IT leaders are being kept up at night by one big worry: the increased risk of a data breach due to more employees working remotely. Forty percent say this is their top concern when it comes to remote work. 

And with good reason. 

Remote work, especially when accelerated by events like COVID-19 pandemic, compels employees to work on unsanctioned devices, apps, and networks, increasing the attack surface for bad actors, and leaving few checks in place for careless behavior that leads to data leaks. There are a few proactive measures that IT leaders can take to get back on track, and protect valuable information while embracing the reality that remote work is here to stay. 

1. Unsanctioned Apps are Targets for Hackers

Risk: The rapid transition to remote work due to the coronavirus pandemic is driving content sprawl, and more three-quarters of CIOs are concerned about its impact on governance. Sprawl-creators like Microsoft Teams and SharePoint are growing at a rapid clip, and seeing an influx of consumer-grade file sharing apps. As workers find new ways to get their jobs done from home, many bypass time-consuming security measures like VPN by saving more data locally, sending over email, or sharing through unsanctioned cloud apps. Many of these don’t include basic security controls like two-factor authentication or file encryption, and are easy to compromise by even the most amateur of bad actors looking to install malware or steal customer data. 

How to address it: Companies can reduce their content sprawl by focusing on the most valuable kinds of data and repositories (such as a primary file share), and making it easy to securely access and share files without additional hoops. Take a hard line on consumer-grade apps and services that allow users to provision their own accounts and grant external access to files without IT oversight. Then, provide an alternative. Opt for cloud-first, user-friendly services that make it less likely that employees will circumvent policies or introduce new tools into the mix. Deploy passive protections like end-to-end encryption, anomaly detection, ransomware detection and suspicious login alerts that can run in the background without the user experience issues that drive employees to find workarounds. 

2. Sprawling Toward a Larger Attack Surface

Risk: The primary goal of reining in content sprawl is to gain visibility and control, and reduce risk across the organization. But good governance is also about good data hygiene. One byproduct of sprawl is an increase in duplicative data as files are saved locally, emailed, and copied to cloud repositories. ROT (redundant, old, and trivial) content does more than just clutter up the workspace and eat up storage. Given that nearly a quarter of IT leaders report PII or proprietary data inside 75 – 100 percent of company files, ROT also carries very real risk in the event of a breach. The more copies of a consumer’s personal data, the harder it becomes to carry out DSARs and mandatory breach reports, and drives up per-record costs in the event of a compliance violation. 

How to address it: The bottom line is don’t keep old or duplicative files laying around that are low value and high risk. Establish policies that dictate what kinds of data will be archived or deleted, how often, and when. For companies with significant file loads, automation is the only realistic way to enforce those policies. Automate retention, archival, and disposition as much as possible through metadata tags, folder locations, file age, and last accessed date, as well as legal, regulatory, and contractual requirements. When automation isn’t possible, designate department owners as data stewards to regularly purge old and unwanted content, and flag items for retention that must be kept for legal or business reasons.  

3. Personal Devices Are Vulnerable to Data Theft

Risk: IT leaders estimate that 37 percent of employees are now using their own devices to access company files. That may not sound like a big deal until you consider that almost half of corporate files contain sensitive information like credit card information and social security numbers. Employees routinely save this data to personal devices which are open to family members, irregularly patched and updated, and have no enterprise security in place. Many are not even password protected. In fact, only 35 percent of CIOs report having enacted explicit policies requiring passwords on personal devices. It’s scary to consider what happens when that laptop is stolen out of a car, or the iPhone is left behind at a restaurant. BYOD policies can turn opportunistic device-level access into a gateway to massive corporate data theft and ransomware attacks.

How to address it: Setting password requirements for personal devices is the bare minimum, but there are other things you can do to strengthen your security posture around BYOD. Train employees not to leave devices unattended or unlocked, and enable any available MDM services on the apps they use, so files can be wiped if the device is lost or stolen. Find a solution that enables local sync to a cloud server to minimize the amount of data downloaded to a personal machine. If your budget allows, provide employees with hardware that is centrally managed and controlled by IT.

4. Access Control Models Don’t Translate to Cloud Apps

Risk: Insider threat is the number one cause of data breaches worldwide, and it all begins with access to sensitive data. It is essential to know who has access to what information, and quickly be able to revoke that access if an account is disabled or compromised. But 39 percent of CIOs say work from home makes permission management harder. When a mix of cloud apps replace the file share in order to make “remote” work, permission structures are often the first to go. Many cloud services don’t offer the comprehensive, familiar permissions model of a traditional file server. But granular sub-folder permissions can enable, say, a member of the marketing team to have some access to the contents of the finance folder, but not all. Without this level of control, there emerges a scattershot, one-off permissions model with no parity between apps in use across the organization. From there, it’s just a matter of time before the weakest link in your organization gains access to something they shouldn’t. 

How to address it: Standardizing access around a least-privileged model is the gold standard, even in the remote work era. Start by understanding the capabilities and limitations of your cloud stack and set up guardrails to protect and monitor permissions. Do you have a way to quickly identify over-accessed users? What is the default access level for external users? When you end a relationship with a supplier or contractor, how easy is it to verify that access has been revoked? Is it possible to visualize and bulk remediate access issues, or is it handled on a time-consuming, file-by-file basis? By answering these questions, companies can get a better handle on the amount of manual work that goes into permissions management. From there, set a schedule and process to regularly audit permissions and stick to it. 

5. Home Networks are Fundamentally Insecure

Risk: Shockingly, nearly 30 percent of CIOs estimate that their employees regularly access corporate content from unsecured WiFi networks. From man-in-the-middle attacks to network traffic sniffing, the risks of open networks are well established, and home Internet is no exception. Just because you’re not working from a crowded coffee shop in the time of COVID-19, doesn’t mean that your data isn’t at risk. 

Even under the best of circumstances, home networks just don’t provide the same security controls as an enterprise environment. Workers should be wary of malware, worms, and viruses coming from other machines on the network — whether it comes from a teenage gamer or a connected IOT device like an appliance or security camera. Bad actors can easily exploit home routers with poor passwords and outdated firmware to monitor and siphon data from the network traffic or gain access to a device, often evading detection completely. 

How to address it: Only 60 percent of organizations have specific policies requiring passwords on home networks. Do yourself a favor, and become one of them ASAP. The majority of remote organizations utilize VPN as a first line of defense for data-in-transit, but it can be onerous for users, pushing them toward personal email and other consumer-grade apps to complete “simple” tasks like sending a file. If always-on VPN isn’t realistic, centralizing content in a secure cloud environment that utilizes encryption, sharing controls, and a “local-like” desktop experience can be a good option for basic content collaboration. 

Distributed work is more than just the new normal — it is an enormous opportunity for IT departments to lead through digital transformation. As a new slate of tools, technologies, and processes are implemented, staying ahead of risk will be more important than ever.

 

To learn more about WFH security risks and ways innovative IT leaders are working to mitigate those risks, read Egnyte’s 2020 Data Governance Trends Report.

 

Comments are closed.