The ransomware crisis is getting worse as we become numb to once-shocking reports of data breaches affecting the world’s most trusted brands. From mom-n-pop stores to governments and Fortune 500 conglomerates, it seems no one is immune to data breaches.
Throw remote working into the mix and you end up with a large attack surface for would-be cyber criminals. And as the saying goes, humans are the weakest link in any security system.
This is why it is crucial to prepare for a data breach; as unfortunately, it’s not a matter of if, it’s a matter of when. Fortunately, there are a few steps that businesses and employees can take to protect their data and privacy.
This is why we’ve identified eight best practices for ensuring data privacy in the modern workplace.
Encryption of data in both transit and rest is essential to privacy and online security. A workplace policy requiring employees to store sensitive information on the employer’s devices (instead of their own) should go a long way in protecting data.
There are a few difficulties your employees will have to overcome when deploying organization-wide encryption. These two friction points are:
Difficulty for the average user: Your employees will have to manage passwords to access protected data. They may also require certain tools to manage encrypted data correctly on different devices.
Undefined policies on what information to encrypt: It may not always be obvious to employees what data to encrypt and what not to encrypt. Most organizations encrypt data at rest; this is to prevent leaks in the event the device is lost. But when documents are sent from the computer to third parties, the files emerge unprotected. This is why it is important to create a policy that instructs employees on what information needs to be protected.
Provide Remote Employees with Secure Devices
From becoming a necessity during the global pandemic to now becoming a trend, working from home is here to stay. Most privately owned personal computers and mobile devices lack important malware and encryption protections. This will increase the risk of their data being accessed from those computers (including data stored in the employer’s servers remote).
Given the sensitivity of the data, employers can enforce policies requiring employees to keep all work-related data on employer-owned devices and restrict the use of cloud apps that haven’t been vetted for privacy and security. Make sure to also limit access to entertainment websites and online video games because they are often vulnerable to security breaches. This will limit the company’s overall attack surface and lower the likelihood of a data breach.
Require Multi-Factor Authentication to Employer’s VPN
Implement multi-factor authentication (MFA) for all your employees, especially if they are accessing your virtual private network (VPN). Employees should understand that MFA is there to protect their accounts and their data. If this is not feasible across the entire organization, you should roll out MFA for all authorized users (managers, admins, and others).
This is because admin accounts are high-value targets and must be secured. Review these users and the privileges they have – there are probably different degrees of privileges depending on the roles and responsibilities of your employees.
Evaluate company roles where losing access to data, or sending an unauthorized email, will have a major impact on security. Then gradually roll out MFA to employees who have different levels of security access. Take your time to properly strategize the deployment of MFA so as not to affect the productivity of mainstream employees.
Assess all Company Data
Make sure to evaluate all the data that your company generates and figure out which aspects of the information are sensitive to your employees and customers. What may be sensitive for data in fintech or healthcare may not be in manufacturing or retail. As mentioned earlier, it’s not always straightforward for employees to know which data should be protected and which data doesn’t need protection.
Once you have assessed the data, create a solid set of policies around the data that is to be protected.
Create a Scheme for Data Exchange
Your data will inevitably leave your servers to third-party recipients. This means you should create policies and processes that account for the fluidity of data. Permissions should be defined as to which employees can use the data and move it around.
You will need to monitor the data and enforce them to make sure that only the employees that are allowed to see certain data can move it.
Require Employees to Use Stronger Passwords
A password is strong if it’s difficult for humans and machines to guess it. Password strength is increased by incorporating different characters including:
- At least eight characters, the more, the better
- A mixture of uppercase and lowercase letters
- A mixture of numbers and letters
- A mixture of special characters
It goes without saying that a strong password should be easy for your employees to remember, no matter how many of the above characteristics are used.
Don’t use a password that can be found in a dictionary, examples include ‘computer’, ‘mouse’, and ‘piano’.
It’s also important to require all employees to change their passwords every three to six months, especially when you hear reports of data breaches.
Train Employees About Phishing Attacks
Remote employees will notice higher traffic in email as they work from home. Hackers will use this knowledge to their advantage and deploy new phishing schemes that prey on employees. To protect against these phishing schemes, send a reminder to your employees about not clicking on links that come from unanticipated email messages.
This is especially true if the email requests for funds. A dead giveaway that you’re dealing with scams is when the sender asks you to buy gift cards. If needed, contact the purported sender on their phone or social media to verify if they indeed sent the email.
Keep Track of Employer Devices
It may be necessary to track the movement of data within employer systems. At the same time, employees should be required to apply physical measures to secure their devices to protect the employers’ data. Such stems may include locking their home doors, placing devices in a safe place while traveling, and locking their screens before stepping away from the computer.
As the idea of remote working expands, what is considered to be sensitive data will also change. Organizations need to ensure data privacy is implemented throughout the workplace and remember that employees are the weakest link in any security system.
Need further help with data policies in the workplace? Our data security experts will analyze your data security needs and provide you with customized policies.