Unfortunately, I see it far too often – organisations regularly underestimate the threat of data loss posed by remote and hybrid working. Employees conduct business at airports, coffee shops and even commercial shared workspaces. The risk of data being exposed, compromised or lost has never been higher.
Remote working doesn’t only increase the risk of a leak. It also exacerbates the potential fallout. A recent report from Gartner on Data Loss Prevention Actions states that it takes on average “135 days to contain data breaches when more than 50% of the workforce is remote and an additional $1.07 million in mitigation costs when remote work was a factor in the breach.”[1]
Despite this, over half (51%) of mid-market organisations don’t have solutions designed to protect remote workers[2]. The threat landscape has expanded, but small-to-medium sized organisations don’t have the right tools in place.
Unsurprisingly, the same Gartner report found that IT teams are shouldering the responsibility for ensuring remote workers can access data securely. These are teams that, especially in the mid-market, are already overstretched. On average, these teams are already managing 24 security point-products which are producing 716 alerts a day. With only 102 seconds to assess each one, it’s understandable that 42% of IT professionals have suffered the fear of a missed cybersecurity alert[3].
Factoring remote working into this fractured environment complicates data protection even further. Remote working means employees operate outside of the traditional perimeter and work patterns – i.e. 9-5 at the office. It transforms visibility into data usage and storage patterns, and with it increases the risk of data loss.
So, what’s the answer?
#1 Create or Evolve Existing Remote Working Policies
The first step is building solid foundations. This either starts with creating a dedicated remote working policy or continuing to evolve your existing policies to meet demands. A strong remote work policy makes expectations clear and guarantees everyone is singing from the same proverbial hymn sheet.
Policies created at an organisational level can also assist with writing cyber security policies. For example, Stevens & Bolton recommend “employees should be prohibited from working remotely from a location outside of the UK without having first sought their employer’s written permission.”[4] This means you can start using context-aware Multi-Factor Authentication (MFA) to restrict access based on location. For apps that natively support MFA, it’s simple.
With an integrated cyber security platform, you can take this one step further. For example, Censornet’s Autonomous Security Engine (ASE) and its native integration between Identity-as-a-Service (IDaaS) and MFA mean you can set up MFA even if the app in question doesn’t support it. IDaaS puts MFA in front of any cloud app that supports federated identity standards, and then ASE can be used to geofence it. Suddenly, cloud applications are a lot safer – even for remote workers.
#2 Set your employees up for success
The way employees use technology has dramatically changed. Whilst most end users want to do the right thing, ultimately too many are left in the dark about the risks.
All too often we assume employees are practising perfect cyber hygiene without proper training. As employees surged to embrace remote working, there was not the same rush for education.
Now, work and home devices are often used interchangeably. Sometimes personal information is saved on a work device, or a password is reused, or a work device is used for online shopping. Cybercriminals know this and are “evolving their methods to directly exploit the psychology of end users”[5]. Employees need to be able to understand the threat and stay safe with regular, interactive bite-sized training that embeds cyber best practice.
Censornet’s Security Awareness Training (SAT), for instance, is an automated cyber security training programme that takes up a total of 60 minutes over the course of 12 months in monthly instalments. It even has a prebuilt “Working from Home” course that focuses on the specific challenges remote workers face. Cyber security is everyone’s responsibility, but security teams need to set them up for success.
#3 Don’t forget the physical environment
Physical security has a substantial impact on cyber security. Something as innocuous as the placement of a computer screen could result in a major breach. It doesn’t matter if only the right person can access customer data, if the wrong person can then see it over their shoulder.
Some easy to implement measures include:
- Use privacy screens to reduce visual access to data
- Make shredders accessible for printed documents
- Implement policies for secure document storage
- Periodic home setup evaluation to make sure obvious things aren’t missed
#4 Evaluate Workstation Setup
Just like your physical workstation, your cyber workstation needs to be standardised and secure. There are two baseline configuration recommendations you can implement with minimal effort:
- Restricting USB Access
Disabling USB storage is a simple way to eliminate one data loss route. Even the biggest organisations aren’t immune to a rogue USB. The US Government themselves fell foul of a compromised flash drive which was plugged into a military laptop and established a “digital beachhead” for a foreign intelligence agency[6]. Taking the simple step of using a group policy template can save a lot of heartache down the line.
- Bring Your Own Device (BYOD) Setup
If you are operating a BYOD policy then you should consider replacing network-level VPN access with application-level, context-aware, identity-based zero trust network access (ZTNA). A ZTNA controller could come in the form of an identity broker, which forms part of IDaaS. You should also prioritise strong authentication methods, such as MFA.
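A read-only check for the USB storage restriction described above, as an added example that is not from the original article. It assumes a Windows endpoint and looks at the machine-scope registry values written by the Group Policy setting "All Removable Storage classes: Deny all access" and by disabling the USBSTOR driver; the function names are illustrative.

```powershell
# Added example: audit whether USB mass storage is blocked on this Windows endpoint.
# Read-only: it reports the current state and changes nothing.
# Assumption: only machine-scope (HKLM) settings are checked; a per-user policy
# under HKCU is not evaluated here.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-UsbStorageRestriction {
    # Written by the Group Policy "All Removable Storage classes: Deny all access".
    $denyAll = Get-RegValue `
        -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
        -Name 'Deny_All'

    # Start type of the USB mass-storage driver: 3 = load on demand, 4 = disabled.
    $usbStor = Get-RegValue `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name 'Start'

    $policyDenies   = ($denyAll -eq 1)
    $driverDisabled = ($usbStor -eq 4)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PolicyDenyAll  = $policyDenies
        UsbStorStart   = $usbStor
        DriverDisabled = $driverDisabled
        # Either control closes the removable-storage route on this machine.
        Compliant      = ($policyDenies -or $driverDisabled)
    }
}

$result = Test-UsbStorageRestriction
$result | Format-List

if (-not $result.Compliant) {
    Write-Warning 'USB mass storage is not restricted on this machine.'
}
```

Run across a fleet through your existing management tooling, the `Compliant` field shows which remote workstations have not yet picked up the policy.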
#5 Make the Most of Tools like Data Loss Prevention (DLP)
Serious about preventing data loss? Then you should also be looking at other tools like cloud-focused DLP (Data Loss Prevention). This will ensure your data is not lost, mishandled, or accessed by unauthorised users.
With an integrated autonomous platform, like Censornet’s, DLP natively integrates with existing services, such as web, email or cloud application security. It supports the creation of GDPR-compliant security policies across major data loss points, such as preventing the emailing of customer numbers or personal information.
Want to learn more about mitigating the remote worker risk of data loss? For a limited time, we are offering complimentary access to Gartner Report “5 Tips to Protect Data for Midsize Enterprise Remote Workers”. Download now.
[1],[5] 5 Tips to Protect Data for Midsize Enterprise Remote Workers, Gartner, Patrick Long, November 2022
[2],[4] UK Mid-Market on Code Red, Censornet
[3] Remote Working from Overseas: Sounds Idyllic But Beware Of The Legal Pitfalls, Stevens & Bolton
[6] Defending a New Domain: The Pentagon’s Cyberstrategy, Foreign Affairs