By Daniel Santry.
The global pandemic has changed the way some businesses operate almost beyond recognition. Many company headquarters have been all but empty throughout the majority of 2020, and, although the situation is slowly changing in many parts of the world, remote working has firmly established itself. Modern communication systems and cloud services have allowed for a great deal of this digital revolution to take place, but they have also presented certain challenges, not least in terms of data security.
In the face of increased reliance on remote technology, businesses have often needed to augment their cybersecurity work to meet this new mode of working. What should enterprises be doing to ensure their data remains secure when so many of the workforce are performing the majority of their daily tasks from home?
Register New IT Assets
Few IT departments, even those in the largest corporations which plan for disaster recovery, would have predicted the scale or impact of the COVID-19 crisis. As such, policies surrounding IT asset disposition and data protection have either had to be rewritten completely or significantly updated to accommodate new ways of working. Laptops issued by IT departments for remote working may now be the norm, whereas, before the crisis, workers might have been using registered desktop terminals connected over a LAN.
Remember that the fixed asset register of IT equipment being used for work needs to be updated to include all of these new devices. Laptops and tablets issued from the head office are only two examples of what needs to be included to ensure everything is up to date, however. Many people working from home will be using their own computer equipment. They might even be using their personal smartphone to access sensitive data via emails, apps, or even by connecting directly to company servers. By registering such devices, IT professionals should be able to grant access to such information only to those who pass the correct authentication procedures. Remember that mobile computing devices are often taken out and sometimes lost or stolen, so if they are used for work, they need to be part of your IT fixed asset register and treated as such.
Consider the Security of Cloud Services
The cloud is a great way of working when people are not in the same physical space as one another, but not all cloud services offer the level of cybersecurity they ought to. Some servers providing cloud-based services can be accessed by unauthorized personnel, for example. Not every piece of software that was ever written to run a cloud-based service has the necessary protection to afford the privacy you need as a commercial organization.
Therefore, it is often best to choose a cloud service provider based on their ability to provide your colleagues with a genuinely secure platform. Office 365 is a good example of a cloud-based documentation system that users can make use of confidently, safe in the knowledge that what they are sharing remains within strict bounds and that their system is, consequently, compliant with GDPR rules. Essentially, you should look for a service that provides users with the same level of cybersecurity throughout your entire organization. Relying on personal email accounts probably won’t cut it if you are faced with a data audit.
Ensure GDPR Compliance
Avoiding insecure cloud services for passing sensitive data back and forth is a big step in ensuring you don’t face GDPR fines in the future. If you are found by the regulators to have transgressed the rules, then the fines can be very high indeed and can even cripple your business from a financial point of view. Taking an emergency measure during the current crisis will not protect you from such fines if your organization is found to have been negligent in the way it has passed client data around. This is especially so if any of the information you have stored is deemed to be of a personal nature, such as financial records, for example.
GDPR places the onus on organizations to control their data. Ensure that employees working from home can only access the sort of data that is relevant to their job and deny them access to what is not important. This means that the most sensitive forms of data should only be accessible to a small group. If someone needs a particular record, then this can be shared without them being able to access every record in a file. Remember that clients and customers still have the right to access the information you store on them under GDPR, too. This right continues regardless of the new modes of working the pandemic has brought about.
Remove Remotely Held Sensitive Data
Finally, when life begins to normalize once more, and employees come back to the office rather than working from home, data held on remote devices will need to be sanitized. If data is no longer needed on a device, then it should no longer be stored on it. In some cases, this will mean wiping or overwriting hard drives and flash memory sticks. In other cases, a fuller process of data destruction may be in order to ensure the most important records that were held remotely have been fully destroyed.