The telecommuting arrangements that organizations adopted in response to COVID-19 are rapidly becoming a staple of the American workplace. Globally, 52% of workers work from home at least once every week, according to Owl Labs.

The new normal has introduced challenges to data protection, however. IT organizations have powerful tools for securing and governing data inside the firewall but less oversight and control once it is scattered to thousands of home computers and mobile devices. Data protection is about more than just securing data; it ensures that only authorized personnel can access information while protecting data from attackers, leaks, and errors.

To ensure that data is protected regardless of its location or who possesses it, Veritas recommends that organizations follow these tried-and-true guidelines and regularly review standards and policies.

Communicate data protection policies and obtain signed agreements of understanding from all employees. Data protection is everyone’s job. The IT organization must ensure that all employees have been trained and informed about best practices for securing and managing data responsibly. Obtaining signed agreements provides a measure of protection if rules are violated.

Conduct a risk assessment to understand the value of different types of data in your organization. Not all information demands the same protections. Financial records probably merit a higher level of care than marketing collateral, for example. A periodic risk assessment determines the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. Assigning categories of risk helps you make more informed decisions about what protections are appropriate and reduces costs by avoiding over-use of expensive protection solutions.

Review access policies and controls on data duplication and deletion. File and record access privileges should be assigned by roles, not individual identities. A policy review weeds out and corrects the one-off exceptions that are commonly made but never revoked. Sensitive data should also be protected from unauthorized deletion and duplication. Depending on business needs, this may require the use of third-party tools that go beyond native access controls.

Review relevant compliance policies regarding data protection, retention, and sovereignty. Compliance has become more complex as identity protection regulations have proliferated around the world. Many jurisdictions also restrict where data may be physically stored. Regulations change constantly, so compliance reviews should be conducted regularly, and appropriate remediations should be applied.

Standardize on a set of individual and collaborative software applications supported and controlled by the IT organization. “Shadow IT,” or the provisioning by business users of applications and services without the knowledge of the IT organization, is a threat to security and data integrity. Information may be inadvertently exposed or duplicated. In addition, multiple versions of data may be introduced, creating confusion about which records to trust. Business users should have a choice of applications and services, but their selection should be limited to a list that is curated and approved by the IT organization.

Limit copying of data to personal devices. Modern collaboration platforms enable many people to share and work on documents and workspaces at the same time. This reduces the need for copies to be made and thus limits the risk of inadvertent exposure or version control problems. However, with 55% of global workers using personal smartphones or laptops for their work at least some of the time, companies should consider restricting or eliminating the ability for remote users to download data to devices that IT doesn’t control. If downloads are necessary, implement encryption of data both in transit and at rest and ensure that users are aware of their data protection responsibilities.

Implement automated backup. Backup is the best protection against inadvertent deletion and external threats like ransomware. Don’t rely on individual users to back up their data; IT has many options for conducting remote backups regularly.

Data protection should be neither intrusive nor time-consuming for users. A combination of automated protections, education, and periodic assessments can protect against most vulnerabilities. IT should lead the effort, but everyone needs to participate.