What were the chances the world would be hit by a pandemic in 2019? Nobody knew for certain, but here we are, almost two years into it, slowly returning to our pre-pandemic lives and shifting back from being entirely digital to a little analog. Data was always at risk, but the move to working from home put it at even greater risk.
When that heightened risk materialised as a breach, it was the Data Protection Officer who had to answer to the supervisory authorities, and that is never a comfortable position. Yet even as conditions have improved, many companies have decided to keep working from home, or to make it a permanent option for their employees. Hence in this article we discuss the role a DPO can play in minimising the risk of a data breach, the practices that support it, and how a DPO can take advantage of the work-from-home situation.
Role of a DPO in minimising risks
Remote working raises the cost of a data breach: in IBM's recent Cost of a Data Breach report, 70% of respondents said they expected it to do so. The primary reason is that when nobody is on-site to deal with a security event, it takes longer to identify and then respond to it. In practice, the most successful DPOs are those who have worked closely with their IT teams to ensure that the necessary safeguards are in place to secure data.
Consider the following measures:
- Not allowing access to everything:
Even though it is tempting to give everyone access to everything, strike a balance between the need to work remotely and acceptable data access and security. Define who is cleared to access which kinds of information, and through which systems. This creates a hierarchy that keeps the number of users with access to sensitive data to a minimum, which is also the number of accounts an attacker can usefully compromise.
- Discouraging local storage of data:
Use approved online tools and educate staff about the advantages of central access: centrally held data can be access-controlled, backed up and audited, whereas a copy on a home laptop cannot. Storage tools that have not passed penetration testing and similar security assessments should not be used.
- Regularly reviewing security standards:
Minimum security criteria for remote devices, such as disk encryption, strong passwords, VPN for internet access, and privacy screens, must continue to be enforced, and compliance should be checked periodically rather than assumed from the initial setup.
Best Practices to Minimize Risks:
While it is important to keep practices in place that minimise the risk to data, it is equally important to recognise that such practices only reduce risk and help companies stay in compliance with regulation; they are not a guarantee of data security.
Below, therefore, are a few practices a DPO can ensure are in place in their organisation to minimise risk.
Ensure Compliance with Remote Access Policy
- Protect data both in transit and at rest
Data in transit is information that is moving from point A to point B, such as between a SaaS application and a user's device. Data at rest is information that has been saved, such as files on a user's laptop hard disk. Data must be protected in both states.
The key technologies for data protection are access control and encryption. Remote employees, like other employees, must have a legitimate justification for accessing personal information, and that access must be documented and managed. Identity and access management (IAM) solutions help protect data from unauthorised access and modification.
Data transmitted over networks such as the Internet should be encrypted using HTTPS, a VPN, or another technique, and data must also be encrypted while stored "at rest" on servers and hard drives. To achieve this, the DPO must work closely with the IT department and impose encryption policies across all devices, including personal devices used by employees in some situations.
- Protect employee endpoints
Because a malware infection can result in a data breach, remote employees' endpoint devices (laptops, desktop computers, and mobile phones) must be safeguarded from cyber-attacks. Anti-malware software should be installed on all devices, and a secure web gateway can protect employees while they browse the web.
Lost devices, such as laptops or smartphones with sensitive data saved locally that employees inadvertently leave in a public place, are even more common than malware infections. This is another reason why device encryption is critical: an encrypted device that is lost is an inconvenience, while an unencrypted one is a reportable breach.
Data Breach Incident Monitoring
Breaches can occur despite the employer taking the requisite security measures. Businesses should therefore develop a response framework that covers communication of the breach, containment, and analysis of the incident, ending in a post-incident report. Each incident must be recorded carefully and used as a point of reference for future investigations. Breaches also reveal gaps in a company's security framework, so an effective process for dealing with them ultimately leads to better security overall.
A backup regime keeps a safe copy of all company data so that data lost as a result of a breach can simply be restored from the appropriate copy. To that end, all laptops should be backed up on a regular basis, and backup data should be categorised according to its level of confidentiality. Any data backed up to hardware devices such as external hard drives or USB drives must be kept in a secure location outside the office, and media holding confidential data should themselves be encrypted, since a backup is a second copy of everything worth stealing.
Remote Work Access
Several businesses have taken steps to ensure that their employees work on company-owned equipment. They have also put safeguards in place so that traffic from employees' home networks passes through virtual private networks (VPNs). A VPN encrypts data in transit from the home network to the company's core infrastructure, and it hides the client's real IP address, and therefore its location, from the services it reaches. It is worth verifying that the VPN in use employs strong, current encryption so that the tunnel itself is not the weak point.
Another measure businesses use here is MAC (Media Access Control) binding, which is intended to ensure that work can only be done on company hardware. It registers the MAC addresses of the LAN and WiFi interfaces of company hardware with the VPN, so that only authorised MAC addresses can reach the VPN interface. Note that a MAC address can be cloned by anyone who learns it, so MAC binding raises the bar against casual use of personal devices but should not be treated as strong device authentication on its own.
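The allowlist check that MAC binding relies on, as an added example that is not part of the original article or of any particular VPN product. It assumes a hypothetical VPN gateway log format (`<timestamp> user=<name> mac=<address> result=connect`) and a constructed device inventory; both are assumptions for illustration. It also shows the two details that make such a check correct in practice: MAC addresses must be canonicalised before comparison, because asset registers and logs use different separators and case, and the device must be bound to the user presenting it, not merely present in the list.

```python
"""
Added example (not from the original article): enforcing a MAC-address
allowlist ("MAC binding") for VPN connection attempts.

Assumptions (hypothetical, constructed for this example):
  - The VPN gateway writes one log line per connection attempt in the form
        <timestamp> user=<name> mac=<address> result=connect
  - The company's asset register exports the LAN and WiFi MAC addresses of
    its own laptops, which we hold in COMPANY_DEVICES.
"""
import re
from typing import Optional

# Constructed inventory: MAC addresses of company-issued hardware, in the
# mixed notations an asset register typically produces.
COMPANY_DEVICES = {
    "alice": ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f"],  # laptop LAN + WiFi
    "bob":   ["001a.2b3c.4d60"],                          # Cisco-style notation
}

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+mac=(?P<mac>\S+)\s+result=(?P<result>\S+)$"
)


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise a MAC address to lower-case 'aa:bb:cc:dd:ee:ff'.

    Accepts colon-, hyphen- and dot-separated forms as well as bare 12-hex-digit
    strings. Returns None for anything that is not a valid 48-bit address, so a
    malformed value can never accidentally match an allowlist entry.
    """
    hex_digits = re.sub(r"[:\-.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hex_digits):
        return None
    return ":".join(hex_digits[i:i + 2] for i in range(0, 12, 2))


def build_allowlist(inventory: dict) -> dict:
    """Map each canonical MAC to the user the device was issued to."""
    allow = {}
    for user, macs in inventory.items():
        for mac in macs:
            canon = normalize_mac(mac)
            if canon is None:
                raise ValueError(f"bad MAC in inventory for {user}: {mac!r}")
            allow[canon] = user
    return allow


def evaluate_attempt(line: str, allowlist: dict) -> dict:
    """Decide whether one VPN connection attempt should be accepted.

    The device must be in the allowlist AND bound to the user presenting it;
    a genuine company MAC used under someone else's account is rejected, which
    is what "binding" adds over a plain allowlist.
    """
    m = LOG_LINE.match(line)
    if not m:
        return {"line": line, "decision": "reject", "reason": "unparseable log line"}
    user = m.group("user")
    mac = normalize_mac(m.group("mac"))
    if mac is None:
        return {"user": user, "decision": "reject", "reason": "malformed MAC"}
    owner = allowlist.get(mac)
    if owner is None:
        return {"user": user, "mac": mac, "decision": "reject", "reason": "unknown device"}
    if owner != user:
        return {"user": user, "mac": mac, "decision": "reject",
                "reason": f"device bound to {owner}"}
    return {"user": user, "mac": mac, "decision": "accept", "reason": "bound device"}


def evaluate_log(lines, inventory=COMPANY_DEVICES):
    """Run every log line through the binding check and return the verdicts."""
    allow = build_allowlist(inventory)
    return [evaluate_attempt(line, allow) for line in lines]


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2021-11-02T08:01:12Z user=alice mac=00:1a:2b:3c:4d:5e result=connect",
    "2021-11-02T08:03:40Z user=alice mac=00-1A-2B-3C-4D-5F result=connect",
    "2021-11-02T08:05:09Z user=bob mac=00:1a:2b:3c:4d:5e result=connect",    # alice's laptop
    "2021-11-02T08:07:55Z user=carol mac=aa:bb:cc:dd:ee:ff result=connect",  # personal device
    "2021-11-02T08:09:21Z user=bob mac=001a.2b3c.4d60 result=connect",
    "2021-11-02T08:10:00Z user=bob mac=not-a-mac result=connect",
]

if __name__ == "__main__":
    for verdict in evaluate_log(SAMPLE_LOG):
        print(verdict)
```

Run as-is, the script accepts the three attempts from registered devices under their own accounts and rejects the others, including bob presenting alice's laptop. Because the address is read from the client's own interface, a determined user can clone a registered MAC; the check is worth keeping as a hygiene control, but the reject log it produces is more valuable as a detection signal than as a hard barrier.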
Client Services Contract Review
While the measures above concern keeping company data secure, this one addresses the liabilities companies may have towards their vendors, clients, and service providers. All contracts must be reviewed to see which rights and obligations are affected by remote work. Companies must then speak to the other party to request a waiver or agree a stop-gap arrangement until normal working conditions resume. Reviewing risk allocation is essential so that disputes do not arise, since they would be an added burden in already challenging times.
How can DPOs make the best use of WFH culture?
Beyond the additional issues, compliance obligations and threats that the pandemic has brought to a DPO's desk, it is equally important for a DPO to recognise how they can take advantage of working from home. Below are a few ways a DPO can do so:
- The key principles do not change:
The very first thing to keep in mind is that the essential principles of excellent data protection management – such as those described above – remain in effect, and it is critical that individuals continue to apply them in their daily work.
- Make the permanent move to a digital data storage system:
One of the most significant benefits of increasing the use of digital solutions is that it greatly reduces the perceived need for paper-based systems. This shift, from an antiquated "hard copy" method to having all data held on a secure online platform, is critical for organisations that want to improve both efficiency and security, since paper at home cannot be encrypted, access-controlled or wiped remotely.
- Use time more wisely:
People may have more time to devote to compliance-based activities if they spend less time commuting or traveling. Schedule a data protection check-up in people’s calendars on a regular basis to ensure that everything is still compliant.
- Be more flexible:
DPOs can use digital tools to be more flexible and mindful of people’s unique circumstances by scheduling virtual training sessions or updates that are convenient for them to attend.
- Find common grounds:
Having a shared digital platform for individuals to interact on and with can go a long way toward increasing compliance-related activity engagement.
The most important part in all of these is to remain visible – even if that isn’t technically possible, the DPO still needs to be the “go-to” person for help and support, and effective communications will be critical.
In sum, the person designated as a company's Data Protection Officer, the guardian of its data in the present digital world, has faced more trouble than they were prepared for, and the threat to data in this period has been at a record high.
Hence, the DPOs who were able to curb the risk to their data were those who had already chosen, or decided early, to work alongside their IT teams, and who made themselves available for training sessions, activities and any other matter raised by employees. To ensure that companies continue to work with ease while minimising the risk to the data they store, DPOs should keep the pointers above in mind.
This article has been written by Ayush Sahay.