Digitalization efforts have forced businesses to build increasingly complex systems to manage the mounting number of computers and devices operating on office premises in the last decades. These company networks have, in time, become the norm for enterprises and large organizations and the focus point of data protection and cybersecurity efforts. The COVID-19 pandemic, however, has turned things on their head.
As companies rushed to adopt work from home strategies to ensure the continuation of business operations, work computers headed out of the security of company networks into less controllable home environments. While measures such as the use of Virtual Private Networks (VPNs) and Virtual Desktop Infrastructure (VDI) have kept endpoints connected and dependent on company networks for data access, companies cannot monitor the security of personal spaces. This has always been a point of contention for companies advocating against the adoption of remote work, especially those falling under the incidence of stricter data protection regulations and standards such as PCI DSS, HIPAA, or GLBA.
However, the pandemic has compelled all businesses to adopt work from home on a scale greater than even its biggest supporters had ever anticipated. Worse still, because it had to be implemented at such short notice, many companies found themselves accepting security compromises or generic strategies that may prove inadequate in the long term.
Data security concerns while working from home
Although some data protection authorities have announced that regulations would be relaxed to accommodate work from home due to the extraordinary circumstances companies need to operate in, it does not mean data protection requirements are no longer mandatory. Data protection authorities may be more lenient during these times, but they will not turn a blind eye to intentional disregard for data protection.
Work from home makes data more vulnerable primarily due to the absence of a controlled work environment. In an office, work computers and their data can only be accessed by employees, in spaces entered using company badges, monitored through cameras, and on-site security personnel. Companies cannot control who comes and goes in the home of an employee, whether third-parties have access to a work computer or employees choose to work on the road while traveling or in public places such as parks or cafes. This opens work computers up to the possibility of physical theft and outsider tampering.
Data stored locally on work computers is particularly defenseless. If an employee chooses to connect to a public WiFi to check personal emails, falls victim to a phishing attack, or connects an infected device to the computer, that data can be easily targeted by malicious outsiders and stolen. Companies cannot prevent employees from using personal and public internet networks and indeed many do because solutions such as VPNs can sometimes slow down internet connections leading to frustration.
Many data protection policies may also stop working when an endpoint is no longer connected to the company network or the internet. This means that employees can easily bypass any restrictions applied to sensitive data by disconnecting their devices.
Protecting data at the endpoint
While companies cannot monitor security practices in personal spaces, they can secure work computers through solutions applied at endpoint rather than the network level. In this way, they can ensure that data is protected whether a computer is connected to the company network or not.
Data Loss Prevention (DLP) solutions, when applied at the endpoint level can help mitigate the risks of data stored locally, regardless of whether a computer is connected to the internet or not. Through complex scanning tools that inspect data based on both content and context, DLP solutions can identify where data is being stored locally on work devices and encrypt or delete it where it is found. They can also block their transfer over the internet or to removable devices.
These policies can be applied not only locally on work computers, but also in VDI and Desktop-as-a-Service (DaaS) that allow employees to connect to a virtual desktop from their computers and perform their work there rather than directly on their devices. While these services reduce the chance of data being stored locally, they do not control how employees use and transfer that data outside the virtual desktop.
Companies have the possibility to take things one step further and, through DLP solutions such as Endpoint Protector, apply Outside Network and Outside Hours policies that strengthen the protection of sensitive data when employees work from home. It allows them to set stricter monitoring and control policies when a work computer is taken outside the company network or is used outside of regular working hours, thus adding an extra layer of data security.
The current pandemic has been a testing ground for remote work as a viable alternative to office environments. If many companies previously argued against working from home, especially in the context of data protection regulations, they have now been forced to find quick methods of implementation to keep their operations running. With its feasibility on a large scale now undeniably proven, work from home is likely to become a widely accepted practice. Companies must therefore add data protection, with all its requirements, to their remote work plans as they have done to all their cybersecurity strategies in the past.