The ongoing COVID-19 pandemic has upended life for millions of people around the world, especially when it comes to work. While the remote work lifestyle has its perks and complications, there’s no denying it’s also introduced a dramatically heightened risk of data loss.
Scores of employees who have never been trained to work from home securely have been thrust into a new work situation. And although the economy has shown signs of improving, an uncertain business climate could tempt workers who are unsure what their future holds into stealing sensitive data such as trade secrets or source code.
In many scenarios, engineers with access to highly sensitive data and IT systems are working from home with less oversight than they’ve ever had. Many employees have less access to corporate network data shares and sanctioned collaboration tools – services that are usually present at offices and are designed to safeguard that valuable data.
It’s always important to follow cybersecurity best practices – especially when working from home – but there are specific strategies employers can adopt to mitigate data loss risk during the COVID-19 period. Here are five steps security leaders should take to better protect their company’s data:
1. Remind employees of the company’s policies for handling sensitive data.
Organizations should have protocols in place for sharing sensitive data, regardless of whether it relates to employees, the business itself, or customers. It’s important during these times to reiterate those policies and remind employees of the limitations of email, Slack, or whatever’s popular in your office. By issuing data governance policy reminders, organizations can stress the importance of using only sanctioned apps, cloud storage services and USB drives. When these tools are abused, not every company has the technology necessary to see and outright block this type of activity.
2. Ensure sensitive information gets labeled properly.
If the organization handles highly sensitive or regulated data, make sure it’s labeled as such. Flagging data and ensuring there are policies in place to thwart unauthorized access can go a long way toward deterring misuse. Organizations can deploy watermarking technology to remind users that they’re accessing protected information and, in some cases, prevent an employee from handling it improperly. Other technologies can automatically label files to drive data protection programs and ultimately serve as the building blocks of data security.
3. Limit access to sensitive data.
By tracking who has access to sensitive files and file drives, organizations can keep better track of what’s accessed and when. It’s important to periodically assess employees’ need for that access and limit it for those who don’t require it. Organizations should develop formal policies and procedures around who has access; in many scenarios, depending on the sensitivity of the data, this gets handled on a need-to-know basis. Monitor the network for access to confidential data and/or anomalous behavior, unusual spikes in downloading, or irregular traffic, and follow up as needed.
4. Host a remote security awareness training session.
Many organizations have grown accustomed to hosting an annual or biannual in-classroom security awareness training session. With the onset of COVID-19, these in-classroom experiences can no longer occur. Consider offering remote and/or on-demand security awareness training.
5. Deploy VDI or desktop-as-a-service.
Employees working from their personal PCs or laptops and leveraging their home Wi-Fi networks can create high-risk situations. Since organizations have a limited ability to enforce security controls in these circumstances, they should consider moving employees off personal devices to corporately managed virtual endpoints hosted in the cloud. VDI and DaaS providers such as Amazon WorkSpaces can reduce the risk by delivering strong controls on remote workstations while still allowing the system and data access employees need to do their jobs.
At this point, it’s clear we’re in this for the long haul. While some offices have opened back up under strict social distancing guidelines, the majority of us will work from home for several months. And while this isn’t an exhaustive list by any means, these are important first steps for employers to secure company data now and in the future.
Tim Bandos, vice president of cybersecurity, Digital Guardian