June 24th 2020 – By Danny Reeves

How do organisations balance data security and productivity in the world of remote working?

Originally published in SC Magazine.

With the country in lockdown, most desk-based information workers are now working from their homes. As digital borders are stretched to their limits, the concept of a perimeter to secure is over, which brings a raft of new risks that data security and governance professionals need to deal with.

Insider threats and data policy violations have always ranked amongst the top sources of security incidents for many businesses. So I find it really interesting that traditionally, data security technology has focused on minimising the threat of an external or malicious hack, rather than protecting the data on the inside.

At a time when homeworking has increased significantly, companies are being forced to open their digital borders in a way they may not have prepared for, which is leaving them more exposed than ever.

Working remotely, security looks very different:

  • There is no longer an IT ‘perimeter’.
  • Getting true visibility of devices, users and who owns them is almost impossible.
  • There are questions around how secure people’s home networks are.
  • If employees are working on personal laptops, what are they doing to stay connected?

Exonar’s research shows that over a third (36 percent) of UK homeworkers have downloaded unapproved software onto computers to communicate with colleagues during Covid-19 homeworking.

This use of shadow-IT is a huge and often unnecessary risk for users in an organisation to take.

We don’t yet know how long this situation will last – and even when we fully emerge from lockdown, the potential is there for remote working to remain prevalent within organisations. Many companies, including Twitter and Square, have already announced that staff can continue to work from home forever.

So what does this mean for data security?

Every enterprise holds sensitive information about its customers, it’s products and commercial activities. It only takes one mistake by one employee to leave that data open to being breached, which has the potential to do massive reputational damage if handled incorrectly.

It means there’s a balancing act to be undertaken, which weighs the merits of robust data protection against productivity of workers who need the data to do their jobs. Organisations need to provide the right methodology, technology, and processes to enable the workforce to continue to operate without participating in risky practices.

Organisations need to find, track and secure their data

One way to help the organisation to do better with data, is to gain total visibility of their data at scale. Given the vast volume of data managed by organisations these days, almost all of them admit that they simply don’t know, at scale, exactly what is in the data they are holding, where specific data is. This means that when employees do the wrong thing with data while trying to get their jobs done, it’s very likely that nobody will notice, or be able to secure it effectively afterwards.

The ability to know your data as an organisation has huge potential going forward. When an organisation knows exactly what data it has, where it is and who has access to it, data security becomes much easier and the risk of data being compromised is dramatically reduced.

It’s all about your people and their behaviours while working remotely

It would be fine if employees didn’t need to be able to access, manipulate and share sensitive data as part of their jobs – we could simply lock it away and secure it forever.

However, in reality data is a valuable resource and it’s necessary in our digital world. Because employees need to access, manipulate and share data together to get their jobs done, the majority of data breaches are due to some form of human error, a lapse in process, or of course in some cases the deliberate actions of disgruntled employees.

Research of remote workers found that nearly three-quarters (72 percent) claim to need to access, share and receive sensitive customer information to allow them to perform their job role. This means that data is very much part of business as usual.

The research found that more than 1 in 10 Covid-19 homeworkers (14 percent) claim to have little to no understanding of their company’s data protection policies, and nearly a quarter (24 percent) admit they ‘rarely’ or ‘never’ consider data protection policies or regulations when they share information with colleagues as part of their work.

Information security professionals are looking to tackle data itself – the missing puzzle piece?

As information security adapts to an ever-changing landscape, it’s become apparent that it’s a matter of when, not if, your organisation is going to suffer data breaches, large and small. I believe the focus is shifting from protecting the perimeter and monitoring intrusion, to focusing on the data itself.

Our customers tell us that the way forward is a combination of knowing your data better as an organisation, reducing the amount of sensitive data that employees leave lying around unprotected, together with targeted education of employees to change their behaviour.

Pursuing this combination of people, process and technology, with the ability to find and protect information, while monitoring adherence on a daily basis with policy, is a recipe for success for information security and data governance professionals alike.

What’s happening today is driving the digital agenda

In a digital world, data is becoming the lifeblood of every business. Some of that data is sensitive, and alas, a large number of remote-working employees need access to it to get their jobs done every day.

Data security professionals have a difficult balancing act to perform. They need to allow employees access to sensitive data, but they also need to protect the organisation. There are a range of technologies can help protect information, but people and process are equally important.

Gaining broad visibility of all types of organisational data is a crucial tool in making all of this work. Knowing your data means being able to find data has been left exposed by employees. It means better understanding how employees are operating sensitive data and then opens up more targeted training and awareness, as well as protective technologies, to deliver a sustainable future.

In a world where remote working is the norm, it’s the measures taken to embed awareness of data security into business-as-usual that will enable an organisation to allow its employees to get on with their jobs.

Finally, let’s remember that data also gives employees and organisations the freedom to take advantage of new opportunities where can use information and insights to drive decision making and productivity. By doing this every organisation can get a much clearer understanding of what data they have, where it is, how it’s developing, how it’s moving, changing and growing.

Research based on a survey of 2,000 UK Covid-19 homeworkers, conducted in May 2020 by Exonar, in partnership with market research house, OnePoll.