SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
In the sprint towards digital transformation, don’t neglect your data
Wed, 18th Nov 2020

COVID-19 tested businesses' ability to pivot, and quickly, to remote work. Regardless of size, location or sector, organisations were left with only one choice to achieve business continuity -- sprinting towards digital transformation, regardless of whether they were ready to do so.

In fact, according to a study by Boston Consulting Group, 75% of executives agreed that digital transformation became more urgent in light of the global pandemic, with 65% saying they anticipate increasing their investments in digital transformation as a result.

But the sudden pivot to long-lasting virtual operations brings with it a unique challenge for IT business leaders: understanding where all of an organisation's data resides, especially considering the amount of dispersed employee workstations today.

While many leaders trust their employees to not intentionally disclose sensitive information, there are unintentional actions that can have severe consequences. For example, where are sales professionals storing prospect proposals, contracts and other information needed during onboarding? Where are legal contractors saving signed contracts and highly classified documents?

The answer is muddled, as employees will store these sensitive materials across a range of locations: within local folders; synced into cloud storage folders; uploaded into CRM systems; archived in email chains; captured in temporary locations by applications; and shared via internal chat apps. For this reason, there's never been a more critical time to get a better grasp on where corporate data resides - here's how.

Establish clear device ownership

When the drastic shift to remote work occurred earlier this year, 61% of employees reported using personal devices as their primary method to access company networks while home. Given the recent uptick in BYOD, it is important to establish a clear company position on device ownership. Generally, an organisation will fall into one of three device ownership categories:

  • All devices used are owned by the company
  • All devices used are owned by the employee
  • Some devices are owned by the company, while others are owned by the employee

The ideal scenario for most IT leaders is establishing complete device ownership by the company, as it poses the least security risk and allows total control over all devices, enabling remote monitoring to validate that any device is safe and secure for use. However, this option is often accompanied by high costs and continuous maintenance.

With remote work being implemented on such short notice, some organisations have been forced to allow employees to use their own devices for business -- although this is a low-cost option, it comes with high security risk. As employees store corporate data on personal devices, the potential for data loss and for breaches of compliance regulations rises sharply.

Finally, there's the hybrid approach of company-owned and employee-owned devices -- an IT team's worst nightmare. Without the ability to distinguish ‘safe users' from ‘rogue users', organisations end up with splintered security policies that cause internal confusion and an overall lack of visibility.

Start with a clear, concise device ownership plan so employees understand where it's acceptable to house corporate data -- and as a general rule of thumb, try to avoid a hybrid approach, where it's often too difficult to track all data.

Set a security standard

Once device ownership has been defined, take the policy a step further by implementing a security standard. As part of these guidelines, ensure remote employees have WPA2-encrypted Wi-Fi and encourage ‘digital distancing,' where all non-essential personal devices are moved to a guest network and a main, more secure network is reserved for business use.

Next, if supplying a company-owned device, ensure only the employee uses the device. Giving family or roommates access increases the chances of visiting unsecure sites. Perhaps worse, if an organisation employs corporate proxy logging, the employee needs to understand that the company logs everything for security purposes - if a family member starts visiting non-productive websites, that activity is recorded under the employee's log.

Lastly, as part of the security standards for all employees, highlight that a device is an extension of the trusted company network. Do not use it to access personal storage, including portable drives, or copy personal media onto the device. Have all employees read the standards and sign off on them. Re-circulate the guidelines a minimum of once every quarter, so employees understand the importance of a secure approach to remote work.

Understand your data, regardless of its location

Once an organisation defines which devices can be used, and the security measures required when working on them, it must also conduct regular housekeeping of the data stored across those workspaces -- a process called data discovery. It's critical to take the time to conduct a data discovery sweep across servers, databases, workstations and the cloud. Ensure sensitive data is being housed in a responsible, compliant manner, and that employees are not being negligent with those valuable assets. Gaining a better understanding of your data is the first step to bolstering security and achieving compliance.
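To make the data discovery sweep concrete, here is a minimal scanner written as an added example for this article; it is not Ground Labs' product code and the file names, directory layout and sample contents are constructed for the illustration. It walks a directory tree, looks for payment card numbers (a common class of sensitive data) and validates each candidate with the Luhn checksum so that ordinary long numbers such as timestamps and invoice references are not reported, then returns masked findings per file rather than the raw values.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# File types the sweep inspects (constructed choice for the example).
TEXT_EXTENSIONS = (".txt", ".csv", ".log", ".md")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, as bare digit strings."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the first six and last four digits in any report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root and map each file with findings to its masked card numbers."""
    findings: dict[str, list[str]] = {}
    base = Path(root)
    for path in base.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXTENSIONS:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue                # unreadable file: skip, do not abort the sweep
        pans = find_pans(text)
        if pans:
            findings[path.relative_to(base).as_posix()] = [mask(p) for p in pans]
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed sample workspace in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "sales").mkdir()
        (base / "ops").mkdir()
        (base / "notes").mkdir()
        # Real finding: a Luhn-valid test card number inside a sales proposal.
        (base / "sales" / "proposal_acme.txt").write_text(
            "Card on file: 4111 1111 1111 1111 for deposit.\n")
        # 13-digit millisecond timestamp: matches the regex, fails Luhn, not reported.
        (base / "ops" / "export.csv").write_text("id,ts\n42,1605657600000\n")
        # 16-digit invoice reference that fails the checksum: not reported.
        (base / "notes" / "contract.md").write_text(
            "Ref 1234567890123456 is an invoice number.\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, masked in demo().items():
        print(f"{rel_path}: {', '.join(masked)}")
```

Point the scanner at a synced cloud folder, a mapped file share or a workstation home directory to see how far sensitive data has spread; the masking keeps the report itself from becoming another copy of the data it found.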

During this step, it's also important to re-assess an organisation's existing data backup strategy, which has traditionally been a challenge for most businesses. Now is the time to ask:

  • Will it continue to operate as is, or does it need to be changed to factor in the remote nature of work?
  • If an employee loses valuable data or does not have a working device, how can they get back up and running in minimal time?
  • Does the company have a default save to server / save to company cloud policy to limit data being saved on local devices? And does the company policy support this?
  • Are remote devices regularly backed up? If not, or if backups cannot be implemented, what mitigating controls can be put in place to address this risk?

Data is the key to business success, but it's important to understand it and have a plan for any interruption. Right now, fast decisions are being made and these choices can have a lifelong impact on an organisation. Do not let security risk posture fall off the list of priorities -- use the remote workforce as a means to make it stronger than ever before.

About the Author

Stephen Cavey is cofounder and chief evangelist at Ground Labs, where he leads a global team empowering its customers to discover, identify and secure sensitive data across their organizations. He leads its worldwide product development, sales and marketing, and business operations, and was instrumental in extending Ground Labs' presence with enterprise customers. Stephen has deep security domain expertise with a focus on electronic payments and data security compliance. He is a frequent speaker at industry events on topics related to data security, risk mitigation and cybersecurity trends and futures.