Data Protection Risks of Working from Home 

The shift towards remote work, accelerated by the COVID-19 pandemic, has introduced various data protection challenges. Although some companies, such as Boeing and UPS, have made high-profile calls for workers to come back to the office five days a week, distance working is now an accepted reality in many industries. As employees continue to work from home, organizations must address the risks associated with the use of personal devices, unsecured networks, and other factors that could compromise sensitive information.

Personal Devices

Remote work has normalized the use of personal devices, such as laptops, smartphones, and tablets, for accessing corporate data. These devices may not have the same level of security as company-issued hardware, making them more vulnerable to cyber threats. Without proper security configurations, personal devices can be exploited by hackers, resulting in unauthorized access to sensitive information.

An obvious first step in mitigating this risk is to keep work and personal devices separate. Use of personal devices for work activities puts company data at risk in a number of ways:

  • Most personal devices do not enjoy the same security standards as work devices and may even be already infected with malware.
  • Accessing personal accounts on a work device, even briefly, could lead to targeted phishing attacks or accidental data leaks.
  • If a personal device that has been used for work purposes is lost or stolen, it will almost certainly contain sensitive data that could be costly to the company if exposed. This is particularly risky given that personal devices are often not as strongly protected as a work-issued computer, tablet, or smartphone.

The best solution is to implement a policy whereby dedicated work devices are used only for job duties. Non-work-related software and apps should never be installed on them, and other people should not be allowed to use them.

Alas, in some circumstances a policy like this may not be financially feasible. In situations where employees must use a personal device for work, the company’s IT department should be consulted first. Many companies have successfully implemented a “Bring Your Own Device” (BYOD) policy that requires specific security precautions, including the installation of remote management software which enables full disk encryption, and the storing of work data in a separate user profile or virtual machine.

To mitigate the risks, companies must put in place security policies that require personal devices to comply with specific security standards before being used for work purposes. Examples include requiring employees to install antivirus software, the use of strong passwords, and the enabling of encryption on their devices. 

Virtual Private Network 

A virtual private network (VPN) is essential for all remote workers. A VPN encrypts the internet connection and routes it through a secure tunnel, hiding the IP address and online activity from hackers and the internet service provider.

A VPN allows employees to access company networks and servers as if they were on-site. This allows for the secure use of internal applications and file shares without exposing them to the internet.

Public WiFi 

Working from cafes, libraries, and other public spaces which involve connecting to public WiFi networks is to be avoided. Public WiFi resources present a significant risk of data exposure. These networks are commonly unsecured, making it even easier for hackers to intercept communications between the employee’s device and the corporate network.

Should an employee have no other choice but to use public WiFi when accessing company resources online, the use of a VPN should be required as a minimum. Organizations should also offer guidance on the identification of potentially unsafe networks.

Stolen or lost devices

Working remotely increases the probability of devices being lost or stolen. If the devices are not properly secured this can put company data at risk. 

Businesses should require their employees to use strong, multi-factor authentication (MFA) to access their smartphones, laptops, and tablets. Encryption should also be made mandatory in order to ensure that even if a device is lost or stolen, the data stored on it remains protected. 

Remote wipe capabilities should be implemented, permitting IT administrators to delete data from a device that has been reported lost or stolen.

Protecting data at home

Home life poses data protection risks due to the presence of shared or unsecured networks, multiple users of a device, and the potential for physical observation by unauthorized parties. Unlike office environments, the average home lacks the necessary security measures to safeguard sensitive information.

To tackle these concerns, companies should offer training on best practices for securing home networks, including changing default router passwords, enabling encryption, and employing separate WiFi networks for all work-related activities. Staff should also be encouraged to avoid sharing devices with their partners or family members and to log out of work accounts when they are not in use.

“Does this look legit to you?” 

Cybercriminals have become adept at exploiting the uncertainties surrounding remote work through phishing and social engineering attacks. Receiving fraudulent emails or messages that appear to be from legitimate sources can prove to be all the more risky for those working from home. 

Employees working from home may be more reluctant to ask for a second opinion regarding a slightly dodgy email than they would be in the office; in an office environment, they would simply ask a trusted colleague at the next desk to take a quick look at an email that they find suspicious. 

Regular security awareness training should be provided for employees to address the dangers of phishing and social engineering attacks. Employees must be able to recognize suspicious emails, verify the sender’s identity, and report any phishing attempts to their IT department.

Compliance 

Remote workers must maintain compliance with data protection regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The regulations require a high level of protection of personal data regardless of where employees are located.

To remain compliant, companies need to ensure that remote work practices align with regulatory requirements. Data protection measures such as encryption, secure data storage, and regular audits of data handling practices must be adequately adapted and enforced for distance workers. Privacy policies may need to be updated to reflect any changes in data processing practices due to remote work.

Collaboration tools

Video conferencing software, cloud storage, and instant messaging platforms are part of the everyday life of the remote worker. Although these tools are invaluable in the facilitation of communication and productivity, they also present new data security risks if not properly managed.

Collaboration tools that offer strong security features, such as end-to-end encryption and access controls, should be chosen. Employees should be educated in the use of these tools, which should be utilized for work-related purposes only. Equally, sensitive information should not be shared through unapproved channels. Timely updates and patches need to be applied to ensure that collaboration tools remain secure.

Remote work security policy

Organizations should implement a comprehensive security policy in order to address the various data protection risks associated with remote working. This policy must outline the security measures that employees need to follow when working from home. As a minimum, this should include guidelines on device security, network usage, and data handling practices.

Transparent procedures for reporting security incidents (such as lost or stolen devices, suspected phishing attacks, or unauthorized access to company resources) should be put in place. Routine training and communication are essential in ensuring that employees are aware of and adhere to the security policy.

The shift to remote working has presented new data protection challenges that organizations need to address to safeguard sensitive information. By implementing security measures for privately owned devices, securing network connections, and providing training on phishing threats, companies can mitigate the risks. A well-defined remote work security policy will help ensure that employees can work remotely without compromising data security.

Photo credits: Pakin, AdobeStock.com


Posted by

Eoin Campbell

Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified lawyer. Eoin has moved from practicing law to lecturing. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data privacy. He is an expert on data privacy laws.