By Jon Fielding, managing director EMEA, Apricorn
As people start migrating back to the office, organisations must facilitate yet another major shift in working practices, sustaining productivity and business continuity while keeping critical data and systems protected. Many employees are likely to combine remote and site-based working for some time, even adopting this ‘hybrid’ approach as a permanent model.
Remote workers continue to pose a major threat to data security, according to Apricorn’s latest survey of UK IT leaders, with more than half predicting they will expose their organisation to the risk of a data breach. Over a third admit their remote workers have already knowingly put corporate data at risk in the last year. As the line between home and office becomes blurred, and employees access networks and systems from a mix of devices and locations, organisations will be exposed to more risk.
Putting the right technology solutions in place to enable new efficient and flexible working models, while ensuring the business remains compliant with regulations, is of course essential. However, those that become too fixated on the tools will leave themselves vulnerable to data breaches unless they also pay attention to two key principles: building a culture of individual responsibility, and strengthening their cyber resilience.
Building engagement and accountability
For hybrid working to be successful, all employees must follow information security best practice, and comply with regulations such as GDPR. It will be up to each and every employee to safeguard the company’s security posture by protecting data and being vigilant about threats.
There’s currently a question mark over whether they’re ready to take on this responsibility. More than a quarter of the organisations surveyed by Apricorn believe their remote workers simply “don’t care” about security, which indicates an alarming lack of engagement.
Companies in the finance sector must urgently improve awareness of the specific security risks the business faces, and build knowledge of how to control them. This should involve delivering cybersecurity awareness education, alongside ongoing training – and programmes should include freelancers and other third-party contractors. The approach will need to be rethought, perhaps combining interactive video sessions with short and frequent on-demand ‘bursts’ that keep knowledge fresh.
It’s important that education programmes cover basic security hygiene; many security breaches are down to something as simple as choosing a weak password or clicking on a link from an untrusted source. Employees should be clearly and directly briefed on the company’s security policies, as well as the regulations the organisation is required to adhere to. They also need to be trained in which tools, devices and technologies they’re permitted to use to do their work, and how to implement them safely.
This practical stuff is vital – but to build a culture of cybersecurity best practice, deeper employee engagement is required. Education programmes must therefore explain the ‘why’, as well as the ‘what’ and ‘how’: the reasons data protection is important, and the specific risks and consequences to the business of a breach. This context will help to increase accountability and ownership.
Strengthening cyber resilience
We’re all now acutely aware that no organisation is immune to the effects of a crisis – whether it’s a pandemic or a data breach. Strengthening cyber resilience is all about being better positioned to prepare for, respond to and recover quickly following an incident. It’s important that organisations shift their focus away from trying to achieve ‘complete security’ to ensuring they have all their ducks in a row if something should occur.
Hybrid working will expand the threat surface, as staff access networks, systems and databases from multiple locations, using a mix of business and personal devices. Organisations are increasingly turning towards the company-wide encryption of data as a straightforward way of managing risk in this complex new working environment.
Encryption is specifically recommended by Article 32 of GDPR as a method to protect personal data, while Article 34 removes the obligation for companies that experience a data breach to inform each individual affected if encryption has been applied. Article 83 suggests that fines will be moderated if a company can show it has been responsible and mitigated damage suffered by data subjects. In short, encryption will give organisations the ability to demonstrate transparency and due diligence.
By providing employees with removable USBs and hard drives that automatically encrypt all data written to them, companies can give everyone the capability to securely store data offline, and move it between office and home safely. The data will be unintelligible to anyone not authorised to access it, so whatever happens to the device, the information on it will remain secure. These devices can also be used to back up data locally, mitigating the risk of being targeted in the cloud, and helping the business to get up and running again fast following a breach or other disruptive event.
We expect cyber-attacks – in particular ransomware, malware and phishing – will continue to rise through 2021, as hackers take advantage of people once again getting to grips with a new way of working. Building a culture of security awareness and individual accountability, and combining this with improved resilience, will put organisations in the banking and finance sector in the strongest position to weather whatever storms are coming their way.