By Alan Bentley, President, Global Strategy, Blancco
In times of uncertainty, enterprises inevitably find themselves with more questions than answers. The COVID-19 pandemic is no exception and unprecedented circumstances have seen a seismic shift in business operations and working culture. Facilitating methods of remote work is now a necessity, but with it comes challenges for these enterprises’ security strategies and data management processes.
History has shown that in times of confusion, opportunists will try to take advantage. And those opportunists have already reared their heads, attempting to sabotage businesses’ work-from-home IT environments and targeting employees with phishing and spoofing attacks. The fact is that employees working from home are an easier target, as their home IT environment will likely have more exploitable vulnerabilities and they may be more complacent with data. It’s now as crucial as ever that enterprises protect, audit, back up and appropriately sanitise data to ensure business continuity. Business continuity will ultimately rely on data management, protection and backup, coupled with appropriate sanitisation to avoid compliance failures that could impact bottom lines amidst already significant economic turbulence.
But with most now working outside of the comfort and security of their business’ four walls, what steps should enterprises be following to maintain the proper management of data across its lifecycle?
Here are five key factors that all enterprises need to consider and put plans in place to address.
1. Restricted access for external vendors and service providers
Typically, data centre and desktop decommissioning projects are done with active onsite engagement by external vendors. As lockdown and restrictions on face-to-face contact continue, this becomes a significant challenge to operations. It’s important, however, that enterprises overcome these issues to avoid asset pile-up, which can prove costly both in terms of storing redundant hardware and in maintaining compliance and audit trails of the data still in their possession. In fact, efficient data sanitisation processes can be deployed internally using the enterprise’s own employees. Equally, using remote erasure capabilities with a full audit trail enables equipment to be released from the facility without risk of a data breach and allows risk-free collection without unnecessary human interaction.
2. Ensuring sanitisation during unplanned reductions of employees, consultants and temporary staff
The pandemic has brought with it heightened uncertainty and economic turbulence. As a result, companies have had to make unplanned emergency reductions or changes to their workforces. It’s important that enterprises are mindful of the challenge this presents when it comes to proper data management and protection. Company-owned assets used by individuals leaving the business will need to undergo proper data sanitisation with a full audit trail when no longer in use. Use of remote methods of sanitisation is crucial here in ensuring that employees do not have to put themselves at risk by leaving their home environment. It also guarantees that a device will not have to travel with sensitive data on it, mitigating the compliance risks that arise should a device become lost or stolen.
3. Secure data sitting with at-home workers, following NIST security guidelines
Securing digital data in the home office is of the utmost importance. When the workforce leaves the secure office environment, it is inevitable that more sensitive data than normal will be processed and accessed from less secure remote locations, creating an environment where corporate data and personal data may be at risk of a data breach. Providing employees with automated remote erasure tools is one way to achieve control and compliance in your data management practices. It’s also very important to ensure corporate data stored on BYOD devices is limited, and any data stored on them is removed once it becomes redundant or obsolete. NIST 800-46r2 states that “organizations may find it particularly challenging to address data wiping for BYOD devices. As the devices are used for both personal and work purposes, it may be necessary to scrub the telework data without affecting the personal data.”
In addition, under remote circumstances, it’s likely that enterprises might see increased email traffic containing attachments with sensitive data, or file sharing leading to temporary saves outside of normal physical and network security parameters. Addressing these concerns through access to remote sanitisation tools, and advising employees on how to audit, track and assess this data for its business value, will be essential.
4. Securing data in backup locations and disaster recovery sites
During crises, businesses often activate back-up workplaces for critical functions. That has become more important than ever in the current circumstances as some corporate locations may be compromised by affected individuals, and operations may need to move elsewhere. Before moving en masse, devices should be erased to protect against data loss or theft during transportation. Likewise, if the enterprise owns back-up equipment at an alternative location, then the data on those systems needs to be erased when the back-up location is no longer in use. Equally, in a time when enterprises have so many moving parts to monitor, it’s crucial to ensure that critical business data and applications are backed up and restorable from a central location, should employees encounter IT failures and need to restore their devices or systems.
5. Sanitising temporary assets when no longer needed
With a push towards remote working, companies have had to purchase or rent additional IT assets to help facilitate work in a home environment. Short-term laptop leases, for example, make it possible for employees who typically use desktop computers in an office environment to continue working at home. However, before any devices are returned to the lessor, the data on them must be completely and irreversibly removed through appropriate data sanitisation methods. Enterprises should look to obtain a certificate for every erasure on a rented device to prove compliance with a full data audit trail. Additional asset procurement will also need careful assimilation into professional asset management routines, particularly if devices are being shipped back and forth to remote workers or to vendors, putting sensitive data at risk during the chain of custody process. Whether renting or purchasing, remote erasure of these devices is crucial prior to lease or return to the company.
In these unprecedented times, enterprises will inevitably face new challenges that require new and unique processes in order to navigate and maintain business continuity. Maintaining a responsible chain of custody over business and customer data is, however, as important as ever. Securing a remote workforce will mean your data management processes will need to adapt. Maintaining compliance against both internal and external data regulatory standards is crucial if businesses are to achieve continuity. Business is certainly not as usual and adapting to the new status quo is a must for all.