Jon Fielding, Managing Director, EMEA of Apricorn, pictured, writes of data on the move; and the value of encryption. His firm offers encrypted hard drives, desktop drives, flash keys and software.
Mobile working has notoriously proven to be a huge risk to data security, and the problem has only been exacerbated recently with the vast proportion of the UK’s workforce following strict government guidelines to work from home. With countless businesses given little option but to ‘shut up shop’ and immediately implement remote working strategies, the crisis has been hugely disruptive in more ways than one, and has left many chasing their tails.
Data on the move
The knock on effect of this is that many businesses now need to adapt their working practices to allow for more remote and mobile working in future. A survey from Buffer found that 98% of remote employees would like to continue working remotely (at least for some time) for the rest of their careers. Organisations must evaluate their existing IT infrastructures and implement the necessary changes to support this movement.
Businesses are very quickly expanding their device estates to cope with the increase in remote working, providing employees with new laptops, tablet computers and mobile devices which require additional policies and security measures to address the increased risks posed by data on the move. IT teams must have full visibility over every device, with strict policies and security in place to avoid corporate data falling into the wrong hands. Something as simple as downloading an app onto a mobile phone can very quickly result in the compromise of data. Equally, a lost or stolen device with inadequate protection could have devastating repercussions. Companies need to ensure personal data is secure, but worryingly, a recent survey by Apricorn found that more than half (57 percent) of UK IT decision makers still believe that remote workers will expose their organisation to the risk of a data breach.
Encryption has always been a critical piece of the cybersecurity armoury, but also one that can often be overlooked, particularly when it comes to data on the move. Organisations should analyse their data, identify everything that should be protected, understand where it exists and how it is transported, and ensure that it is encrypted at all stages of its lifecycle. With so much data now moving beyond the corporate perimeter, it’s imperative to address the importance of encryption in protecting sensitive information, whilst giving staff the flexibility required to work remotely. If data isn’t encrypted, its integrity can easily and quickly be compromised. Businesses need to be able to have some level of control over the data when it leaves the organisation.
Encrypting valuable or sensitive data will enable organisations to manage the increased data security risks. Businesses are recognising this, as the aforementioned survey also highlighted an increase in encryption and endpoint control. Nearly all survey respondents (94%) said their organisation has a policy that requires encryption of all data held on removable media. Of those that do, more than half (57%) hardware encrypt all information as standard on all removable media.
Of those with an information security strategy that covers employees’ use of their own IT equipment for mobile/remote working, Forty two per cent said they permitted only corporate IT provisioned/approved devices, and have strict security measures in place to enforce this with endpoint control, which shows a huge rise compared with 12 per cent in 2019. This shift towards endpoint control is a crucial step in securing the remote workforce and avoiding the potential ramifications of a data breach.
Demonstrating compliance
If businesses enforce the use of encrypted devices they may also find themselves in a stronger position to defend themselves if a breach should occur. If they are able to demonstrate the use of encryption practices, there is potential to mitigate fines for non-compliance with regulations such as The General Data Protection Regulation (GDPR). The regulation has clear mandates for data encryption; firstly for compliance (Article 32); secondly to mitigate the impact on any organisation who suffers a breach (Article 34) which removes the obligation to individually inform each citizen affected if the data remains unintelligible. Additionally, article 83 suggests that fines will be moderated where the company has been responsible and mitigated any damage suffered by data subjects.
Organisations can, and will, be audited for compliance and will be required to make changes to their policies and practices when found to be in breach of the regulations. Proactive and comprehensive policies and procedures must be set up, regularly updated, enforced, monitored and maintained – with documentation available for inspection in the event of a breach investigation. These policies must also cover removable media, mobile devices and remote workers.
Defending your data
Whilst many businesses are currently encrypting devices, the Apricorn survey also highlighted that they have no further plans to expand encryption on USB sticks (38 per cent), laptops (32pc), desktops (37pc), mobiles (31pc) and portable hard drives (40pc). This is worrying given the risks posed to corporate data being held on unencrypted devices, particularly when taking into account that employees unintentionally putting data at risk remains the leading cause (33pc) of a data breach, with lost or misplaced devices the second biggest cause (24pc).
Relevant policies should be put in place to include the mandated use of a FIPS-certified, software free hardware encrypted mobile storage device, incorporating practices such as user pin pad authentication and device whitelisting to lock down USB ports to accept only corporate approved devices.
Crucially, employees must also be comprehensively educated on an ongoing basis, on how to use the solutions available to avoid a breach, and also on the likely consequences if they fail to do so. The best defence, overall, is to ensure everything you have is as locked down as possible and that all personally identifiable information (PII) is encrypted, whether in transit or at rest. Businesses should also make certain that they have the ability to retrieve devices when employees return to work, or leave the organisation.
Recognising the value of encryption and endpoint control as part of a robust and rigorous cybersecurity strategy, will put businesses on the front foot when it comes to finalising any ongoing remote working plans and protecting data on the move.
