John Michael, CEO, iStorage looks at how managers should be securing their business data to ensure the highest levels of security when permitting flexible modes of working.
The dynamic of the workplace has shifted. A hybrid or flexible model has become the preferred method of working for millions of employees, with remote capabilities allowing greater freedom to collaborate and innovate outside of the confines of the 9-5 office. Research into the attitudes of working professionals about the move to remote working as a result of the Covid pandemic found that over half of employees work remotely once a week with 74% of professionals expecting remote work to become standard. A significant 97% of employees do not want to return to the office full-time.
Yet, despite remote working creating various opportunities and benefits for employees and employers alike, the flexible model raises questions about the vulnerability of data and calls into question its security. Rising cybercrime and the emergence of ‘ransomware-as-a-service’ means that the safeguarding of company and personal data has never been more critical. Constantly carrying sensitive data between locations such as home, fixed office and even a co-work space, and using unsecured personal networks, could place companies at huge risk. It is therefore imperative, if the hybrid model is to succeed over the longer term, to consider how security hygiene can be improved.
Transporting files securely
Stories about laptops being left unattended on public transport make news headlines with alarming frequency. Transport for London revealed that an average of two laptops are left on the London Underground every single day. The increase in flexible working means a corresponding increase in the number of devices that are potentially on the move, rather than being kept at a permanent desk within a fixed office. The likelihood of a device being left, or stolen, therefore dramatically increases.
To minimise risk and maximise protection it’s essential to consider encrypting files both in transit and at rest, so that if a device does fall into the wrong hands, the data it contains cannot be accessed or viewed. By encrypting data, businesses can enhance the security of their files as well as any communications that take place between client apps and servers.
Encrypting data in the cloud
The cloud is often the preferred option for remote workers to connect and collaborate. However, cloud security is a concern, meaning that a business might hesitate to utilise its services for the storage of highly confidential information. To ensure data privacy when faced with common threats such as DDoS and malware attacks, data must be encrypted. Yet, this requirement for encryption cannot be dependent on the cloud service provider (CSP). With server-side encryption, the encryption key is stored in the cloud and thus accessible to hackers and cloud staff alike.
The user needs full control of the encryption key in order to ensure the data is kept confidential even if the cloud account is hacked via, for example, a phishing email. Having a key management system will not only provide more control of encryption keys but it’s also more convenient for those using a multi-cloud solution. Therefore, removing the encryption key from the cloud and physically storing it within a PIN authenticated external USB module will allow users to access data stored in the cloud, while also being able to securely encrypt information from a local computer, a network drive, or sent via email or file sharing service.
Authorising access and centralising management
Businesses need a clear procedure that all staff must follow to uphold adherence to data protection regulations. Multifactor authentication is a highly recommended best practice for data protection compliance. If a hacker were to obtain a cloud user’s credentials, the breach would go unnoticed to the cloud service provider as it wouldn’t be able to differentiate a legitimate user from an attacker. The encryption module increases security measures to as much as five-factor authentication.
Use of an encryption module by authorised staff will contribute to reducing the risk of data loss due to human error. Yet, this does not entirely eliminate the possibility of such an occurrence. For example, an individual may lose the encryption module or be dismissed and keep the device. This is where central management is needed. Those responsible for cloud and data security in the organisation should be able to monitor file activity, set geo-fencing and time-fencing restrictions, encrypt file names and disable users’ access to data remotely.
Backing up sensitive information
Finally, regularly backing up encrypted files is essential best practice. Using a 3-2-1 strategy, for example, means having at least three total copies of the data, two of which are local but on different mediums, and at least one copy stored off site. This ensures that businesses always have an up-to-date record of their valuable information, and that even if it falls into the wrong hands, it remains safe and secure.
Consideration should also be given to the means of data storage. A PIN-authenticated, encrypted USB flash drive or HDD/SSD with an on-device crypto-chip and AES-XTS 256-bit hardware encryption offers the highest levels of protection for sensitive company data. Adding an extra layer of security, such as a secure microprocessor that is Common Criteria EAL5+ Certified, brings into play built-in physical protection mechanisms which have been designed to prevent a wide array of cyber-attacks. It is also worth noting the importance of using a secure Wi-Fi connection, and checking that all security software is up to date to defend against attack.
Such considerations and processes will go a long way towards eliminating security risks and helping managers gain fuller visibility of the access and use of data by those working remotely. Retaining full responsibility for data encryption and management will contribute to maintaining business continuity, upholding compliance to data protection regulations and eliminating any complexity associated with flexible working models, resulting in peace of mind and safer data.
Learn more about data security:
John Michael, CEO, iStorage
After constantly reading about increasing data loss incidents, iStorage CEO and Founder, John Michael, saw this was clearly a growing problem with damaging consequences and identified a huge gap in the market to establish a business offering ultra-secure, easy-to-use and affordable data storage devices. Applying his 35 years’ worth of knowledge and experience within the data storage space enabled John to come up with ideas for products that would resolve such problems.