘appropriate security’ by using ‘appropriate technical or organisational measures’, and COVID-19 does not provide an exemption. What can organisations do to keep data safe in such difficult circumstances?
Evaluate current measures
Many organisations already have remote working policies in place (93% according to a study by OpenVPN); however, 25% of these companies have not updated those policies in over a year. Attackers readily exploit out-of-date systems, so now is the ideal time to update policy, which also provides an opportunity to remind employees of proper remote working procedure. Additionally, ensure that existing security measures are working as intended. For example, most organisations use a virtual private network (VPN) so that employees can access company data over an encrypted connection. However, many corporate VPNs have vulnerabilities that IT teams do not patch regularly, or are not designed to cope with constraints such as limited bandwidth, either of which can stop the VPN working properly. Many companies, including Dell, have said that evaluating their VPN was a top priority during the pandemic.
A recent study by IBM concluded that the current workforce, having been rushed into remote work, poses a significant risk to information security. 52% of surveyed newly working-from-home employees reported using their personal devices for work (often without any new tools to secure the device), and 45% had not received any new security training, yet 93% felt confident that their company would keep personally identifiable information safe. This suggests that employees are underestimating the security risks of working from home, and that IT teams may be overestimating employees’ knowledge of information security. IT may therefore be unaware of the risks employees are actually taking, such as sharing devices with family members: on a shared device, data could be downloaded and unknown software installed while the employee’s company credentials are still entered. It is important both to enforce regular training on how to keep data safe and to communicate repeatedly the business consequences of failing to follow policy.
Additional security layers
On a related note, being realistic about the risk employees pose to a security system means limiting the potential damage. Employing multiple layers of security, such as multi-factor authentication and encryption, will help businesses stay safe. Encryption is specifically mentioned by the GDPR when outlining what constitutes appropriate technical and organisational security measures, the reason being that even if a breach occurs, the data remains unreadable. It is crucial that all devices used for work (including phones and tablets) are encrypted. Plenty of widely used software, such as Microsoft Office or Adobe Acrobat, also provides an option to encrypt files, and it is a good idea to get into the habit of encrypting everything. Then, should a device be accessed remotely or physically by an unknown person, the data stays safe.
While many businesses are juggling a number of concerns during the pandemic, it is essential that information security remains a priority. The GDPR means data must be kept safe at all times: by evaluating security systems, by understanding the risks your employees take when working from home, and by responding with training and fail-safe measures like encryption. Given the financial and reputational consequences of a data breach, it is vital that businesses are proactive in ensuring information security.