As organisations and employees have settled into this new way of working, we’ve seen that even routine tasks such as sharing large files or accessing sensitive information via the company network can be difficult to complete while still adhering to company policy. Employees might be looking for ways to send multimedia files or are suddenly having to share more, and different, data via email. Using insecure file transfer solutions can lead to mistakes and loss of control, and ultimately potential breach incidents. In addition, organisations need to consider where data is being hosted when they upload to the Cloud, particularly considering more stringent data residency rules as part of GDPR. Proactively identifying and remediating risks to these changes in working behaviour will help ensure tighter security and compliance.
Right now, we are witnessing a scale of home working on a level that we’ve never experienced before. And as organisations, under government guidance, empower staff to work remotely wherever possible, concerns around how they can continue to keep data safe and secure will be front of mind.
In the initial scramble to get organisations fully operational in the new reality, as well as support ongoing healthcare efforts in the fight against COVID-19, the Information Commissioner’s Office (ICO) recognised that some organisations may struggle to uphold all data protection rules – for example, response times to Subject Access Requests may be delayed and more data may need to be shared with healthcare providers and government bodies. However, the importance of securing personal data remains clear: “During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.”
Likewise, the Financial Conduct Authority (FCA) is working closely with Government, the Bank of England and the Payment Systems regulator to take the necessary steps to ensure customers are protected and markets continue to function well. It is advising firms to take all reasonable actions to meet the regulatory obligations which are in place to protect their consumers and maintain market integrity.
Here at Egress we recognise that this is easier said than done. Even in a world that relies heavily on digital, there are still organisations that don’t have VPN access set up or enough laptops or mobile devices to quickly enable home working. These companies continue to struggle to get everything in place, and in the meantime, this creates an environment where workarounds and shadow IT have crept in “just to get the job done”. After all, when productivity is at risk, security will often take a backseat.
Added to this, from individual employees’ perspectives, our routine way of working has changed. There is a blurring of the boundaries between home and work leading to more people communicating beyond their normal working hours and from smaller screens (mobile devices, laptops, etc.), trying to maintain productivity at usual standards or having to amend their routines around personal circumstances, like childcare. So in this disruptive and highly stressed environment, the likelihood of people making a mistake when sharing or collaborating on sensitive data increases.
Even before Covid-19 and large-scale remote working, human error was one of the primary causes of data breaches. Figures published by the ICO and obtained by Egress last year found that 60 per cent of personal data breaches in the first half of 2019 were the result of human error. Our own research, which we conducted in February this year found that:
- 31 per cent of employees who had unintentionally caused a breach said they or a colleague had accidentally sent information to the wrong person, for instance via email
- 45 per cent of employees surveyed said they had received an outlook recall message or an email asking them to disregard a communication sent in error
- 23 per cent of those who had breached data accidentally say they did so because they were working on a mobile device
And this will of course be exacerbated now for all the reasons I’ve outlined above. So, what can organisations do?
Solving advanced risks
1. Look for security software that doesn’t hamper productivity. It’s generally the aim of the game anyway – but right now, employees are feeling increased pressure to prove their productivity. If you’re finding yourself selecting new solutions, it’s never been more crucial to select technologies that don’t add difficult extra steps for them or anyone they’re working with outside the organisation.
2. Choose collaboration/productivity solutions that have security baked into them. The other side to the coin of the point above, really: when choosing any new solution to implement at this time, make sure that security measures are part of a product’s standard design, and not an after-thought.
3. Automate security wherever possible. If it’s possible, take decisions out of end users’ hands to ensure the security of sensitive information in line with policy, reducing the risk of someone accidentally or intentionally not using security software.
4. Engage employees over security best practices. Phishing is a good example of this. Some inbound risks will evade the filters on your network boundary and end up in users’ mailboxes. Effort to proactively engage employees through e-learning and other educational measures can help them to know what to do with emails they think are suspicious (for example, hovering over links before clicking on them).
5. Look to AI and machine learning to help solve advanced risks. Use cases like conversation hijacking, misdirected emails or people attaching the wrong files to documents can now be mitigated by intelligent technology like contextual machine learning, which determines what “good security behaviour” looks like for each individual, and alerts them and administrators to abnormal incidents – effectively stopping breaches before they happen.
6. Implement no-fault reporting. People often don’t report security incidents because they’re concerned about the repercussions. Where it’s appropriate to do so, implement no-fault reporting to encourage individuals to report incidents in a timely manner, so you can focus on remediating the problem as quickly as possible.
Tony Pepper, CEO, Egress