Modern workforce: Information security for the 21st century business
When the in-person operations of many companies were mandated to close to slow the spread of COVID-19, businesses got creative. The most popular approach was to implement telework or remote work arrangements, a change expected to stay once businesses resume normal operations. However, if remote work programs continue, it is imperative employers are aware of the privacy and data protection risks they will encounter.
Smart Business spoke with Megan E. Stamm, an attorney at Semanoff Ormsby Greenberg & Torchia, LLC, about how businesses can better protect their information as more employees work outside the office.
How does working remotely create privacy and security issues?
When employees access business information from multiple locations, the information is being retrieved by various servers and networks that may not be secure. In order for business information to be safe from unauthorized users, each employee’s home network needs to be secure.
If a company stores personal information on an unsecure network, a third person can access that personal information and steal an employee’s or customer’s identity, drain bank accounts, sell this personal information to other individuals, and generally cause chaos.
Personal information is not the only valuable information stored on business networks. Customer or client lists can be valuable assets to steal.
What are the legal consequences of a breach?
Some states have implemented privacy laws that protect the use of personal information. These privacy laws hold companies liable if their systems are breached and result in consumer information being accessed.
Pennsylvania’s Breach of Personal Information Notification Act requires entities to notify any affected residents of a security breach involving personal information. Although the Pennsylvania act does not penalize an entity for the breach (unlike California), notifying each affected resident can be costly to the business. The amount of liability in each circumstance will depend on the business’ safeguards and security measures, how the business remedied and mitigated the damage, and whether affected individuals were notified.
How can businesses better protect their information?
To better protect information from data breaches, businesses should provide employees with company computers/devices to use at home. Although expensive, this will ensure the device is automatically updated and protected with proper firewalls, anti-virus software and encryption technology. If this is not possible, require all employee devices to be updated and installed with proper software or meet with IT to verify the devices are protected.
Businesses can also utilize virtual machine software to only allow employees access to particularly sensitive data from within this virtual setting, allowing the data to be stored only on the company’s systems.
Two-factor authentication should be required for email and other logins. This adds an extra layer of security by utilizing two login credentials that fall into three categories: something you know, such as a password or PIN; something you have, such as a phone number or key fob; and something you are, such as biometric data.
There should also be procedures put in place to mitigate security breaches. Install features that can remotely render business data unreadable — through encryption software, for instance — and automatically back up or upload saved information to the cloud so that if a device goes missing, saved files can still be accessed.
Also, require employees to only use secured Wi-Fi networks. Unsecured networks, such as public Wi-Fi, are risky because it’s unclear who is using them or who has the ability to access a device from the shared Wi-Fi.
Companies should also distribute privacy policies and train employees on safe searching practices so they don’t fall for phishing scams, download viruses, or inadvertently disclose sensitive or confidential information. This training can benefit employees personally, as information security is just as important for the individual as it is for the company.