It is indeed a crazy, crazy time at the moment, with COVID-19 and countries implementing lockdowns, travel bans, and restrictions on movement. In order to “flatten the curve”, many companies are opting to allow their teams to work remotely. This is an admirable practice (and one long overdue in my opinion); however, as a business you still need to ensure that your company data is taken care of. Here are three key data protection factors that you still need to consider when people work remotely.
Implement a policy
Be it part of your Bring Your Own Device (BYOD) policy, part of your IT Acceptable Use Policy (AUP), or a standalone temporary additional policy, make sure you have some sort of guidelines out there. Folks need to know what is expected of them, and you need to have some sort of communication to set this. Working from home is different to working in the office, but it does not need to be less productive. I found that a number of my team members in the past were more productive at home, given the lack of distractions and the eagerness to perform in light of the benefits. You just need to ensure that folks know what your expectations are, both from a productivity standpoint and from a data protection standpoint.
Be sure to use private clouds or company-managed services
Many folks may need to use their own equipment to perform their functions, such as home computers, laptops and other devices. These are devices that you have little to no visibility of, and as such pose a risk to your business. The more folks work in public cloud services such as consumer/free subscriptions to Dropbox, Evernote and the like, the more the spiderweb of your data grows – into places where you can’t see. You need to ensure you are using some sort of enterprise edition of these tools, a centralised storage system, or a tool where you can maintain visibility of your data. Many people shy away from the cost of an enterprise system like Office 365 or Google G Suite, making the assumption that it is too expensive without actually doing a cost/benefit analysis. I have found that time and time again these services pay for themselves in the security, management, and functionality they provide. I personally lean towards Office 365 given Microsoft’s privacy compliance dashboards, the sheer power of Exchange Server, and the centralised management of SharePoint; however, either offering can work in your favour.
Ensure an adequate level of protection
At the very least, get staff members to self-certify that their home equipment is protected with the same methods that your office infrastructure uses. This can be difficult, and in some cases it may be easier to provide a list of things that are not okay, as opposed to what you expect teams to use. You can’t insist that someone pays for the very expensive endpoint protection you are using in-office when they are using a perfectly acceptable alternative. Rather, mention which alternatives are no-gos, and let folks self-manage. If someone is using an unacceptable tool, it may be worth exploring providing assistance in order to bring their infrastructure up to acceptable levels. Two key items to consider in ensuring adequate protection are encryption and two-factor authentication. I would even hazard that having two-factor authentication is more important than encryption in terms of employees working from home.
If you need any help drafting these policies and documentation, Ross G Saunders Consulting offers a number of template policies, advisory, and staff education as far as data protection is concerned. Drop me a line or simply select a slot in my calendar below.