By all current data and projections, the distributed workforce is no longer a trend but a permanent adjustment to new technologies and employee preferences. While permanent remote and semi-remote arrangements track well with increased productivity and employee satisfaction, they introduce cybersecurity and information security risks that many organizations are still struggling to mitigate.
When businesses shifted in haste to remote work during COVID-19 restrictions in the spring of 2020, the proliferation of millions of new remote access points to corporate databases and applications precipitated a 600% spike in global cybercrime that persists to this day.
For businesses that handle sensitive or regulated private information – a legally defined category of data known as personally identifiable information – hardening systems and practices against escalated and variated threats has become a critical priority.
1. Develop a PII Policy
According to the U.S. General Services Agency (GSA), personally identifiable information (PII) is any form of information – either a single data point or an inference from an aggregate of data points – that allows third parties to trace and pinpoint an individual’s identity. The GSA declines to specify a set of information categories that constitute PII, leaving interpretation and responsibility to organizations that handle potential PII.
To limit the risks of exposing PII to third parties, organizations can enforce PII policies that regulate how employees handle sensitive information.
Generally, these policies aim to restrict unnecessary access to PII through monitored authorizations and to prevent the storage and exchange of PII on public-facing applications and through email. Commonly adopted guidelines for PII policies include the following:
- Users should not store PII on publicly accessible web or email servers.
- All requests to access PII should fall under oversight and maintain sufficient logs or audit trails.
- Databases that store PII must conform to industry standards for access and authentication.
- IT staff should have regularly scheduled protocols for removing or disabling any applications that do not comply with the previous standards.
2. Leverage Cybersecurity Technologies
Securing PII from public breach involves a two-pronged approach encompassing technologies that protect information from outside attacks – cybersecurity – and practices that reduce the risk of unintentional exposure – information security.
Cybersecurity tools used to prevent criminal ingress include a wide variety of software and hardware components such as firewalls, intrusion detection systems, and various system activity monitoring devices. Of these, one of the most powerful is a simple identification process known as multi-factor authentication.
In short, multi-factor authentication refers to any access protocol that requires two or more user-identifying data points for successful authentication. According to recent studies, consistent application of multi-factor authentication throughout an organization effectively blocks 99% of automated cyberattacks and, conversely, 99% of compromised accounts lacked multi-factor authentication.
To address the specific needs of the distributed workforce, cybersecurity measures should also focus on securing all types of remote devices used by employees to access systems containing PII. Such measures include:
- Enforced device encryption
- Deployment of a mobile device management (MDM) platform to track devices, automatically push updates, and detect irregular activity
- Required use of virtual private networks (VPNs) for access from mobile devices or over public networks
3. Information Security Training
In contrast with cybersecurity, information security addresses employee and organizational practices that mitigate the risk of information breaches. As such, information security is primarily a matter of training and reinforcement. While it may sound simple, the data suggests otherwise.
Studies continue to reinforce the importance of strongly enforced and reiterated information security, as 88% of data breaches originate with human activity. Currently, the single most important threat vector to focus on in employee information security training is the use of email.
Email phishing scams – emails making false representations with requests for information or links to malware infections – make up the first-line failure in 90% of successful cyberattacks. Preventative training for employees should focus on scrutinizing email addresses and URLs before interacting with them in any way. Additionally, employees should know never to exchange PII over email, even with trusted correspondents.
Secondary information security practices should enforce:
- Locking of laptops and mobile devices as well as logging out of sessions
- Strong account credentials
- Maintenance of updated anti-malware systems on all devices used to access PII
Secure File Sharing With FileInvite
FileInvite’s SOC-2 Type-2 compliant file sharing and document portal platform give organizations a strong line of defense against data breaches. Eliminating the need for employees and clients to exchange documentation over email and offering 256-bit end-to-end encryption for all files in transit and at rest, FileInvite enables sound information security practices for your organization.
To learn more and request a demo, visit FileInvite today.
Related Posts: