By Allen Drennan, Co-Founder & Principal, Cordoniq
Addressing the security challenges associated with remote work is critical for today’s Chief Information Security Officers (CISOs). Along with data breaches and ransomware attacks, another top concern is whether company data, customer data or other sensitive information is being exposed when it is shared through remote work environments.
Data theft is climbing rapidly. A recent report from Identity Theft Resource Center shows that 2023 is on pace to set a record for the number of data compromises in a year, passing the all-time high of 1,862 compromises in 2021. Also, IBM reports that the average cost of a data breach in 2023 is $4.45 million, a 15% increase over 3 years.
Tools that make remote work easier have increased data breach risks. The significant increase in devices and networks has also expanded attack surfaces. Data storage, including information collected and stored by various cloud applications, adds even more uncertainty.
Meanwhile, heightened cybersecurity regulations are making it more imperative to protect data in order to meet strict compliance regulations such as General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Digital Operational Resilience Act (DORA), Sarbanes-Oxley (SOX), or California Consumer Privacy Act (CCPA).
Data encryption is a critical part of securing data. However, the type of encryption may vary depending on the software application. It’s crucial to understand how your data is being protected in different instances.
Data Collection and Storage Concerns
Data collection and storage are more complex now than ever before. Data is used and stored in many locations, including devices, the cloud, databases, on-premises systems and data centers. Meanwhile, data exists in three different states (data at rest, data in motion and data in use), and a given piece of data can change state quickly depending on how it is being used or accessed. Comprehensive data security strategies must address all of these states and locations.
The widespread use of third-party cloud and SaaS applications adds another layer of complexity to many environments. Organizations must be aware of how data is protected by the third-party apps they’re using.
Applications do not always protect data in each of these states. For instance, some off-the-shelf products for collaboration and communication state that they provide encrypted communications, but in some cases the application only encrypts data in motion (the network connection between client and service).
Data at rest may not be encrypted at all by some apps, and data stored in a third-party cloud may not be adequately protected. Some video conferencing and collaboration tools, for example, do not give the customer full control over where data at rest is stored.
Many software products don’t offer encryption for all of their cloud services. As a result, data such as audio and video files or recordings, documents or other media could be at risk depending on how and where they’re stored. This can provide hackers the means to access customer data, company secrets, or other sensitive information.
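The defensive response to a tool that only encrypts data in motion is to encrypt data at rest yourself, under a key the organization holds, before handing the object to the third-party store. The following is an added example written for this article (it is not Cordoniq's code or any vendor's API) showing that pattern in Go with AES-256-GCM from the standard library: the object name is bound as associated data so a ciphertext cannot be silently moved to a different object, and any tampering or use of the wrong key is detected on decryption. The object name and file contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newDataKey generates a random 256-bit key that stays with the organization.
// In practice this would come from a KMS or HSM; here it is generated in memory
// so the example runs offline.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealAtRest encrypts plaintext with AES-256-GCM before it leaves the device.
// objectName (e.g. the storage path) is authenticated as associated data, so the
// blob is only valid for that object. Output layout: nonce || ciphertext || tag.
func sealAtRest(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// openAtRest reverses sealAtRest. It fails (returns an error) if the key is
// wrong, the blob was modified, or the blob is presented under a different
// object name than it was sealed with.
func openAtRest(key []byte, objectName string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, []byte(objectName))
}

func main() {
	key, err := newDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a meeting recording about to be uploaded to a
	// third-party store that the organization does not control.
	object := "recordings/2023-10-01-board-call.mp4"
	plaintext := []byte("constructed sample recording bytes")

	blob, err := sealAtRest(key, object, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext for %s\n", len(blob), object)

	// The only thing the third party ever holds is blob; recovering the
	// recording requires the organization's key and the matching object name.
	recovered, err := openAtRest(key, object, blob)
	fmt.Printf("decrypt with correct key: err=%v, match=%v\n", err, string(recovered) == string(plaintext))

	_, err = openAtRest(key, "recordings/renamed.mp4", blob)
	fmt.Printf("decrypt under a different object name: err=%v\n", err)
}
```

The key never leaves the organization, so a breach of the vendor's storage, or a vendor that stores recordings in a region you did not choose, yields only ciphertext. Nonce reuse would break GCM, which is why each call draws a fresh random nonce; for very high object counts a key-rotation policy is needed as well.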
Best practices and additional safeguards for third-party apps
Remote and hybrid work environments rely on a variety of third-party apps that provide employees and teams with the tools they need for an engaging and productive experience. But it’s critical for organizations to apply security strategies and additional safeguards to protect their information with third-party apps or SaaS tools.
Some additional security measures to implement for cloud-based applications include the following:
- Apply the principles of zero-trust for data management and storage as part of an overall zero-trust strategy. This includes data stored on devices.
- Limit access to data by using principles of least privilege, access control and comprehensive Identity and Access Management protocols for any type of third-party or cloud-based application.
- Consider tools that allow complete control over where shared data is contained and stored, including tools that support the use of private cloud storage when necessary.
- Provide consistent encryption across devices connected to any company infrastructure, network or cloud application.
In addition, perform complete due diligence and follow best practices for vendor risk assessment when considering any third-party software. Every third-party software application should be reviewed by internal security teams to make sure it meets company standards. Organizations should prefer software that is secure by design, meaning software with security built in from the start rather than added as an afterthought.
It’s also important to apply the software vendor’s recommended security updates and other software updates promptly, and to monitor any other changes in the vendor’s performance. Finally, be certain you understand how and where any software application is storing – and using – your data and information.