Dispersed employees mean dispersed data

May 5, 2020
Understanding security risk posture across a remote workforce

Employees around the world have recently been asked to work from home in response to COVID-19. While this isn’t new for many — globally, 52% of employees work from home at least once every week — this new period of regular remote work represents uncharted territory for millions of staffers and thousands of organizations worldwide, spanning all industries.

Remote work brings its own challenges, ranging from finding a suitable workspace to keeping communication with customers, prospects, vendors and colleagues fluid. But one of the largest obstacles associated with remote work is also one of the most overlooked: making sure the organization understands the risk created by dispersed data.

For example, in order to stay in close communication with employees, an organization might host regular company-wide video conferences. During these virtual meetings, an executive might screen share sensitive information such as future product roadmaps, sales figures or legal matters. Many leaders trust their employees not to disclose this information, but is trust ever enough? What happens when a staffer screenshots or screen records the session and saves it to a personal cloud drive? The act may be harmless in intent, but it creates a new, untracked copy of sensitive data outside the company's control, one that can be exposed or exploited if that personal storage is not secured correctly.

In another scenario, as sales professionals convert prospects into clients, where are they storing proposals, signed contracts and the other sensitive material needed during onboarding? Most will keep copies in several places at once, commonly including:

●     local “My Documents” folders;

●     synced cloud storage folders;

●     uploads to CRM systems;

●     “Sent Items” in email archives;

●     re-downloaded copies in a “Downloads” folder;

●     internal chat apps, where recipients then save yet more copies in other locations.

Just as the workforce is spread across the globe, so is the organization’s data, now more than ever before. With the following best practices, a business can proactively put in place the systems and policies that make a remote work environment more secure:

Whose Device Is It, Anyway?

When working remotely, it is important to begin by establishing a clear company position on device ownership, particularly as BYOD has only increased in the workplace over time. Generally, an organization will fall into one of three device ownership categories:

●     All devices used are owned by the company

●     All devices used are owned by the employee

●     Some devices are owned by the company, while others are owned by the employee

Complete device ownership by the company is the ideal scenario for most organizations: it gives the company full control over every device, which allows remote management and monitoring to validate that each device is safe to use. This poses the lowest risk. On the other hand, it also comes at the highest cost, as the company must supply and maintain a laptop, and the security software on it, for each staff member.

Sometimes an organization does not have a choice and employees must use their own devices when working remotely. While this is a low-cost option with a short deployment time, it carries significant consequences. Working from employee-owned devices poses the highest security risk, as sensitive company data will inevitably end up stored on non-company devices that the company cannot inspect or wipe. This can also lead to privacy and compliance violations severe enough to threaten the business itself.

Organizations that implement a hybrid approach, meaning a mix of company-owned and employee-owned devices is used on the job, face significant challenges. For one, IT teams lack the visibility needed to tell a managed, compliant device from an unmanaged one, and it creates internal confusion about how each policy applies to each device. Furthermore, companies that want to eliminate personal device usage entirely are being held back by supply chain problems. Hardware deliveries continue to be delayed, so even where a company wants to deploy managed, locked-down devices that meet the corporate standard, it is resorting to temporary measures -- the use of unmanaged employee devices -- to avoid disrupting productivity.

Regardless of the devices an organization is using, one thing remains constant -- leadership must establish a clear company position. Either employees provide their own equipment or the company provides it, without the murky waters of a hybrid approach. The organization can then shape its security policies around the devices actually in use and get all staff on the same page.

Set and Share the Security Standard

Just as essential as a quiet workspace and strong internet connection is a security standard for remote employees to follow.

As part of these guidelines, organizations should require that remote employees’ WiFi is encrypted with WPA2 (or WPA3 where the router supports it) and protected by a strong, non-default passphrase. It’s recommended to enable the router’s Guest Network feature and move all non-essential devices (smart fridge, television, streaming sticks and so on) onto that network, keeping the main network for work devices only.

