Cybersecurity and Fraud Protection
Data protection in a changing work environment
No matter whether your company has come back to the office full-time or utilizes hybrid and remote work, take time to review your data protection policy.
When COVID-19 lockdowns forced an abrupt restructuring to employees’ routines, many organizations scrambled overnight to develop or modify controls to reduce risks. Organizations with strong data management, technology and operational response plans were able to effectively manage business demand and/or supply chain disruptions. They developed stronger security protocols, such as secure remote access, video meeting tools and enhanced data protection protocols, to ensure employees maintained compliance standards when processing sensitive information.
Now, many of those temporary fixes have led to permanent changes in operations and business continuity plans as employees return full or part time to the office.
“We’ve seen indicators that some data management security protocols enacted as a result of the pandemic will continue. Within Commercial Banking, our business, technology and operational support centers amplified existing design and security practices to manage data in an efficient, controlled and safe manner,” said John Bassett, Executive Director for Data Management, Commercial Banking.
As organizations adapt to the new normal, use these questions below to guide your data privacy assessment and identify what changes might be needed.
What’s in the data, and why?
Know your data. Identify and inventory the categories and sensitivity of data that is processed by your organization. Certain data elements will require special handling and more stringent controls (for example, personal data of individuals and material non-public information). This inventory will assist in assessing requirements of specific laws or regulations about collection, use, transfer, storage, or retention of data and the impact of such requirements on the organization.
Where is the data?
Are your data, applications and services stored onsite or in the cloud? Are there backups in different locations? How readily can those backups be accessed? Do you have an incident response plan for handling scenarios, such as a cybersecurity attack that results in lost or stolen data? You should also evaluate the security of your data in transit. Even if your server is a fortress, there’s a good chance that employees may access Wi-Fi from an unsecured home network. Consider requiring encrypted connections (using a VPN or remote desktop) for all work-related tasks when connecting remotely.
Who has access, and how?
Employees who have returned to the office may now access and print information that was under a view-only access policy during remote work. Adopt the best practice principle of least privilege, allowing authorized users access to only the specific data they need to complete their duties. Continue to remind your workforce of the need to be diligent when handling confidential data whether in paper/electronic form or being shared verbally. Require users to create unique, complex passwords (with a combination of letters, numbers and symbols) that are changed regularly. Implement multifactor authentication, which adds additional layers of security by requiring the use of a physical token or a one-time password to authenticate the user.
Are continued investments in technology needed?
Evaluating your data protection policy is an ongoing process as new technologies, new regulations and global guidelines impact the way organizations store and share personal information. Business leaders should commit to strategic investments in new technologies that strengthen data security, such as remote security enhancements, encryption tools, data loss prevention tools, collaboration tools and metadata management.
Have you designed the right culture?
The biggest risk often isn’t technology, but the humans who use it. Business leaders should develop a strong culture of data protection and safeguard practices, and stress the importance of continued cybersecurity education and training. Regular training sessions, such as lunch-and-learns or simulated drills, will help all employees understand their role in protecting data. Leaders should encourage teams to quickly report potential data risk issues and gather regular feedback from employees to help strengthen defense strategies.
- Evaluate your organization’s previous short-term changes to data protection standards and enhance them to align with a dynamic work environment.
- Know your data—where it is stored, how it is used and who has access to it.
- Continuously invest in technology and data loss prevention tools.