Given the strange situation we all find ourselves in at the moment, with so many people suddenly working from home for the first time, organizations have little time to prepare for the consequences that may arise from increased risk of cyber attacks and data breaches. Their data is perhaps not where it should be, nor protected to the same extent as it normally is. It is likely that many employees will continue to work from home for many months, if not forever.
All organizations should be looking at a few key areas:
- Are all the devices connected to your data systems secure?
- Devices: are your employees using their own or company-owned laptops / mobile phones?
- Are there loopholes in your security systems?
- Who has access to what, when and for how long? Should they?
- Are you ready to respond if you are under attack?
- Do your employees fully understand their responsibility and accountability?
- Where is all your data: you cannot protect what you cannot find
Robust systems and robust processes are a requisite part of good data management and therefore good data security.
What should you do?
To continue working with a widespread workforce, many organizations uploaded much of their data (files / databases / documents etc) to “the cloud” in a very short space of time early in “lockdown”.
As a result, a review of the business operations should be undertaken to determine how data have been affected, and how the policies and processes may have been abandoned or compromised.
What changes have been made since lockdown and remote working?
- Who is where?
- What data is where?
- Are your data systems robust?
- Have you undertaken a risk assessment?
These are all areas that require attention by staff and the board of directors.
Working from Home
If your staff are using their home WiFi to access your systems, consider the risk that other mobile devices on the home WiFi network may be infected, which may lead to other computers or devices on the network being infected as well. If that risk becomes a reality, there is a further risk that the home computer used to access your systems, even via a VPN for example, may infect all the other machines in your business as well. It is unlikely that the security measures taken at home are as comprehensive as in your business, so a family member’s computer is more easily compromised.
Sharing the home WiFi network does increase the vulnerability of a work-related computer.
The following measures can mitigate the risk:
- secure passwords
- a guest-WiFi at home to isolate your machine and not connect to the family WiFi
- multi-factor authentication on all your devices and all apps
- a standard virus-checker
- consider encrypted and protected remote hosted desktops, so even if the home machine gets infected, the remote hosted desktop does not get infected
In summary, work-related computers using home WiFi networks are at risk of being infected over that home network from other computers or devices, as they may not all have the same level of security you would have at work. The consequence may be that, when subsequently connected to the work network, the computers that have been connected to home WiFi networks may infect the rest of the devices connected to the work network.
So you must mitigate the risk to all data – commercial and personal – residing on machines that are connected, starting with the work-related computers used at home.
Business continuity
Companies have been forced by this enforced digital transformation to undertake a review of their working methods, and now need to prepare for post-pandemic business continuity.
Remote working can bring considerable benefits to the organization and the workforce:
- Reduced fixed workspace costs.
- Reduced travel costs
- Employees not commuting, so more productive in the working week, with less stress and increased wellbeing
But is the organization ready for this?
It is critical that robust systems are in place together with the right policies and processes to protect the key company assets, e.g., data.
Having a senior accountable officer responsible for Data Protection (or outsourced support) is key, as is training of the personnel.
Many organizations are opting for an outsourced managed service which offers a simple frictionless way to identify and protect all their data, wherever it is.
A final thought: if you do suffer a data breach and/or cyber incident, are you ready to respond appropriately and in line with data protection regulations?
It is essential to train staff so that, ideally, they know how to mitigate data breaches but also know how to manage them. They need to be able to recognize a breach: data loss can be accidental or careless as well as malevolent.
Your organization needs an Incident Response policy and program, with backup and recovery together with a compliance and notification procedure. However, the key priority for all organizations is: know where your data is. You cannot protect what you cannot find.