While some of us may be working in pyjamas and enjoying a much more relaxed commute—shuffling last-minute from the bedroom to the home office or dining table—data protection laws certainly haven’t relaxed, and it’s imperative that your organisation maintain the same attitude toward security that it would if everyone was in the office.
Extended perimeters and the use of personal devices and networks, in combination with the proliferation of the cloud, make data security a lot more difficult. And when everyone is working from home, communicating and managing security measures and monitoring for breaches can be a struggle.
A serious breach can be fatal for your business, whether it’s through crippling regulatory action or through a tarnished reputation, and even a relatively small incident can stymie the success of your business. So even though it might seem like the world’s upside down sometimes, keeping on top of data security will contribute to your business weathering the storm and coming out strong on the other side.
1. Update your cyber security policy
While your existing policy may have fit office life, you’ll almost certainly need to adapt it to the realities of a distributed workforce, if you haven’t already.
Push updates to all company devices, systems, and programs to maintain good data hygiene and get the latest security patches. Also make sure that employees know to update their personal devices, and when not to - in the case of a software vulnerability.
Your home working policy should also cover how employees should deal with data when working remotely, including transportation, storage, and disposal, which are all important components of GDPR. Make your policy known company-wide, invite questions, and highlight the responsibility of every employee to stick to it.
2. Encrypt and control access
As part of your strategy, you’ll want to limit an attacker’s reach in the event of a data breach, and one of the simplest and most effective ways to do this is through encryption.
Your IT team will be used to having the ability to monitor server security and the network from within the office, but encrypting all of your employees’ devices, including personal devices and work phones, can achieve the same effect from home.
Using a VPN to create an encrypted connection to corporate servers also helps maintain data privacy for employees working from any location, particularly as you can’t always ensure that every remote employee is using a secure, private network.
Another method of limiting the spread of a data breach is by limiting the access each employee has.
If an attack is made through an employee who only has access to the resources they need for their daily work, then an attacker will have difficulty reaching some of the more critical areas of your network.
A zero-trust model, in which it’s assumed that no user or device inside or outside the network can be trusted, is a holistic approach to cyber security through limiting user access. Even by picking out components of the model, like multi-factor authentication, you can set up several barriers against potential breaches fairly easily.
3. Train employees in security awareness
Even if you have great policies and the best cyber security tech, they won’t save you if your employees aren’t properly trained in your policies and basic security awareness.
Encrypting your devices and using VPNs and/or zero-trust security measures is important, but you also need to educate your employees on the dangers of setting their home Wi-Fi passwords as ‘password’, or connecting through unsecure public hotspots.
Secure your Wi-Fi against hackers in 10 steps
Employees will typically represent the biggest vulnerability in your security posture, whether that’s due to malicious insider attacks or, as is most often the case, human error of some kind.
Train your workers to recognise phishing emails through some form of company-wide cyber security awareness training. This type of attack increased internationally by 59% in the first few months of the pandemic and, followed by stolen credentials, remains the most common vector of attack.
According to the 2020 State of privacy and security awareness report, 43% of employees are not aware that clicking a suspicious link or opening an unknown attachment in an email is likely to lead to a malware infection.
4. Stick to GDPR guidelines if a breach does occur
It’s still possible your organisation gets hit with a data breach, and if it does, you still have the same responsibilities as before the pandemic.
While the Information Commissioner’s Office said in a notice published in September 2020 that it’s committed to an ‘empathetic and pragmatic approach’ that takes into account how difficult times are right now, organisations are still required to report breaches to the ICO within 72 hours of becoming aware of them - provided the incident is likely to infringe on the rights of the data subject.
With a third of respondents in the 2020 State of privacy and security awareness report saying they would ‘probably’ report a security incident and 19% saying they weren’t sure or simply wouldn’t report it, it’s clear that some work is still needed to ensure that employees take responsibility for their own cyber security. Part of this is ensuring they understand when a data breach has occurred, but it’s also important that you foster a culture that makes it clear that accidents can happen and employees shouldn’t feel embarrassed about reporting even the smallest of incidents.
