As work from home becomes the new normal, organizations are rushing to keep up with data privacy and compliance regulations. This is the first post in a three-part series about how HDLP (Host Data Loss Prevention) can help your organization for remote working employees.
Employee Safety should not compromise data security
The healthcare crisis has made remote work the new normal for almost all organizations around the world. While work-from-home is not new to the software sector, having the entire organization to do so is unprecedented. Work from home security is still not as robust as it should be. Imagine the security requirements for organizations that prioritize data security and compliance for their clients and have hundreds of controls in place even while employees are working within the office network that is equipped with their own firewalls and other security measures.
The crisis that has been unfolding in front of us requires social distancing and isolation which has necessitated employees work remotely from their homes. Organizations are placing employee health as a priority so they can work from home. But this means weaker security for data that would normally be secure within the organizational environment. Employees are connecting, collaborating, and chatting in new ways to maintain productivity and business continuity even in the face of such challenges. Though commendable, we do have to prioritize work from home security.
There is a complete lockdown in many countries, which may be extended as necessary in the future too. The uncomfortable but a true fact is that most organizations will not be prepared for their endpoints security with regards to data protection, data integrity and data compliance regulations.
There are additional risks that can aggravated in these trying times such as:
- Data theft by a disgruntled employee
- Data breach by a long term employee
- Sensitive corporate data shared on public domain
- Sensitive corporate data shared with third parties
It is not just a question of trust with employees but also ensuring that client data entrusted to your organization is uncompromised for any reasons such as data leakages, IP theft, or even data harassment.
What is Data Loss Prevention (DLP) and Host-DLP?
Data Loss Prevention (DLP) solutions are designed to eliminate the risk of sensitive information leaving the organization. DLP protects data use, data in motion on your employee network, and also data at rest in the data storage devices such as office laptops, mobile phones, and tablets. DLP monitors all the data to protect it through thorough inspection and a contextual security analysis to ensure complete compliance with organizational data security policies. DLP identifies business critical data that is confidential and recognizes any violation of organizational and regulatory policies. It provides a centralized framework to not only prevent unauthorized use and transmission of your sensitive client data by external threats but also against inadvertent employee mistakes that can put your organization at risk. Host Data Loss Prevention is the use of tools to stop intentional and unintentional removal of organizational data by employees or third parties through host systems. Work from home security can be compromised in any of the following ways:
- Employees sharing data via their personal email
- Employees sharing data via their personal drives like Google Drive and Dropbox
- Employees performing data transfers through SSH, FTP and RDP outside the organization’s purview
- Employees storing the confidential data such as customer details on USB drives
- Employees sharing the information like access credentials with third parties with malicious intents
- Employees deleting the data by accident
- Employees storing the details via Screenshots
- Employees sharing the details with third parties like freelancers and agencies without understanding security implications
- Employees giving their mail access to third party platform (like OAuth Logins)
- Employees using social media to share information with other parties
Whether intentionally or inadvertently, any of the above scenarios can have serious implications for your organizational security and reputation. That is why, in the context of work from home security, it is imperative for organizations to have Zero Trust policy.
Work from Home Security Essentials
Most organizations have sensitive data that should never leave the organization. But their data protection strategies are mainly focused on organizational network level, further enforced by preventing employees from accessing data outside their strictly regulated environment.
The truth is that most organizations are not prepared for all their employees working remotely. This has been the most efficient way to handle cybersecurity for data-sensitive organizations to ensure zero compromise. But this data is at serious risk in the chaos of adopting new procedures and policies on the go.
Employees across all levels are logging into company sites, participating in online meetings, and interacting with sensitive computer data through their home networks and mobile phones. Away from the scrutiny of the office network, employees may use new software to make it easy to work that may not be authorized. Moreover, malintent too is always a threat in organizations of any size. Here are some of the types of data categories that can be leaked by or through employees:
Corporate Data |
Transaction Data |
Customer Data |
Personally Identifiable Data |
Price/ cost lists |
Bank payments |
Customer list |
Full name |
Target customer lists |
B2B orders |
Spending habits |
Birthday, birthplace |
New designs |
Vendor data |
Contact details |
Biometric data |
Source code |
Sales volume |
User preferences |
Genetic information |
Formulae |
Purchase power |
Product customer profile |
Credit card numbers
|
Process advantages |
Revenue potential |
Payment status |
National Identification/ passport numbers |
Pending patents |
Sales projections |
Contact history |
Driver’s license number, vehicle registration number |
Intellectual property |
Discount ratios |
Account balances |
Associated demographics |
Unreleased merger/ acquisition plans and financial reports |
|
Purchase/ transaction history |
Preferences |
Legal documents |
|
Payment/ contract terms |
|
Employee personal data |
|
|
|
In the next post, we shall examine the right approaches to addressing these work from home security issues.