Data privacy and protection has been in the spotlight as cyber-criminals look to exploit the significant changes in working patterns and practices implemented in response to COVID-19. Ian Davis, Head of the Information Security Practice at Gemserv, argues organisations need to be equally mindful of the risks to data they hold for clients.
Although the easing of restrictions will come as a relief to all of us, the changes in working practices seen in response to lockdown are most likely here to stay for the foreseeable future.
Offices will start to re-open their doors, however social distancing measures mean many staff will be required to continue to work from home for some or all of the time.
The mass shift to remote working seen since lockdown measures were introduced has forced businesses and employees to quickly adapt to very different ways of operating and, for some, the first challenge has been finding a space in which to work in their home.
Over the last few months, there has been no shortage of amusing images posted on social media featuring staff working from sheds, garages and greenhouses or squeezed around a shared kitchen table.
Although this flexibility, alongside the adoption of other collaboration tools, has enabled businesses to continue to operate, such images will also have given many CIOs sleepless nights by highlighting just how different ‘home’ working environments are compared to the relatively controlled security of the office.
Cyber-criminals have looked to take advantage of the changes to working practices, with significant increases seen in attacks targeting the home working population.
Against this backdrop, much advice and guidance has been provided by industry and Government agencies to raise awareness of privacy issues and ensure organisations do not fall foul of data protection legislation.
However, less emphasis has been placed on the equally important need for organisations to maintain control of the sensitive assets they hold for clients.
Risks just as great as personal data breaches
Although breaches of confidential client information may not be subject to legislation, they could destroy the reputation and future of an organisation just as readily as a breach of personal data.
For CISOs, the challenges of mass remote working are very similar to those faced by DPOs and centre on the need to minimise the risk to client data.
One of the key challenges for many employees is that the management of sensitive data outside of the relatively secure environment of an office is a new experience.
Although people have worked remotely to varying degrees for the last twenty years, the difference is that it was previously planned: staff were provided with the equipment they needed, were familiar with remote working policy and procedure, had a regular workspace, and were accustomed to safeguarding the information they worked with.
More distanced from controls
Organisations can implement a number of technical solutions to reduce risks to data in transit or at rest. However, in these new employee working environments, the risks of data leakage and breaches of confidentiality are further removed from the controls that were in place prior to the lockdown.
Employees used to home working before the lockdown are likely to already have a dedicated workspace, but this will not be the case for many who are now having to work from home unexpectedly.
Against this new backdrop, how many organisations have revised their risk assessments to examine the effectiveness of existing controls in this new ‘normal’?
An example of the problems faced is that of shared accommodation. Flat sharing is now even extending to room sharing for many young employees. It is not just that an employee may be working at the dining table, but that they may be sharing that workspace with others from outside the organisation, all using a common home Wi-Fi connection.
Clients may be happy that employees are still providing a service, but would they still be happy knowing that their confidential data is displayed on screens or being voiced over speakers in a shared environment?
How to mitigate risk in the home working environment
Firstly, it is important at this time for an organisation to review its risk assessment and the effectiveness of the resulting controls. This is a period of major change: the risks and controls identified may have been suitable for a previously controlled environment, but organisations need to question whether they are still robust. A risk and control review is likely to identify deficiencies in policy and procedure.
How many organisations have conducted a risk assessment around home working? Policies are likely to have been created for the office environment and planned home working, but are they transferable to the new environments? An IT department can control what is inside the organisation’s boundary, but many home broadband routers are still set up on vendor defaults.
User education is a key aspect of data security, but how many organisations have revised the advice provided to employees?
An employee who doesn’t normally work from home is unlikely to be familiar with remote working policies, so it is important to check whether they have been given appropriate guidance rather than simply being left to continue working.
Providing privacy screens and headsets can help to minimise the leakage of confidential data in the home environment; however, training and awareness also need to be revised. Organisations shouldn’t readily assume that an employee has read the remote working policy.
A structured approach of reviewing risks, adapting controls, revising policies and educating users will help ensure robust data protection is in place for the benefit of both organisations and their clients.