Next, if supplying a company-owned device, ensure only the employee uses it. Giving family members or roommates access increases the chance of visiting unsafe sites and of malware landing on the device. Perhaps worse, if the organization runs corporate proxy logging, the employee needs to understand that the company logs all activity for security purposes: if a family member starts browsing non-work websites, that activity is attributed to the employee.

Lastly, as part of the security standards for all employees, make clear that a company device is an extension of the trusted company network. Do not use it to access personal storage, including portable drives, and do not copy personal media onto it. Have all employees read the standards and sign off on them. Re-circulate the guidelines at least once every quarter so that employees keep the importance of a secure approach to remote work in mind.

Do Not Forget About Printers

It is important to factor personal printers into an organization’s security standards. If there is a need to print physical documents during remote work, the organization must consider the following in order to set a policy and position on printing:

●     Should the use of personal printers be permitted?

●     Should staff be allowed to move business documents to a personal computer in order to print them? Would this inadvertently violate the policy on handling company data on non-work systems?

●     Will there be any justified business need to consider this?

●     If your corporate default is to lock down the device, how will you permit the setup of a personal printer via USB or network?

There are multiple ways to address the challenge of printing, which are not mutually exclusive, including:

●     Establish technical controls where practical. For example, both Google Workspace and Microsoft 365/Azure provide options to limit printing and downloading of documents and so reduce leakage: Google Drive can disable download, print and copy for viewers and commenters on a file, and Microsoft 365 sensitivity labels with rights management can restrict printing of protected documents.

●     Think about scenarios where printing is a genuine requirement, such as the signing of documents with original signatures. Ask: Can you mitigate this requirement? Can traditional paper-based users be trained to rely solely on on-screen document review? If not, what level of seniority or roles have a truly justified reason to print?

Most importantly, regardless of the approach, ensure the organization’s security policy clearly articulates its position on printing documents. Support this with clear training, and deliver refreshers to all remote staff covering the key risk areas, including printing and the saving of company data to local devices.

Conduct Regular Workstation Scans

Once an organization has defined which devices may be used and the security measures that apply to them, it must also do regular housekeeping of the data stored across those workspaces. Regularly, and especially in today’s remote work environment, take the time to run a data discovery sweep across servers, databases, workstations and cloud storage. Ensure sensitive data is housed in a responsible, compliant manner, and that employees are not being negligent with those valuable assets.

Now is also the appropriate time to re-assess the organization’s existing data backup strategy, which has traditionally been a challenge for many organizations. Ask:

●     Will it continue to operate as is, or does it need to be changed to factor in the remote nature of work?

●     If an employee loses valuable data or does not have a working device, how can they get back up and running in minimal time?

●     Does the company have a default save-to-server or save-to-company-cloud policy to limit data being saved on local devices? And is that default actually enforced by configuration rather than left to the user?

●     Are remote devices regularly backed up? If not, or if that is not possible to implement, what mitigating controls can be put in place to reduce this risk?

Typically, the best strategy is to eliminate or minimize data being saved on endpoint devices; however, this is often impossible to avoid entirely. That reinforces the need to monitor for sensitive data across all possible locations, endpoints included. By keeping the spread of sensitive data to a minimum, the associated risk of a data breach can be contained and mitigated.

Right now, fast decisions are being made, and these choices can have a lasting impact on an organization. Do not let security risk posture fall off the list of priorities -- use the shift to a remote workforce as a means to make it stronger than ever before.

About the Author:

Stephen Cavey is a co-founder of Ground Labs, leading a global team empowering its customers to discover, identify and secure sensitive data across their organizations. As the Chief Evangelist, he leads its worldwide product development, sales and marketing and business operations and was instrumental in extending Ground Labs’ presence with enterprise customers. Stephen has deep security domain expertise with a focus on electronic payments and data security compliance. He is a frequent speaker at industry events on topics related to data security, risk mitigation and cybersecurity trends and futures. He started Ground Labs after holding engineering and leadership positions at Paycorp Holdings (now part of MYOB), a provider of integrated electronic payments solutions and Webpay, a payment services provider later acquired by Fidelity.