Like businesses in other highly regulated industries, defence organisations are having to tread an increasingly precarious line between data availability and data security. More and more people are working out of the office, and need to be able to access and share information when they do: over a third of UK employees already work remotely at least some of the time, according to research from Apricorn. Data volumes are also rising, with organisations across all sectors gathering, handling and using more than ever.
These trends have led to a growing need to securely store, move and access larger amounts of confidential data and IP outside the controlled perimeter of the corporate network. For businesses in defence, this need is at odds with the requirement to ensure that all the data they handle remains absolutely secure at all times – both at rest and on the move.
Remote working is risky. Almost all respondents to the Apricorn survey agreed that their organisation still had problems with it, with a third admitting they had already experienced a data loss or breach as a direct result of mobile working.
Transporting data offline, by storing it on mobile, portable and removable media devices such as USBs and external hard drives, can help to defend against threats such as targeting in the cloud. Devices are easily lost or stolen, however, so the act of physically carrying information outside the workplace comes with its own set of risks.
Some organisations have taken radical steps to mitigate the risks of remote working, such as clamping down on flexible working practices, limiting the use of mobile and cloud platforms, and banning the use of removable media devices. This may seem like a sure way of reducing the attack surface – but it comes at a cost in terms of compromising efficiency, and limiting the availability and accessibility of data to employees who need it.
By following these four steps, organisations can control, monitor and securely manage data when it’s outside of their central systems, without restricting the productivity and responsiveness of their mobile workers.
Begin by identifying the specific risks your organisation is exposed to from employees working remotely. Audit all the data you hold, and map out its journey, not forgetting to include the partners in your supply chain.
Establish how information is being used, who is authorised to access it, when and why, and the controls applied to it at each stage in its journey. This will bring visibility of any ‘gaps’ in the security strategy, and highlight points at which data might be vulnerable to attack or loss.
Update, create and enforce (as appropriate) policies and processes to address any chinks you discover in the organisation’s armour. Apricorn’s survey found that one in ten companies do not currently have security policies that cover storage devices such as USBs, or remote working and BYOD.
The mobile and flexible working practices employees are required to follow must be clearly set out, along with the types of device allowed by the business and how they are to be used. Policies should be rigorous but also uncomplicated in order to encourage buy-in from users.
Protecting data is a collective effort. Every employee needs to take responsibility for safeguarding the information that passes through their hands, and this requires education and culture change. In addition to reducing the probability that employees will inadvertently expose data to theft or loss, this will increase engagement and accountability across the business.
Training programmes should cover the rules and processes remote workers must adhere to, along with the technologies and tools they are permitted to use, so every individual understands exactly what is expected from them.
Just as important, however, is making sure that employees at all levels are aware of the value of the data they work with, the specific risks of non-secure mobile working, and the consequences of data breaches for the organisation. Leaders who act as role models by ‘walking the talk’ also play a key role in building a culture of data security.
More than half the organisations that responded to the Apricorn survey said that one of their three biggest problems with remote working is the complexity of the technology they have deployed to keep data safe on the move. Devices provided to employees, or sanctioned for their use, must therefore be intuitive and hassle-free to use.
A straightforward approach to providing reliable protection for high volumes of confidential and valuable information is to mandate the use of a corporate-standard USB storage device that automatically encrypts all data written to it with military-grade hardware encryption. The business can monitor and enforce the use of such devices by whitelisting them on the IT infrastructure, blocking access from all non-approved media.
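As an added illustration (not part of the original article and not any vendor's tooling), the allow-list check described above can be sketched as an audit over USB enumeration log lines, enrolling devices by serial number rather than by model alone. The vendor and product IDs, serial numbers and log lines are constructed sample values, and the function names are hypothetical.

```python
import re

# Constructed allow-list: (vendor ID, product ID) -> serials of corporate-issued units.
# Every ID and serial here is a made-up sample value.
APPROVED = {("0a1b", "2c3d"): {"CORP0001", "CORP0002"}}

# Constructed lines in the style of Linux kernel USB enumeration messages.
SAMPLE_LOG = """\
usb 1-2: New USB device found, idVendor=0a1b, idProduct=2c3d, bcdDevice= 1.00
usb 1-2: SerialNumber: CORP0001
usb 1-3: New USB device found, idVendor=0a1b, idProduct=2c3d, bcdDevice= 1.00
usb 1-3: SerialNumber: PERSONAL77
usb 1-4: New USB device found, idVendor=ffff, idProduct=0001, bcdDevice= 1.00
usb 1-5: New USB device found, idVendor=0a1b, idProduct=2c3d, bcdDevice= 1.00
"""

FOUND = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})"
)
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")

def parse_devices(log):
    # Group enumeration lines by USB port; a serial line attaches to the
    # most recent device seen on the same port.
    devices, by_port = [], {}
    for line in log.splitlines():
        m = FOUND.search(line)
        if m:
            dev = {"port": m.group(1), "vid": m.group(2).lower(),
                   "pid": m.group(3).lower(), "serial": None}
            by_port[dev["port"]] = dev
            devices.append(dev)
            continue
        m = SERIAL.search(line)
        if m and m.group(1) in by_port:
            by_port[m.group(1)]["serial"] = m.group(2)
    return devices

def decide(dev, approved=APPROVED):
    # Default deny: the model must be approved AND the unit must be enrolled.
    serials = approved.get((dev["vid"], dev["pid"]))
    if serials is None:
        return "block: model not approved"
    if dev["serial"] is None:
        return "block: no serial reported"
    if dev["serial"] not in serials:
        return "block: approved model, unit not enrolled"
    return "allow"

def audit(log):
    return [(d["port"], decide(d)) for d in parse_devices(log)]
```

Matching on model alone would admit a personally purchased unit of the approved device, which is why the check requires an enrolled serial. Descriptor values are reported by the device itself, so an audit like this complements endpoint device-control enforcement and does not replace it.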
A device that is software-free will eliminate the risk of software hacking and keylogging: because all passwords and commands are entered via the PIN pad, and all authentication and encryption processes take place within the device itself, passwords and key data are never shared with the host computer.
Implementing strong encryption will lock all data down, on the move and at rest, so that if a device does get lost or stolen the information on it will be unintelligible to anyone trying to access it. Encryption is a particularly useful part of an organisation’s GDPR toolkit; the encryption of personal information is specifically recommended in Article 32 of the regulation’s framework.
As mobile and flexible working practices continue to evolve to drive improved agility and efficiency, businesses that decide to impede the flow of information to ensure security could easily get left behind. The numbers of employees working remotely will continue to rise, as will the need to quickly and securely transfer large volumes of data.
It is possible to control data when it is outside the organisation’s central systems, while still allowing mobile workers to be efficient and productive. Identify the specific risks of remote working, address them, educate users in their responsibilities, and apply encryption as standard to give you full confidence that any sensitive or valuable data leaving the premises will never be exposed to compromise.