The biggest uncertainties around Covid-19 may have subsided now that vaccinations are rolling out and the world has learned how to live with the pandemic. But for most businesses, there’s still a largely unanswered question: How will data security work in the age of work-from-home?
This is a pressing problem for business because work performed outside of the office is generally less monitored and more reliant on good employee security behavior. The trouble is that an estimated 95 percent of data breaches happen on account of human error, making large-scale reliance on employee behavior an iffy proposition.
Business leaders are aware of this problem and worried, too. Almost 90 percent of businesses report that they feel vulnerable to data breaches that originate with their employees, and 73 percent of businesses say they have experienced a sensitive data leak within this first year of the #WFH trend. This makes remote worker data security an urgent problem for businesses.
Thankfully there are methods for mitigating this risk, even if complete data security is something only possible in theory.Here are five ways that businesses can help ensure their corporate data resources stay safe in the age of work-from-home.
1. Mandate Ongoing Cybersecurity Clinics for all WFH Employees
The weakest link is always the human link. Because human error is responsible for the vast majority of security incidents, employee education plays a starring role in minimizing the chance of data compromise.
Most businesses already have some form of cybersecurity education in place, but often these tutorials are mind-numbing one-off events that take place during employee onboarding or are offered periodically and elicit groans from the average worker. A better way to educate employees on how to avoid suspicious emails and log out of online corporate resources is through ongoing cybersecurity programs specifically aimed at remote workers.
Crucially, these cybersecurity clinics should be mandated as part of the agreement where employees are allowed to work from home: In exchange for having the opportunity to work from home, an employee must attend the company-sponsored cybersecurity clinics so they can do it safely. By tying the clinics to the privilege of working from home, it makes education an employee enabler instead of a drag.
2. Catalogue Where Corporate Data Lives
When employees work from home, data location gets messy. Theoretically, all corporate data should stay on company servers, but in practice employees often download files to personal laptops, create business data and store a copy for their personal records, and possibly upload things to private data stores such as Dropbox or Google Drive.
It is hard for businesses to secure data if they don’t have visibility into where it lives, so a second way that businesses can boost data security in the age of work-from-home is through data inventory solutions that scan and keep track of where business data truly lives.
This cataloging can get tricky when employees work from home because many devices where data lives are not company-owned. But data discovery solutions exist that allow businesses to peer into even these dark recesses of the computing landscape without compromising employee privacy, and they practically are a must for businesses that care about securing corporate data when employees are not in the office.
3. Classify Data According to Sensitivity
Not all corporate data is equally important. An email that confirms a business meeting likely is not keeping a corporate compliance officer up at night the same way as a spreadsheet with customer data on it. Securing business data, therefore, requires not just knowing where all of a company’s data lives, but also classifying it according to sensitivity.
Data classification does not necessarily require dozens of categories and sub-categories. A classification scheme could be as simple as four levels: restricted, confidential, internal, and public.
With even a simple classification scheme, however, businesses can track and automate security processes based on sensitivity. So an organizational chart might get an “internal” tag and exist with no greater security than file monitoring, while an intellectual property document could get a “restricted” tag and both get encryption at rest and strict access controls attached to it.
4. Monitor Data in Real-Time
Speaking of file monitoring, a fourth method for reducing the data security threat from work-from-home is through ongoing, real-time data monitoring both of corporate resources and devices employees use for work when home.
Discovering a data breach after it has occurred is often too late, so businesses should ensure they have a cloud-based, real-time data monitoring platform in place for uncovering data security issues as they happen.
A good platform will do more than just monitor files, however. Through machine learning, many monitoring solutions now exist that can apply behavioral analytics to uncover dangerous employee activities, actions, and transactions before they occur. If an employee is routinely downloading corporate resources and leaving them on the desktop after use, for instance, some real-time monitoring platforms can now identify this employee as a security risk and help enable intervention before a data breach has taken place.
5. Require Encryption at Rest
Device compromise sometimes occurs even with educated employees and proper security processes in place. A compromise could happen by an employee leaving a file on a personal device after it has been used, by malware that takes over a laptop, or from many other benign or malicious activities.
So a final way that businesses can protect corporate data in the age of work-from-home is through the mandate and enablement of encryption both during transit and at rest.
There are a number of ways that businesses can approach data encryption at rest when it comes to remote workers. One way is automatically encrypting all business data by default so employees must unencrypt it on the fly during use. This can be onerous on employees and also impractical, however, so another approach is making sure that business data is only accessed through mounted corporate cloud drives that have encryption already applied.
The third solution for encryption at rest is offering corporate-sponsored encryption solutions to all employees who work from home at least one day a week or educating them on how to encrypt files natively within their operating system and mandating that all work files live under this encryption.
More than 70 percent of full-time US employees currently work from home as a result of the Covid-19 pandemic. Businesses might be lucky about avoiding a data breach now. But given that more than half of workers now say they will insist on work-from-home options even after the pandemic has passed, remote work isn’t going away. So it is time to make sure corporate data security is ready for the challenge.