With World Backup Day etched into our calendars for 31 March, a timely two years on from the onset of the unprecedented lockdowns brought about by Covid-19, it’s worth taking stock of how businesses have met the challenges for data protection caused by the pandemic.
Despite taking place in difficult circumstances, the lockdowns accelerated a move to remote working and digital transformation – bringing fresh challenges but also many benefits. The realisation that many of us can work productively from the comfort of home has created a far more flexible working environment, especially for those with caring responsibilities or living far from the office.
Remote working has also borne fruit on the digital front, notably by accelerating digitalization and driving new opportunities through technological solutions and data use. There are, however, key challenges to overcome for organizations to build digital trust.
Challenge 1: Securing corporate data
Securing corporate data is easier when staff, data and equipment can be accounted for in physical buildings or designated data centres. Over the past 24 months, corporate environments have been extended into homes, including home networks and personal devices.
The immediate need to remotely enable workforces across the globe resulted in the security of corporate data becoming a secondary priority in some situations. This expanded the threat surface for corporate networks beyond what even the most comprehensive risk assessments would have likely documented previously, as vulnerable home networks and smart devices integrated with office infrastructure.
Another risk was brought about by the rapid rise of online collaboration tools used to enable team communications and video calls. Employees joining meetings at the click of a button created a false sense of security, potentially exposing business and corporate data residing on their machine or network to ransomware attacks.
Challenge 2: Protecting staff privacy
A key challenge was designing privacy into the changes required for staff who were now working from home (in many cases in their bedrooms) – an issue that prevails to this day. Indeed, in a recent LinkedIn poll BSI ran, 22% of respondents said the invasion of employee privacy is the biggest mistake organizations are still making around data.*
The installation of invasive employee monitoring tools such as keyloggers, screenshots or video surveillance platforms to enable monitoring could have given rise to privacy violations. Cameras and microphones on IT equipment could also have infringed on privacy, taking in information on the domestic environment but also other people and children, as well as providing audio-visual cues to health and wellbeing, which normally employers would not be exposed to or have a requirement to collect or process.
Challenge 3: Managing sensitive data
Whether purposefully or not, sensitive staff data has been gathered throughout the pandemic. Data is typically considered sensitive when it pertains to racial or ethnic origin, political views, religious or philosophical beliefs, trade union membership, genetics or biometrics, health, or sexuality. This type of data is particularly protected by jurisdictions around the world, for example under the UK and EU’s GDPR.
The use of monitoring tools, employee surveys during remote working, and general monitoring of Covid-19 infection rates and employee health within businesses (including those who are immunocompromised) led to many organizations holding sensitive data without having the security infrastructure in place to protect it or the appropriate privacy-protecting measures to mitigate risks. This remains a vulnerability for many organizations, with 27% of respondents to the same poll saying lax controls over sensitive data remain the biggest data mistake businesses are making.
Drawing lessons for resilient data
A very large majority of organizations are doing their utmost to learn from the data challenges posed by remote working, but the same poll on issues that continue to exist around data shows that a poor understanding of the cloud (29%) and data not being a board priority (21%) remain concerns. To address these, digital trust ought to become a strategic business priority, with all levels of an organization educated about technology and data best practices.
The imperative of sustaining commercial operations against an avalanche of government-enforced lockdowns meant decisions that might ordinarily have taken years were taken at speed as businesses mobilized for remote working, often without due consideration for the data implications. With businesses finding their feet again, now is the perfect time for them to grapple with these questions and implement robust data policies.
In the first instance, this means carrying out comprehensive risk assessments accounting for everything from cybersecurity to employee privacy, including sensitive data, cross-border data transfers, and data localization. This key exercise will help organizations understand what they are doing well on data as well as identify vulnerabilities and create clear paths to minimizing risk. In undertaking due diligence on remote connections and helping upgrade security policies for remote workers, employees themselves would learn more about data best practices to keep both personal and corporate data more secure.
Given the sheer volume of data generated by day-to-day business activity and the large number of tools and equipment which many organizations are using, knowing where to start can be difficult. Security and privacy requirements should be addressed from a risk-based approach, identifying clear priorities and acting on them to obtain the highest return with limited resources.
Identifying valuable or sensitive datasets (both personal and commercial data) and how they are held and used will likely be among these priorities. While it may seem reasonable to ask staff to provide pandemic-related information like positive test or vaccination status, it may be very hard to justify the collection, retention, and use of this data beyond very limited and time-bound circumstances. With the situation around the pandemic hopefully becoming more normal, businesses should re-evaluate what sensitive data needs to be kept and only retain it where it can be stored securely for essential use.
Last but not least, education must be prioritized. This means regularly engaging employees on data best practices, scheduling meaningful and relevant training sessions for managers and business leaders, putting data on the boardroom agenda or, ideally, all of these. True digital trust is built from the top down and bottom up through regular training and policy re-evaluations.
Many organizations have retrospectively performed assessments on the privacy and security risks introduced by remote working, and those that did will have implemented mitigation measures to reduce those risks. Businesses are undoubtedly in a stronger position now with their data than they were in the early months of the pandemic. But doubling down now by strengthening their understanding of these types of risks will enable organizations to exploit the opportunities that exist to sustain and expand digital trust.
World Backup Day is the perfect opportunity to re-assess the importance of safety and security within data governance and take the next steps in building robust digital trust throughout your business.
* BSI conducted a LinkedIn poll from 10 March to 24 March 2022, which received 433 votes. The poll question was: "Two years on from lockdown and mass remote working, what is the biggest data mistake you think organizations are still making around data?". The answers were: Poorly understanding the cloud (29%); Lax controls to sensitive data (27%); Invasion of employee privacy (22%); and Data not a board priority (21%).