Are flexible workplaces safe?
The new flexible workplace presents new challenges for data protection. Usually, more employees working remotely means more employees using personal devices and a variety of servers to access company data. Will everyone use a secure connection and keep their devices safe? How can you be sure people store personal and sensitive data properly?
Indeed, for some organisations that process large amounts of very sensitive data, remote work may just be a no-go. But for most of us, following a few best practices can offset the risks. This makes it possible for you to offer your employees the flexibility of working from home while still protecting your data.
Best security practices for a flexible workplace
Here are a few areas you can focus on to keep data safe in a flexible workplace:
- Strong access control
- Encryption, passwords, and multi-factor authentication
- Data minimisation and retention policies
- Regular risk assessments
- Education and training
Let’s take a look at how each of these can help you keep personal data safe, and how you can implement them in your company.
Strong access controls and policies
Cloud environments have made it easier than ever for people to work with company data from anywhere in the world. However, just because you can easily give everyone access to all company data does not mean you should. While you want to make sure everyone can access what they need to get their job done, not everyone needs access to personal and sensitive data, for example.
How can you tighten up your access controls? First, find out which storage locations and folders contain sensitive data and who has access to them. Second, decide who really needs access. Third, implement the principle of least privilege: every user, program, or system process is granted only the minimum access privileges necessary to perform its job function. Each user gets access only to the data and resources they need to do their job, and no more.
This can help to reduce the risk of unauthorised access, data breaches, and other security incidents. If an attacker breaks into a user account with only limited privileges, most of your personal data will still be out of their reach. The damage they do will be much more manageable, compared to if they broke into an account with full access.
Once you’ve decided who should have access to what, you can enforce your new access controls with strong data access policies, access management tools, and other security mechanisms.
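As an added example (not DataMapper's code and not from the original article), here is a small Python access review that walks the three steps above over a constructed ACL snapshot: which folders are sensitive, which roles need each of them, and which grants exceed need-to-know. All folder paths, users and roles are made up.

```python
from dataclasses import dataclass

# Step 1 (constructed sample): which shared folders hold sensitive data.
FOLDER_SENSITIVITY = {
    "/shares/hr/payroll": "sensitive",
    "/shares/hr/contracts": "sensitive",
    "/shares/finance/reports": "sensitive",
    "/shares/marketing/assets": "internal",
}

# Step 2 (constructed sample): which roles really need each sensitive folder.
NEED_TO_KNOW = {
    "/shares/hr/payroll": {"hr", "finance"},
    "/shares/hr/contracts": {"hr", "legal"},
    "/shares/finance/reports": {"finance"},
}

@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    folder: str
    permission: str  # "read" or "write"

# Constructed ACL snapshot, as it might be exported from a file server or cloud drive.
CURRENT_GRANTS = [
    Grant("alice", "hr", "/shares/hr/payroll", "write"),
    Grant("bob", "marketing", "/shares/hr/payroll", "read"),      # no need to know
    Grant("carol", "finance", "/shares/finance/reports", "write"),
    Grant("dave", "sales", "/shares/finance/reports", "read"),    # no need to know
    Grant("erin", "marketing", "/shares/marketing/assets", "write"),
    Grant("frank", "legal", "/shares/hr/contracts", "read"),
]

def excess_grants(grants, sensitivity=FOLDER_SENSITIVITY, need=NEED_TO_KNOW):
    """Step 3: grants on sensitive folders held by roles outside the need-to-know set.
    A sensitive folder missing from NEED_TO_KNOW is treated as nobody-needs-it,
    so every grant on it is flagged rather than silently allowed."""
    return [g for g in grants
            if sensitivity.get(g.folder) == "sensitive"
            and g.role not in need.get(g.folder, set())]

def review_report(grants):
    """One revocation line per excess grant, for the data owner to act on."""
    return [f"REVOKE {g.permission} on {g.folder} from {g.user} (role={g.role})"
            for g in excess_grants(grants)]

if __name__ == "__main__":
    print("\n".join(review_report(CURRENT_GRANTS)))
```

Running it against a real ACL export means replacing the constructed lists with your own inventory; the report is the input to the revocation step, not an automatic change.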
Encryption, passwords, and multi-factor authentication
Sensitive data should be encrypted both in transit and at rest to protect against unauthorised access or interception. This includes encrypting emails, files, and other communications that contain sensitive information.
Data minimisation and retention policies
Data minimisation and data retention limits help protect individuals’ privacy and limit the potential for misuse of personal data.
Less data stored means less data compromised in a data breach. Data breaches can be devastating, but data minimisation can reduce the potential harm caused by such incidents.
Data retention limits can help keep data safe by reducing the amount of time that sensitive information is stored. This, in turn, limits the exposure of that information to potential threats.
Start your GDPR cleanup where it is needed the most
Sensitive data tends to accumulate in employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.
Risk assessments
Risk assessments are an essential component of any information security program. In a flexible workplace, they are even more critical. Your risk assessments will help you identify and mitigate any unique security risks that may arise for your company when people work from home.
Create a simple risk assessment for your flexible workplace by doing the following:
- Identify sensitive data. What types of sensitive data do you handle, process, or store? This includes personally identifiable information (PII), protected health information (PHI), intellectual property, financial data, and other sensitive information.
- Identify potential threats. List potential security threats that could arise when people work from home. Using unprotected servers can make phishing and hacking easier for the bad guys. Taking phones and computers out of the office could expose them to loss, theft, damage and unauthorised access.
- Perform an impact analysis. Give yourself a vulnerability score for how likely you are to suffer a data breach. Then, assess the potential damage. How much sensitive data could be accessed? What would be the cost of financial losses, reputational damage, and legal liability?
- Mitigate and manage risks. What will you do to reduce the likelihood and impact of a data breach? What security controls, policies and procedures, training and awareness, and incident response plans can you set up?
By conducting a thorough risk assessment you can identify and mitigate common security risks associated with remote work. This prepares you to protect people’s personal data and other data assets in a flexible workplace.
Education and training
All your efforts and the best of policies will be for nothing if people don’t understand them. Security awareness training is critical for any organisation, but it is especially important in a flexible workplace where employees may be using a variety of devices and networks to access company data and systems. Here are some topics that should be included in security awareness training for a flexible workplace:
Phishing and social engineering
Educate employees on how to identify and respond to phishing emails and other social engineering attacks. Provide examples of common phishing emails. For example, emails that appear to be from a trusted source but are not quite right. Encourage employees to report any suspicious emails.
Password security
Reinforce the importance of strong passwords and multi-factor authentication. Encourage employees to use unique passwords for each account and to change passwords regularly. Provide guidance on how to create strong passwords and how to use a password manager.
Device security
Provide guidance on how to keep their devices safe. This includes laptops, smartphones, and tablets. Encourage employees to use device encryption, install antivirus software, and keep software up to date.
Public Wi-Fi dangers
Warn employees about the risks of using public Wi-Fi networks, such as those in coffee shops or airports. Encourage the use of a virtual private network (VPN) when accessing company data over public Wi-Fi.
Data handling
Provide guidance on how to handle sensitive data in a flexible workplace, including the proper storage and transmission of data. Encourage the use of secure file-sharing tools and the use of encryption when transmitting sensitive data.
Incident reporting
Encourage employees to report any security incidents, such as lost devices, suspected data breaches, or other security incidents. Provide clear guidance on how to report incidents and who to contact.
Keep your security awareness training up to date with the latest threats and security best practices. Provide regular refresher training to ensure that employees are aware of the latest security threats and how to protect against them.
You can keep data safe in a flexible workplace
In summary, the new flexible workplace requires organisations to take a proactive approach to data protection. Implement access controls, encryption, and data retention and data minimisation policies. Perform regular risk assessments and train your employees. Combining all these practices can reduce the risk of data breaches and improve your compliance with data protection regulations.
The right tools can make it a lot easier. DataMapper lets you monitor how your employees store personal data, no matter where they are in the world.
Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist