Originally published in Credentialing Insights – The online journal for ICE
As working from home becomes mainstream, organizations are presented with the challenge of keeping confidential data secure, while also making it available to employees working remotely from disparate locations. Through implementing and maintaining a security program that includes organizational policy, employee education and technical security controls, organizations considering a move toward more remote located employees can significantly reduce the risk for a data-related security event.
While best practices suggest that organizations review and update their security-related policies at least annually, organizations experiencing a sudden shift from employees working in an office to working remotely should plan to review, update or even establish policies outside the normal review cadence. Policies an organization should review and update include: digital information safeguards, clean desk and bring your own device (BYOD).
Digital Information Safeguards
While no organization is immune from hacking, many hackers are opportunists looking for a weakness to exploit. Digital information safeguard policies are used to keep an organization vigilant in continually identifying and securing private information. While these policies can be extensive, at a minimum they should identify the common types of information that your organization deems confidential. Additionally, policies should provide instruction for accessing, handling, storing and archiving this information. Finally, policies should outline the proper methods for information disposal.
Some items for consideration within digital information safeguard policies and procedures that may impact employees working remotely include:
- Identifying confidential and private data, their use within the organization, who requires access and any limitations on access, including working outside the office
- Protecting systems and data by using strong passwords, multi-factor authentication and secure connections to the network via a Virtual Private Network (VPN), which provides increased security regardless of where work is completed
- Proactively using software like anti-virus and firewalls for prevention and detection of potential security-related issues
- Installing patches (computer and software updates) on a monthly or more frequent schedule, and after a major patch release that fixes a known, exploited vulnerability, regardless of where the employee is located
- Listing and enforcing the appropriate use of work computers including approved software, web browsing and social media practices (tactics to enforce this may vary but can include anything from employees signing agreements to software that restricts certain activities)
- Providing procedures for accessing and storing data on high-risk devices like laptops and external storage drives
- Following appropriate procedures for disposal and destruction of data, and sanitizing of devices on which data was stored
- Providing the appropriate resources for employees to contact, to obtain support with securing information or to report a potential concern
Clean Desk
As working remotely becomes the new norm, organizations need to take into account other environments in which their employees may work, whether it be coffee shops, parks or other public places. The clean desk policy should ensure employees monitor their workspace before they step away by properly securing all paper and electronic documents, and protecting access to their computer. This includes carrying the device with them when leaving it would present a potential risk. Employers should consider limiting data on employees’ machines to only the projects on which they are working and provide guidelines for storing and archiving previously completed projects. This helps limit exposure in the case of a lost, stolen or broken laptop.
Bring Your Own Device (BYOD)
As a blending of working from the office and home becomes commonplace, so too does the use of personal devices, such as mobile phones and tablets, to view email and complete work-related tasks. This creates a conundrum for employees (who often store personal data on these devices) and employers if email or other confidential data is accessed and stored on these devices.
A BYOD policy establishes the guidelines for when and how a personal device can be used for work purposes, which devices will be permitted, and how data can be accessed, stored and removed securely on these devices. The BYOD policy should also put appropriate limits on what data can be accessed and who can access this data. Employers who permit employees to use their own devices should have the proper technology in place to manage these devices without overstepping bounds to retrieve employees’ personal data and information.
Employee Education and Technical Security Controls
Employee negligence consistently ranks as one of the most common causes of security breaches, regardless of work location. Annual security training helps ensure that employees are aware of organizational security policies and reminds them of the role they play in securing company information and data. As social engineering becomes more prevalent, employees need to recognize attempts to lure them into providing personal or company information that can be used in future hacking attempts. For example, a seemingly innocent social media post in which someone shares their favorite color, first car and birth month often aligns with the questions used to reset or retrieve a lost password on many websites.
Organizations can also leverage technology to assist employees in securing information. Implementing multi-factor authentication, which requires additional verification beyond a password to access secure data, protects against hackers using only a password to retrieve secure information.
It is also essential to encrypt laptop hard drives. If a computer is lost or stolen, encryption ensures the contents of the drive cannot be read simply by removing the drive and connecting it to a hard drive reader. Organizations should also consider leveraging endpoint management software to provide centralized control for managing employee laptops. This software can help organizations review and manage the software, computer policies and patches running on employee laptops wherever the employee is working.
Summary
An organization’s confidential information and data are only as secure as its weakest link. It is essential to recognize and adapt to changing work environments. In the never-ending struggle to stay vigilant against security threats, organizations should use a combination of policy, education and technology to protect confidential information and data.