Pandemic protection for your IT infrastructure – is your data secure and compliant?
By Johan Scheepers, Country Head at Commvault South Africa
The COVID-19 pandemic forced many businesses to swiftly adapt to a digital world. Working from home is set to become the ‘new normal’ for many workers who previously went into a corporate office environment. But protecting businesses from the effects of the pandemic goes beyond simply keeping employees safe and healthy. In addition to driving a growing work-from-home (WFH) movement, the rapid digital shift also sent cyber crime into overdrive. Businesses that do not prioritise data management in this digital world place themselves at serious risk of security and compliance issues.
Data governance has not changed
Although the physical boundaries of many organisations have shifted to include a remote workforce, the policies around data governance and data protection have not changed. In fact, it is important to be more vigilant than ever, and actively work to extend these policies and processes to the edge.
WFH makes data more vulnerable, because of the many new toolsets it introduces as well as the potential for data to be stored in unsanctioned locations and on unsecured devices. Collaboration tools by their nature require the sharing of data, which can create a sensitive data risk if these tools are not brought into the data management strategy. Remote workers may also be saving sensitive files on their endpoint devices, which further complicates data governance. Endpoints are one of the biggest data risks, especially when it comes to highly targeted spear-phishing attacks.
Access and permissions need to be managed
WFH highlights the risk of data access and permissions – for example, a person may download a file, e-mail it to their personal account, save it on their laptop and then send it to colleagues for comment. This generates multiple versions of files that may contain sensitive information. In turn, this not only creates additional vulnerabilities, but makes compliance with the Protection of Personal Information Act (POPIA) and other data protection legislation like the General Data Protection Regulation (GDPR) practically impossible.
Organisations need to be able to identify sensitive data as well as whether or not employees actually need to be able to access it. It is also important to put policies in place around what can be done with the data if it is permissible to access it. Should employees be able to download it? Where should they be able to save it? How should they be permitted to share it? This is crucial for governance as well as compliance purposes.
On the hotlist
Security and compliance are always essential, but even more so in the current climate. South Africa is a hot target at present, and many large organisations have been hit with ransomware in recent times. Security is obviously paramount, but alongside it is the need to educate users about security risks. An organisation’s network is like an egg – the shell is tough, but once it is penetrated, the insides are an easy target. The WFH movement has simply increased the attack surface, or the soft part of the egg, and bad actors are using this to their benefit to speed up ransomware attacks.
Compliance regulations enforce the protection of company data by law, but the reality is that data management is necessary and beneficial even without the risk of fines and reputational damage. Data protection itself has come a long way over the years and is now offered as a service that runs seamlessly in the background, so it is not an invasive practice. This needs to be combined with a single, cohesive view of data across the organisation, to improve efficiency and mitigate risk.
At the edge
The edge is the most vulnerable point of any network, and with the edge now extended into homes and remote offices, data management is key. This multi-cloud hybrid environment means that data is scattered across locations, so a proper toolset to provide a single view of risk is paramount. If you cannot see your data, you cannot manage it. It is essential to identify data, understand where you are at risk and what your exposure is, and know how to apply regulations to ensure adherence and compliance. Preventing the pandemic from affecting your business is about more than social distancing – you need to look after your data as well.