Why Remote Work Data Protection Matters More Than Ever

The way many businesses operate has changed. After successful – if enforced – experimentation during Covid lockdowns, the traditional model of being in the office nine-to-five, five days a week is increasingly out of fashion for many organizations.

Instead, fully remote and hybrid working, which sees a mixture of in-office and at home working, is in. But while this offers many benefits in terms of productivity, work-life balance and employee morale, it also creates a new set of headaches for cybersecurity professionals – namely how to make sure company and customer data is fully secure when used by these employees.

Hackers often find it easier to attack businesses by taking advantage of remote workers, as they may often be less protected than those in the office. Therefore, remote work data protection efforts need to be a top priority for every enterprise if they are to avoid highly damaging issues such as data exfiltration and ransomware.

Although some large companies have pushed workers to return to the office in the last year or so, including big tech firms like Apple and Amazon, for many others hybrid working in particular is here to stay. According to Gartner, for example, almost four out of ten knowledge workers (39 percent) globally will be hybrid workers by the end of 2023. In the US, the figures are even higher, with 51 percent of these individuals being hybrid and one in five fully remote.

This includes key roles such as IT that will require access to highly sensitive data when working remotely. As such, many firms will find that mission-critical and highly sensitive data is being accessed in locations and via networks outside their full control, making a specific remote work protection strategy a must-have.

Hybrid work refers to working patterns where users split their time between office and home working. In a typical example, an individual may come into their workplace two or three days a week, and spend the rest of their time at home.

This may prove especially challenging because of how it will affect the way in which users access data, as they will need to access it from multiple locations, and sometimes on multiple devices, depending on the organization’s setup.

Therefore, ensuring people can safely access the right tools to do their jobs effectively outside the office is a key area that firms will need to address as, according to Gallup, having less access to work resources and equipment is the number one disadvantage of hybrid working.

If it’s too difficult to use applications or information on approved solutions outside the office, workers may resort to unapproved workarounds, such as emailing data to personal accounts or using consumer-grade file-sharing solutions to retain access when working from home.

This is known as ‘shadow IT’ and can be particularly hard to counter, as in many cases businesses may not even be aware that company data is being accessed or stored outside of their network perimeter. As well as the fact they cannot be protected by firms’ security systems, consumer-focused software often lacks the same robust in-built protections as enterprise-grade applications.

Any device that’s used to access corporate data poses a potential security risk, but with remote and hybrid working, where individuals are more likely to be using personally-owned equipment, the risk may be increased as the company is less likely to have adequate data security controls in place to monitor activity and alert them to any suspicious behavior.

Hackers have long seen remote workers as weak links when they are looking to gain access to systems and steal data. There are a number of key risks that these practices create, and cybercriminals will always move quickly to take advantage of them.

For example, one study by cyberinsurance provider Hiscox found that when many firms moved to remote working in 2020, 61 percent of ransomware claims it dealt with that year involved open remote desktop protocol (RDP) ports. This illustrates just how quickly hackers can adapt to new opportunities, and little has changed since.

As well as targeting less secure shadow IT solutions, another key way in which cybercriminals can look to exploit a remote worker is through the lack of direct oversight and communication they have. This makes tactics such as business email compromise highly effective. In such attacks, they may pose as a user’s boss or a senior executive and the company and request information or for the user to follow a link.

While in the office, such requests may typically be done in person, making them easier to verify. However, this isn’t the case for remote workers. Instead, if they are used to keeping in touch via email, they may naturally follow such a request without checking whether a message is legitimate.

One concern many businesses may have about the rise of hybrid and remote working is the potential impact it may have on their regulatory requirements. In recent years the EU’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) have both introduced strict data protection rules that ensure all firms have to take extra care about how they access and use data.

Therefore, some firms may be especially wary about allowing employees to access sensitive information from outside their tightly controlled network perimeter. However, while rules like GDPR do not offer specific guidance on how to implement data-secure remote working policies, neither do they prohibit it. Therefore, firms should follow a few key guidelines to ensure they remain compliant when dealing with information such as personal data outside the office.

This should include ensuring that any data sent to and from home workers is fully encrypted when in transit and when at rest on their devices and the drafting of a clear policy with sections on how to access data and creating secure connections.

These challenges can have serious consequences if they aren’t addressed properly. Indeed, one study by Proxyrack suggested that companies where more than four out of five employees work remotely see an average cost of $5.54 million from a data breach, whereas those with only ten to 20 percent see these costs drop by over a million dollars. As a result, remote work data protection should be a top priority.

The first step for any business should be to develop a specific policy that governs what remote employees must do to maintain data security. This should include a number of elements that cover both physical and digital security.

For example, there should be clear guidelines on what devices may be used to access data, and if a personal device is being used, employees should be required to allow the use of cybersecurity software. This should include monitoring tools that can observe any data flowing in and out of the device, as well as tools for laptops or smartphones that can allow data to be wiped remotely if the item is lost or stolen.

If firms are deploying these tools, a policy on how they may affect the employee’s personal data will be vital. It’s best practice to ensure that personal and business files are fully separated in order to maintain data privacy.

Firms should also take steps to ensure strong access management and user verification solutions of what applications or databases are being accessed from beyond the network perimeter. Basic steps such as two-factor authentication and the use of tools like secure VPNs are must-haves, especially if users will be connecting via public or unsecured Wi-Fi.

The majority of data breaches can still be traced back to human error, and this is especially the case when individuals are working away from the office. As noted above, it’s easy to fall victim to phishing or business email compromise attacks when individuals can’t speak to their colleagues easily in person. Therefore, comprehensive training should be essential for every employee that wants to take advantage of a remote or hybrid working policy.

This should ensure all employees are familiar with rules and procedures for remote working, from how they access documents to what key signs they should look out for that an email may not be genuine. To ensure this is being done effectively, there should be a named individual responsible for managing this (usually, this would also be the data protection officer that is required under GDPR rules) who can ensure that this is an ongoing process with frequent refreshers and phishing tests to ensure people are following the guidelines.

While training is essential it can only take firms so far. There will always be hacking attacks that are able to bypass defenses and catch out even the most aware users. Therefore, you need a second line of defense that is able to spot malicious activities within your network – and chief among these will be attempts to exfiltrate data from the business.

Legacy data protection tools may struggle to effectively spot and block suspicious behavior on personally-owned mobile devices. Many services rely on sending data back to centralized servers for analysis, which can be slow, resource intensive and inefficient.

Therefore, firms need specialist anti data exfiltration solutions that can be deployed directly onto users’ mobile devices, whether these are company-issued or personally-owned items. In order to work across a wide range of different products, these must be lightweight and vendor-agnostic and have the ability to spot suspicious activity in real time.

To do this, such tools cannot rely on traditional detection methods such as signature matching, as this is impractical for mobiles – and increasingly ineffective as hackers continue to evolve their tactics. Instead, behavioral tools that use machine learning technology to build a picture of what normal activity looks like are essential. This enables the solutions to spot anything that deviates from the norm and block it before data has a chance to be infiltrated – all without any data leaving the device.