Amazon announced that the company is extending its work-from-home policy until January 2021, continuing a trend that many organizations have adopted since the onset of COVID-19. It's not clear yet whether other companies will follow Amazon's lead, but given the trajectory of the virus, it's likely that plenty of people will be working from home for some time to come.
This steep increase in remote employees, brings several challenges, especially when it comes to privacy and potential data security risks. Safeguarding data within a secure corporate environment is difficult enough. Doing so remotely can challenge even the staunchest security teams.
Work-from-home (WFH) employees bring numerous risks to data at rest and in motion, and organizations must take whatever steps necessary to protect sensitive data and prevent compliance violations.
Risks to data and storage caused by remote workers
Employee behavior is often regarded by organizations as the weakest link in data protection. Moving employees outside of the office can weaken that link even further, especially with a sudden increase in people working out of their homes.
The data security risks they bring can be grouped into the following six broad categories.
- People working in less secure environments. Although some WFH employees have secured their homes, many have not, which exposes multiple attack surfaces that can range from Wi-Fi printers to the web interfaces they use to administer their routers. Some people assign weak passwords to their Wi-Fi networks or don't use passwords at all. Physical security might be nearly nonexistent, with doors unlocked or windows half open. Home computers are also more likely to be infected with malware than systems within the corporate firewall.
- The lines between workplace and home have blurred. With the sudden shift to working from home, more people are using their personal devices to do their jobs. They shop, text friends, email relatives and search the web on the same computers they process confidential data. Even if they work on corporate devices, they're still more likely to carry out personal tasks when working from home. Social networking can represent a particularly strong data security risk, as employees become increasingly lax about the information they share online.
- Workers are more likely to misuse applications and services. One of the biggest concerns is shadow IT, in which workers select their own applications or services, rather than those sanctioned by IT, often to perform their jobs faster and more efficiently. For example, they might store sensitive data on a unsanctioned cloud platform or use sanctioned cloud storage but misconfigure the service or not tell anyone the data is out there. WFH employees might also collaborate with each other via unsanctioned services, sharing sensitive data across unsecured channels.
- Employees at home are more likely to adopt informal work habits. They might download more files than they need at a time, or they might fail to upload or back up their data on a regular basis. Some might leave their devices and peripherals laying around unlocked or share them with other people in the household. They might also be careless with printed documents, or they might share credentials with other employees to expedite a project.
- People are adjusting to new ways of working. Many employees are probably not used to working at home. But those who are might also have to learn new ways to perform their jobs. They might face numerous distractions, such as kids being home from school or daycare. Under such conditions, it's easy to make mistakes. They might, for example, send emails with sensitive data to the wrong recipients, or they might be more susceptible to social engineering attempts such as phishing. At the same time, many are under significant pressure to get work done, while not having proper guidelines, policies or training on how to safely store and transfer data when working from home.
- Insiders have more opportunities to carry out malicious behavior. Security teams have a harder time catching WFH employees trying to steal data or intellectual property because the teams have less visibility into what workers do at home. At the same time, the current circumstances can lead to a more disgruntled workforce, as they face limited hours, lower compensation and uncertainty about their future. This frustration can translate to more attempts to steal sensitive data.
Minimizing data and storage risks
IT teams can take steps to help mitigate the storage and data security risks that come with WFH employees. Although the exact protections will depend on circumstances, the steps themselves can be grouped into the following categories:
Implement endpoint security protections
When possible, organizations should provide their home workers with company devices that IT can manage and fully secure. However, they must do so in a way that does not violate the employee's privacy, as governed by applicable compliance regulations. When an organization can't provide its WFH employees with devices, IT should ensure that employees have the security protections they need to safeguard their personal devices, such as antimalware software or the ability to enable firewall protections.
Secure data at rest and in motion
Data must be encrypted whenever it is transferred and wherever it resides, employing storage security best practices at all times. If employees are using their own computers, a member of IT should instruct them on how to implement encryption. Organizations might also consider giving pseudonyms to data before transferring it in order to remove personal information that could identify individuals. In addition, IT teams should make VPNs available to employees and implement virtualization technologies such as virtual desktop infrastructures where possible and practical.
Implement rigid access controls
A comprehensive identity and access management framework is essential to controlling user access to sensitive data. IT teams should apply the principle of least privilege when granting access to storage resources or other assets, while adopting strategies such as strict password policies, two-factor authentication and, where possible, biometric authentication. They should also monitor for credential sharing and other risky behavior. In addition, organizations should consider password management to help users store and generate their passwords.
Provide workers with the tools they need
If WFH employees have what they need to do their jobs, they're less likely to implement shadow IT or take other shortcuts. IT should ensure that workers can easily access their documents and effectively collaborate with each other, without having to store sensitive data on their local systems. To this end, organizations might consider centralized cloud storage or collaboration platforms, or similar services housed in their own data centers. They should also ensure that centralized backup and disaster recovery services are in place to support WFH operations.
Provide IT with the tools they need
Without the right tools, administrators cannot effectively safeguard data. For example, an IT team might benefit from unified endpoint management. IT also needs to be able to audit file access, monitor for threats, set alerts on suspicious login activity, scan emails and carry out several other operations. In addition, IT should be able to patch remote systems as well as control what software employees install on corporate-owned devices, and they need tools to track and inventory these devices.
Prepare employees for working at home
The better prepared employees are for working at home, the more effectively they'll protect sensitive data. Organizations should provide their workers with clear guidance on how to safeguard data and what's at stake if they don't. Proper training should be a top priority so that everyone understands the organization's WFH policies and what is acceptable behavior. The goal is to help them develop secure work habits, while providing them with the feedback and support they need to encourage those habits.