Some 1.5 billion people are estimated to be working remotely. This means that employees are accessing an increasing volume of personal and often sensitive data outside the office to perform their duties while also complying with social distancing measures. With many organizations rushing to implement new remote working strategies, data protection can be overlooked: employees may discuss sensitive information while at home, potentially take documents away from company premises, where they can then be lost or stolen, and use applications or software that have not been approved. The use of personal devices, which may lack robust anti-virus software or security patches, or may connect to unsecured Wi-Fi, could result in organizations being at greater risk of cybersecurity incidents, which, in turn, could result in substantial fines. Companies need to ask themselves:
- How are people accessing data?
- How are they working?
- When they create or access content, does it need to be protected?
Organizations with an ISO 22301-compliant business continuity management system can improve customer confidence in the organization’s ability to successfully respond to incidents including natural disasters and man-made disasters. Plan4Continuity’s useful compliance plan templates are ideal to implement well-defined disaster responses and detailed reporting so your organization can show that it is taking the necessary steps to comply with regulatory requirements, such as the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), the Stop Hacks and Improve Electronic Data Security Act (SHIELD), and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S., as well as the Personal Information and Electronic Documents Act (PIPEDA) in Canada.
1. How are people accessing data?
Where employees are granted remote access to their employer’s network from home or an off-site location, it is necessary to understand that giving such access creates a potential weakness in the overall system. This is particularly the case where access at home or off-site is from a wireless network. Employees should therefore take extra care with devices such as laptops, tablets and phones. Recent guidance published by the Data Protection Commission highlights the provisions that employees should be instructed to comply with, which could be helpful.
2. Are employees aware of their responsibilities?
Often the most effective security measure an organization can put in place is to ensure that all employees are aware of their responsibilities. Organizations should therefore ensure they have a remote worker security policy in place to refresh and inform employees of what’s expected of them when working remotely.
3. When they create or access content, does it need to be protected?
Often employees simply do not know. It is therefore important to adhere at least to the following data protection measures: (i) perform all transactions on a secure, password-protected network; (ii) every account should have a different password; (iii) chat apps should be chosen based on their encryption strength; and (iv) company data should always be encrypted.