Data Governance in the Age of the Home Office
The COVID-19 pandemic took many businesses by surprise. Companies that were vehemently opposed to remote work because of security and compliance concerns have found themselves forced to reconsider their stance at an alarmingly quick rate. This means that remote work policies were put together hastily to ensure company operations continued as lockdown measures swept the world.
The reality of remote work as the new normal has meant that all the carefully crafted data protection frameworks and data governance policies have suddenly become insufficient in the face of a completely new status quo, mostly because the premise they were built on, employees working together on a company network within a designated office space, ceased to exist overnight. Even businesses that allowed remote work rarely made provisions for such extreme cases as their entire staff working from home simultaneously for extended periods of time. Remote work policies were thus stretched thin or proved inadequate.
The transition to remote work sent many companies into chaos, with data security practices becoming more lax. Cyberattackers have taken advantage of the situation to prey on vulnerable employees. UNRI reported, for example, that the number of phishing websites increased by an alarming 350% from January to March 2020.
Malicious attacks against corporate networks and servers also saw a surge as the pandemic slowed down response teams dealing with attacks. The shift towards mass workforce mobility has also led to a similar spike in data movement, putting highly sensitive information at a higher risk of loss and theft.
An increase in USB drive usage
Removable devices, and USB drives in particular, have long been a thorn in the side of data protection strategies. Pocket-sized and easy to misplace or steal, they have been responsible for countless data leaks over the years. To make matters worse, in recent years, USBs have also become a popular malware infection tool. However, there is no denying they are practical, easy-to-use tools that are an essential part of most work environments.
USBs and removable devices are most often used by employees when leaving company premises, whether to attend business meetings and conferences or to work remotely. The reason for it is fairly simple: this is when they need to take relevant files and documents with them and it’s easier to simply copy them onto a USB, especially if the files are big, to ensure they have access to them at all times.
And while this might be an understandable practice in normal circumstances, when put in the context of the COVID-19 pandemic, it becomes highly problematic. As employees find themselves leaving familiar office spaces, they may feel the need to take confidential files and sensitive data with them to ensure they can perform their duties effectively from home. As a consequence, a large amount of sensitive data is likely to wind up either in the cloud or on vulnerable removable devices such as USBs, from where it can be easily accessed by outsiders or stolen.
A rise in internal threats
Mass layoffs in many countries have led employees fearing dismissal to copy corporate files and sensitive information onto their personal devices, in the hope they may prove useful to them in case they lose their jobs. Many times, they feel entitled to take these files as they may be the result of their work over the years.
This desire to secure something for the future can be very dangerous for companies for two reasons. One is the possibility that their employees, embittered by job loss, may take sensitive data about their business operations to their competitors or use them to discredit the company.
The second is that the data copied, although never used maliciously by the employees that took it, may be stolen or made public, leading to potential fines for companies for noncompliance with data protection regulations. Under the new wave of data protection legislation such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), businesses are legally liable for any data breaches that involve the sensitive data they collect.
Protecting data while working remotely
Companies can take measures to curb the transfer of sensitive data onto removable devices through the use of tools such as Data Loss Prevention (DLP) solutions. These can block computers’ peripheral and USB ports, thus preventing connection of any such devices to company endpoints or allowing only trusted devices like encrypted company-issued removable devices to connect to them. Data defined as sensitive can also be blocked from being transferred onto popular cloud services or file sharing websites through DLP tools.
Enforced USB encryption can help mitigate data vulnerability on removable devices. With it, an encryption solution is deployed automatically to any trusted USB storage device connected to a company computer. Once it is installed, any files copied onto the USBs will be encrypted and accessible only through passwords.
Another particularly useful feature of DLP solutions is their ability to not only control but also monitor sensitive data and log its movements. Admins are thus notified when an employee attempts to copy or transfer sensitive data. In this way, companies can keep a close watch on important information and immediately detect any increases in data transfers, whether via the internet or through portable devices.
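The monitoring described above can be sketched as detection logic over transfer logs. This is an added example, not part of the original article and not the code or log format of any DLP product; the record layout, user names, the spike factor and the minimum history length are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample of DLP transfer log records (not from any real product):
# (day, user, channel, device_trusted, sensitive, megabytes)
EVENTS = [
    ("2020-03-02", "alice", "usb", True, True, 12),
    ("2020-03-03", "alice", "cloud", None, True, 8),
    ("2020-03-04", "alice", "usb", True, True, 10),
    ("2020-03-05", "alice", "usb", True, True, 15),
    ("2020-03-06", "alice", "usb", False, True, 900),
    ("2020-03-02", "bob", "usb", True, True, 40),
    ("2020-03-03", "bob", "usb", True, False, 5000),
    ("2020-03-04", "bob", "cloud", None, True, 35),
    ("2020-03-05", "bob", "usb", True, True, 50),
    ("2020-03-06", "bob", "cloud", None, True, 45),
]

def daily_sensitive_volume(events):
    """Sum sensitive megabytes per user per day, across USB and cloud."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, _channel, _trusted, sensitive, mb in events:
        if sensitive:
            totals[user][day] += mb
    return totals

def find_alerts(events, factor=3.0, min_history=3):
    """Return sorted (day, user, reason) alerts for admins to review."""
    alerts = set()
    # Rule 1: attempt to copy sensitive data to a removable device
    # that is not on the trusted (company-issued, encrypted) list.
    for day, user, channel, trusted, sensitive, _mb in events:
        if channel == "usb" and sensitive and trusted is False:
            alerts.add((day, user, "untrusted_device"))
    # Rule 2: a day's sensitive volume exceeds factor x the median
    # of that user's own earlier days (needs min_history days first).
    for user, per_day in daily_sensitive_volume(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) >= min_history and per_day[day] > factor * median(history):
                alerts.add((day, user, "volume_spike"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

Bob's 5000 MB copy raises no alert because it is not classified as sensitive, while Alice's transfer on the last day triggers both rules; comparing each user against their own history avoids flagging people whose normal workload is simply large.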