We featured Heidi Shey in our recent webinar, What to Prioritize During Uncertain Times and sat down with her afterwards for a Q&A session to delve deeper into today’s most critical security risks and how to keep data protection and privacy top-of-mind.
What is the current state of data protection and privacy (due to work-from-home and budget cuts that may place businesses at higher-risk during uncertain times)?
Many businesses are on shaky ground. They very likely don’t know what they don’t know in terms of data sprawl, on top of facing added risks from work-from-home. Sensitive data isn’t just what is in files or databases. It can also include but is not limited to content shared via messaging apps and information that others in the household may overhear or see left out in the open. The threat surface has significantly expanded with this influx of remote workers, some now outside of the company’s typical security controls and many who may be struggling to do their jobs remotely now in their home environment.
For those not accustomed to having a work-from-home workforce and even those that had some, but then suddenly the entire workforce is now home, they were building the plane as they tried to fly it. Businesses concentrated their early efforts on ensuring business continuity and secure access to corporate resources because they had to; for many, the next priority is an additional focus on data protection.
What is the most critical security risk facing organizations today, and what mitigation efforts do you recommend?
Uncertainty. Financial distress, fear of layoffs, and disgruntlement toward employers create a perfect environment for insider threats. How you treat employees overall — how you communicate reduction in pay, handle layoffs with compassion, and create a safe workplace — will reduce or grow your risk of insider threat. Aggressive or misguided efforts to monitor employees for productivity not only violate employee privacy but also torpedo employee morale and trust.
Keep a sharp focus on employee experience. Be human. A safe workplace is not just one that is physically safe, but also psychologically safe. Security and privacy leaders cannot tackle this alone; it requires a coordinated effort and approach across your business. Security and privacy leaders can take the lead in championing employee privacy and focusing on how data handling policies and controls affect the employee experience.
What tools, processes, and measures are most important for data protection and privacy?
Know your data, mainly what it is that you have and its location. You cannot protect what you don’t know you have. It’s also important to understand why you have this data, and the appropriate use of this data. Understanding what you have and where it lives is the foundation for effective governance and controls for data protection and privacy.
Processes and tools to support sensitive data discovery and classification are critical to helping establish this foundation. When you know your data, you will be in a better position to manage its lifecycle (appropriate handling, use, storage, retention) and determine the proper measures and controls you need to have. These measures and controls may be dictated by business, contractual, or regulatory requirements.
How do you recommend keeping data protection and privacy top-of-mind for employees, staff, and students when new threats are popping up daily?
Your organization can and will be targeted in many ways. Help employees, staff, and students recognize an array of likely threats like phishing and social engineering and its consequences. Empower individuals with guidance about cybersecurity awareness, privacy, and appropriate data handling that is relevant to their current situation and environment. Please don’t assume that people will know what to do and how to do it, whether that is enabling two-factor authentication or setting access permissions for a shared document. For employees and staff, data handling practices are an essential partner for your technical controls. Peoples’ actions are an important line of defense.
What do you recommend for organizations that face measures that are intended to control the pandemic but undermine data privacy and security?
Organizations everywhere are taking measures to ensure their workforce’s health and safety. While this is a key priority, it includes collecting, processing, and storing employees’ sensitive data — such as body temperature or medical history – which has implications for employee privacy. And regardless of the approach — mobile app, wearable device, badge card, or manual methods — contact tracing is another measure that comes with significant privacy challenges. Assessing the specific risk to your organization requires a detailed understanding of data protection rules and labor laws in every location your business operates.
In terms of handling this type of employee data:
- Maintain the data collected for this emergency separate from existing employees’ files
- Ensure that health-related communication only transpires through defined channels
- Be clear on which policies apply
- Collect and share only the data that is strictly required to trigger specific policies
- Allocate data access only to specific individuals and educate them on data-related risks
- Set retention policies that reflect the emergency nature of the data collection and make it binding for your organization as well as every third party involved in this project.
What has surprised you about data privacy and security amid the pandemic? Even if we do go back to some semblance of normal, what lessons can people take back to their organizations when they return to the office?
Not much in terms of surprises. What I found encouraging was how some companies made sure to include data privacy and security as a core part of the digital transformation efforts that they accelerated at this time. This has to continue. The critical lesson is to continue to strive towards building capabilities that enable your business to:
- Know your data
- Protect your data regardless of where and how your employees need to access that data
- Protect your data wherever it needs to go
Be transparent with employees about the data you collect, how you intend to use it, and how long you are going to keep it.
This will help to support a flexible and agile work environment while maintaining robust data privacy and security – whether your employees are working inside or outside of the office.