Addressing new data risks in the next-gen workplace

By Written by Jon Fielding, Managing Director EMEA, Apricorn

In this new decade, organisations will face a fresh management challenge: how to fully engage and get the best from a workforce that encompasses four different generations working side by side. Each has its own set of expectations, skills, values, experience and priorities – as well as diverse attitudes to work, and how it ought to be carried out.

This multi-generational environment will bring new and enhanced risks to the security of data. Organisations need to figure out how to manage data protection in an environment within which employees possess wide ranging technology skills and levels of cybersecurity awareness.

Meanwhile, trends driven by ‘digital natives’ such as flexible working and bring your own device (BYOD) are becoming the norm, exposing the business to data breaches and losses.

In a 2019 survey carried out by Apricorn, half of the organisations surveyed said they expected their mobile or remote workers would expose them to the risk of a data breach, while 47 per cent said corporate data had been knowingly put at risk by mobile workers in the last year.

The same research confirmed that most businesses let employees use their own devices in the office and on the move, yet only one in 10 takes measures to ensure these are corporately provisioned and approved.

Rethink and redesign

Most businesses have wised up to the fact that policing the way employees work, or trying to limit the movement of data to reduce the risk of a breach, will only inhibit productivity. It can even end up increasing the risk, driving employees to fly under the radar, for instance by bringing their own devices in out of sight and beyond control.

Instead, protecting the enterprise in the multi-generation workplace requires a reshaping of security strategies, cultures and policies to address a wide range of risks and behaviours.

Gaining a sound understanding of how the workforce is made up, and what employees of different ages need and expect, will be beneficial – but delving too deeply into this, and attempting to create separate cybersecurity plans tailored to different generations will only introduce unnecessary complexity.

Instead, the optimal way to safeguard data in a highly diverse working environment is to build a strong baseline foundation of best practice that everyone understands and knows how to apply. This knowledge should be underpinned by appropriate tools and policies.

Enable and educate

As employees increasingly work on the move, it will become a monumental challenge to provide secure access to corporate networks and data, and safeguard information when it’s outside of company systems.

Specific policies should be put in place that set out the steps all employees are expected to follow when they work offsite, or use their own devices and tools for business purposes.

These will remove all doubt, and keep information safe wherever it’s being held, shared or transported, while enabling people to work productively and efficiently. This should include implementing and enforcing an organisation-wide approach to the use of all forms of removable media and mobile devices, including smartphones and laptops.

Educating employees at all levels in good security hygiene is essential, to ensure everyone has an awareness of the importance of data protection, and has the capability to keep data safe. Regular skills training and knowledge refreshes for all staff are vital. Topics covered should extend beyond how employees need to behave or apply technology.

If employees understand the value of the data they handle, and the specific costs involved in data loss or breaches – both in financial terms, and to the company’s reputation – this will help to forge a culture where everyone understands the importance of cybersecurity and commits to playing their part in it.

Ongoing communication is also essential. The whole organisation should be encouraged to ‘talk security’, sharing ideas and feedback that will help cybersecurity teams to understand and drive overall business goals, and ensure employees can perform their roles effectively.

Lock it down

Two thirds of organisations now hardware-encrypt all information as standard, up from just half in 2018, according to Apricorn’s survey. Encrypting data end-to-end, both when it’s at rest and on the move, renders it unintelligible to anyone not authorised to access it; only those possessing the decryption key can do so. This is especially valuable when employees are mobile working.

Article 32 of GDPR specifically recommends “pseudonymisation and encryption” as a means to protect personal data. Additionally, Article 34 notes that if a breached organisation “has implemented appropriate technical and organisational protection measures such as encryption”, it is exempt from notifying the affected data subjects and the resulting administrative costs.

Software can do the job, but hardware encryption is seen as the more secure method. The use of removable storage devices with hardware encryption capability built in will eliminate some elements of the ‘human risk’, as the entire process takes place securely within the device itself. Their use can be enforced by locking down USB ports to accept only corporately approved, FIPS-certified, hardware-encrypted devices.

Seek a different skillset

With the cybersecurity skills shortage biting hard, and an increasing expectation that IT will help drive the goals of the business, enterprises must look outside the industry to recruit the right people.

The most effective way to defend a diverse business against cyber-threats is to build a diverse security team, equipped with a range of different skillsets and experience – including business acumen, and the ability to communicate, collaborate and lead. IT leaders should consider recruiting talent from other departments, and also from other sectors.

It may seem counter-intuitive to recruit non-specialists to a specialist role, but when it comes to cybersecurity, an understanding of the basic, best-practice fundamentals is most important. If somebody has a solid grounding in good security hygiene, and they’re willing to learn, the technical knowledge they need can be built from there.

The workplace of the ‘twenties’ will require organisations to take a new approach to protecting data. A common foundation of policies and tools that standardise the way employees treat corporate data, combined with the use of encryption, will ensure the business can embrace the considerable benefits of an evolving workforce and working practices without increasing risk.