Data Protection Best Practices for a New Remote Workforce

Businesses must address risks associated with an expanding remote workforce. Getting started can be daunting, but in this guest post Forcepoint’s Romeo Gain outlines what you need to know to build an effective data protection action plan.

Business leaders are grappling with the challenge of increasing numbers of remote or distributed employees who need secure access to sensitive data and internal resources to get their work done. The data protection challenges businesses face today are credible and arise from many sources, including malicious external or internal attackers and accidental data loss.

Your data is the lifeblood of your company. You have compliance data, such as customer or employee records, and you have critical business data, such as intellectual property, that could include commercially sensitive information like pricing, contracts and formulas. Depending on your industry, there may be numerous compliance requirements and you may even conduct yearly audits to ensure they’re being met. As businesses grow and expand their employees and offices, their critical data has also increased and oftentimes is stored within online cloud solutions. Whether data is stored on your company’s protected network or at a third-party data center, visibility and protection of that data is important.

Accessibility to your data is also a key consideration. When users are given rights to view and use your data, are they accessing the data from a company asset, a personal device or even a public device? How is the data being used? Is it being shared externally, taken from the cloud storage to an untrusted individual or is the data being copied onto a local USB device? Situations like these are where visibility and the ability to protect the data from exfiltration is paramount. Preparing a plan that provides visibility and control of your data, no matter where it may live, will help strengthen the protection of your sensitive information.

When it comes to developing a data protection strategy in a volatile world, it isn’t enough to eliminate day-to-day challenges; it’s about making sure your strategy helps you effectively achieve your business goals. Policies should focus on people’s interactions with data, including endpoints, network storage, email, webmail and even personal devices and cloud apps that you don’t manage. Data protection goes well beyond simply tracking and blocking the movement of files.

An effective data protection strategy starts with understanding who is accessing your data. Based on the user’s role in the company, it can be determined if he/she needs access to sensitive data. For example, if the user is a financial analyst, he/she will have access to the company’s financial data but if the user is a custodian, he/she more than likely should not have access to any company financial data.

The strategy also needs to consider what data is being accessed. If a user is trying to access a file that contains this evening’s grocery list, the risk is relatively low or even nonexistent. However, if the file that a user is trying to access contains client information or intellectual property, security needs to be established around the file to protect it from being accidentally or maliciously exfiltrated. Properly identifying data as critical is important because we want to protect data that is truly sensitive and not block benign information.

Keeping false positives low is also key to any data protection strategy. The last thing we want to happen is to break normal business processes because of false positives. Equally important, this strategy needs to help the company understand what risks the user poses. In many cases, data leaks are accidental. However, when data exfiltration is malicious and sourced from an internal user, the company then needs to investigate further.

These are all activities that could lead to data exfiltration, posing a great risk to the company. Once a company understands the user’s risk level, actions can be taken to prevent data exfiltration by a risky user before it happens, such as automating procedures to eliminate the need for an administrator to make those changes.

Wherever your users may be, whether they are working in the office or remotely from home or a hotel, a strategy around how the company will protect its critical data needs to be in place. This strategy needs to provide visibility into who is accessing your data, what data they are accessing, whether that data is critical to the company and whether the user should have access or be able to move the data around based on the risk they pose to the company.

Your data protection action plan:

Human-centric cybersecurity changes everything and can mean the difference between data leaks and safeguarding data for your company.