Four out of five knowledge workers did their work hybrid or remotely in 2022. And while companies shifted to define and adopt remote work policies, we see similar, and just as crucial, shifts in how they approach data security with a predominantly remote workforce.
To meet the challenges of protecting sensitive information and maintaining regulatory compliance in today's dynamic business landscape, companies must adapt their data access protocols to account for employees accessing data from various locations and devices. Similar to how companies shifted their security posture when migrating from on-premise to hybrid and cloud environments, it's again time to transition to a new data access posture to ensure data security and compliance as employees remain mobile.
Start by training and coaching employees on handling sensitive data and then build it into all facets of their daily work. Combine education with repetition to build experience. From day-one on the job, introduce each employee to the company’s culture of security and quickly give them the chance to be hands-on with security processes in the following areas:
- Data security basics: Train employees to focus on security basics that the company follows, such as how to identify and avoid common threats like phishing scams (validate the URL before clicking); how to spot fraudulent texts (using password managers and never sharing credentials); think of dual authentication as the rule (not the exception); and other practices that are already second nature to seasoned employees.
- Compliance requirements: These regulations and requirements, including data protection and privacy regulations like HIPAA and GDPR, change and evolve. Companies should educate all employees on the specific compliance requirements that apply to their roles and those that apply to the company. Employees with privileges that interact with data regulated by these requirements should understand them at a level they could teach others, and they should have supporting monitoring and policies in place that help them follow these guidelines.
- Data handling procedures: Train employees on the specific guidelines for handling sensitive data, including how to access, store, transmit, and dispose of it securely. But even more important, leverage tools that make it easy for employees to handle confidential data appropriately instead of leaving the onus on them to define a way. With the right tools and knowledge, the company reduces the burden on the employee while also increasing the proper handling of sensitive data.
- Incident response and responsibility: Not all employees are tasked with responding to data security incidents, but companies can train employees on how to identify and report suspected breaches, how to participate in incident investigations, and most importantly, which corrective actions can help prevent future incidents.
Regular security training helps create awareness and introduces skills that all employees need. This training only represents the introduction to security – not the whole story. The organization reaps the benefits of a security-focused workforce through regular daily practices that flow into the rhythm of the team’s work. Every team member should build awareness and familiarity with all security practices and over time, and they will develop security-first muscle memory. Least privilege reviews should feel like second nature for managers. Engineers should expect and be familiar with multiple reviews of all source code changes; make backup, encryption, and limited access the default, not the exception, for every DevOps lead.
Taking the time to converse on using company-approved security tools can serve as a valuable introduction for new employees. Immersing them in a security-first environment with other employees will let them practice and develop security skills that will benefit each other and the company. It’s important to create an environment of open communication and accountability that supports employees coming forward to ask questions and share when they think or know that sensitive data has been compromised.
As a leader, stay selective and demanding about the security tools selected for the company to empower employees and ultimately benefit customers. Choose security tools that make it easier, not harder, for employees to access sensitive data securely to deliver value. Seek out flexible tools that work with ever-evolving regulations and the changes and shifts of the policies that matter most to the company and its customers. Make it easy for data security leads to know exactly where the company's sensitive data resides, at any time, and who has access to it. Make it simple for employees with access to sensitive data to use it correctly, every time, and generate value without inadvertently introducing additional risk. Finally, choose the tools that give the company’s employees the confidence to know that their data is secure.
April Slayden Mitchell, vice president of engineering and operations, Dasera