As remote working looks set to become the new normal, businesses need to ensure their corporate information and data protection is secure. In the first in a series of Covid-themed articles this week, Andy Beverley outlines some of the key considerations.
As countries continue taking tentative steps to re-open parts of society, popular media are reporting that the term “working from home” is fast becoming part of normal business culture for many.
Recent COVID-19 lockdown restrictions, combined with the access and convenience provided by cloud services and on-line applications, has raised questions about the real need for physical office space, the time required for commuting to and from business premises, and whether virtual meetings are actually more productive than physical gatherings.
It is reasonable to assume that some may transition to allowing more personnel to work remotely, and those that do need to remember their corporate information security and data protection requirements as part of the planning.
Let’s take a moment to highlight some of these important considerations so that they may support the identification of acceptable approaches to each subject.
Living room vs meeting room
Comparing the security of the home environment with the robust controls of the corporate office is essential.
The physical space of the employee’s residence used for home working should be sufficiently isolated from other family members and allow for the secure storage of documents and media when not actively being used.
“The growth of ‘shadow IT’ or the temptation to use privately-owned devices must be challenged”
Office-based practices of locking screens should continue, and remote workers should use Virtual Private Networks (VPN) to secure their network traffic being transmitted via the internet.
While on the subject, it’s worth checking how many of your staff have changed the default password on their domestic wireless network and provide them with assistance if that presents a challenge.
We need to be confident that personnel are using approved corporate devices for their work activities. The growth of “shadow IT”, or the temptation to use privately-owned devices (perhaps a tablet for working in a sunny garden) must be challenged.
These are unlikely to be monitored or protected by the robust antivirus and network protection of corporate assets, and there is the possibility of information being saved locally that may never be fully retrieved or deleted by the organisation.
Clear guidance needs to be provided, including reminders about the mandatory requirements of the organisation’s data protection, acceptable use and asset management policies.
Cloud’s silver lining
The growth of cloud services has played a significant role in the success of home working during recent months and has transformed many a theoretical business continuity plan into something that actually works.
There are a few important considerations here too – starting with the assessment of whether each cloud service has been approved for use by the organisation.
There are contractual considerations, data protection clauses, geographic assessments, licensing models and operational costs to understand, and every possibility that unapproved services may have crept in quickly as individuals sought to remain productive when lockdown commenced.
“Cloud also presents us with questions. Where is the hosted data actually stored? are there backup or snapshot copies being taken which need to be accounted for?, and is the cloud service provider contractually required to inform you of any security incidents?”
Personnel need to understand these risks, and organisations need to identify an approach to keeping fully informed about the contents of their cloud estate.
Cloud also presents us with questions. Where is the hosted data actually stored (especially if it is personal data requiring full GDPR compliance), are there backup or snapshot copies being taken which need to be accounted for, and is the cloud service provider contractually required to inform you of any security incidents or personal data breaches? Validate that the cloud service has sufficient capacity and resilience to serve peak demand – during COVID-19 some of the largest global providers were clearly challenged.
Some employees are now starting (and possibly ending) their employment virtually, and there are controls which need to be addressed. New starters need to be issued corporate assets (laptops, tokens, documentation etc) remotely, and supported with assistance in the form of information security training, data protection (GDPR) awareness, and help with setting up their corporate IT assets securely.
At the end of their employment, leavers need to have their assets collected promptly (not having a reliance upon them to return them themselves) and accounts closed off immediately at the point of termination.
This may be more complex than before when removing a single active directory account may have sufficed.
Most cloud services use unique user credentials which will need to be updated individually. It is important to keep records of individual users of cloud services, and to ensure that each cloud service is configured such that the organisation retains an administrative capability over its user estate.
Suppliers need careful assessment too. You would like to trust that as a customer you will be promptly informed of any disruptions, challenges or incidents that they experience whilst working through a lockdown situation, but that is rarely the case and often shortcomings are only discovered when they are already affecting your product or service delivery. Lightly worded COVID-19 preparation statements are unlikely to satisfy all your questions, so a review of your Supplier Capability Assessments (enhancing their contents) on a regular basis is one approach to staying better informed.
Using standards to help
Many organisations have some form of Information Security Management System, whether informally or subject to external certification against ISO27001 or similar. A core activity remains risk management, and individual risk assessments should help with identifying the effectiveness of security controls from ISO27001 Annex A (or ISO27002) which, done well, will mitigate the numerous emerging threats and vulnerabilities which are being associated with the recent increase in remote working.
Another option is to use the extended control set aligned to ISO27017 (which addresses the security of cloud services), comprehensive risk assessments for both cloud service providers (“suppliers”) and cloud consumers (“customers”) can be completed, with any identified findings requiring prompt resolution.
If an organisation is moving personal data into third-party cloud services, a formal Data Protection Impact Assessment will be required to identify any risks associated with the personal data being processed. workflows help in delivering compliance with Article 35 of GDPR.
Technical innovation and cultural change are combining to present a new default working day for many. If businesses remain aware and understanding of the changing risk environment associated with this, robust risk management will help to inform top-level decision making and ensure that data, infrastructure, personnel and customers remain fully protected.
by Andy Beverley, Chief Technology Officer and co-founder of InfoSaas