Is Encryption the Answer to Data Security Post Lockdown? #NCSAM

Remote work and working from home have grown exponentially over the past decade. In fact, a 2018 study from Apricorn found that 100 per cent of surveyed IT decision makers noted that they had employees who work remotely at least some of the time.

However, the COVID-19 pandemic and resulting lockdown have forced a large number of employees into unfamiliar territory, not just remote work, but full-time working from home (WFH). While some businesses may have long adopted remote work strategies as part of increased flexibility, others have resisted due to the risks posed to data security and compliance efforts.

Worryingly, a more recent (2020) survey by Apricorn found that more than half (57 percent) of UK IT decision makers still believe that remote workers will expose their organization to the risk of a data breach. Employees unintentionally putting data at risk remains the leading cause of a data breach, with lost or misplaced devices the second biggest cause.

More than a remote risk

Whilst some are already transitioning back into the workplace, many are questioning whether WFH could become the new norm. The issue remains, however, that remote working brings a number of challenges to data protection, be it an increased risk of external attacks or employees’ tendency to relax security practices when working from home. Whatever the case, sensitive information leaving the confines of the office walls will always be more vulnerable than when it is safely secured on the corporate network.

Employees may well be tempted to use personal devices when working from home, or businesses may have introduced the need for video conferencing tools or document sharing services, but it is critical that businesses take on the onus of securing information before employees put data at further risk.

Our survey found that, of those with an information security strategy that covers employees’ use of their own IT equipment for mobile/remote working, forty-two per cent said they permitted only corporate IT provisioned/approved devices, and have strict security measures in place to enforce this with endpoint control. Additionally, seven percent tell employees they’re not allowed to use removable media, but don’t have technology in place to prevent this.

Every organization should cover the use of employees’ own IT equipment for mobile and remote working in their information security strategy. If businesses want to secure data on the move, it is essential that encryption and endpoint control are applied to all devices, whether that be laptops, mobile phones, or removable devices such as USBs.

Data must remain on lockdown

Despite COVID restrictions showing some signs of easing, data must always remain on lockdown. Whether employees are working from home or not, the GDPR has clear mandates for data encryption: firstly for compliance (Article 32), and secondly to mitigate the impact on any organization that suffers a breach (Article 34), which removes the obligation to individually inform each citizen affected if the data remains unintelligible.

Additionally, Article 83 suggests that fines will be moderated where the company has been responsible and mitigated any damage suffered by data subjects. Businesses will find that they are in a stronger position to defend themselves in the event of a breach should they be able to demonstrate the use of encryption practices.

The good news is that we have seen an increase in encryption and endpoint control. Nearly all survey respondents (94%) say their organization has a policy that requires encryption of all data held on removable media. Of those that encrypt all data held on removable media, more than half (57%) hardware encrypt all information as standard.

Businesses are seeing the value of encryption, but this is an ongoing process and it needs to cover all devices. The research highlighted that a number of those surveyed have no further plans to expand encryption on USB sticks (38%), laptops (32%), desktops (37%), mobiles (31%) and portable hard drives (40%). With so much data now moving beyond the corporate perimeter, it’s imperative to address the importance of encryption in protecting sensitive information, whilst giving staff the flexibility required to work remotely.

The value of encryption

Hardware encryption offers much greater security than software encryption, and PIN pad-authenticated, hardware-encrypted USB storage devices offer additional, significant benefits. Being software-free eliminates the risk of keylogging and doesn’t restrict usage to specific operating systems; all authentication and encryption processes take place within the device itself, so passwords and key data are never shared with a host computer. This makes them particularly suited for use in highly regulated sectors such as defense, finance, government and healthcare.

By deploying removable storage devices with built-in hardware encryption, a business can roll this approach out across the workforce, ensuring all data can be stored or moved around safely offline. Even if the device is lost or stolen, the information will be unintelligible to anyone not authorized to access it.

The pandemic has thrown up many challenges this year, but data protection should not have been one of them. It should not be an afterthought, something incorporated into the business strategy as a result of an incident, but one that’s core to business operations and security best practice.

Organizations should analyze their data, identify everything that should be protected, understand where it exists and how it is transported, and ensure that it is encrypted at all stages of its lifecycle. Encryption and endpoint control can ensure that data remains secure and businesses can be prepared for the risks that come with an enduring remote workforce.  
