By all current data and projections, the distributed workforce is no longer a trend but a permanent adjustment to new technologies and employee preferences. While permanent remote and semi-remote arrangements track well with increased productivity and employee satisfaction, they introduce cybersecurity and information security risks that many organizations are still struggling to mitigate.
When businesses shifted in haste to remote work during COVID-19 restrictions in the spring of 2020, the proliferation of millions of new remote access points to corporate databases and applications precipitated a 600% spike in global cybercrime that persists to this day.
For businesses that handle sensitive or regulated private information – a legally defined category of data known as personally identifiable information – hardening systems and practices against escalating and increasingly varied threats has become a critical priority.
According to the U.S. General Services Agency (GSA), personally identifiable information (PII) is any form of information – either a single data point or an inference from an aggregate of data points – that allows third parties to trace and pinpoint an individual’s identity. The GSA declines to specify a set of information categories that constitute PII, leaving interpretation and responsibility to organizations that handle potential PII.
To limit the risks of exposing PII to third parties, organizations can enforce PII policies that regulate how employees handle sensitive information.
Generally, these policies aim to restrict unnecessary access to PII through monitored authorizations and to prevent the storage and exchange of PII on public-facing applications and through email. Commonly adopted guidelines for PII policies include the following:
Securing PII from public breach involves a two-pronged approach encompassing technologies that protect information from outside attacks – cybersecurity – and practices that reduce the risk of unintentional exposure – information security.
Cybersecurity tools used to prevent criminal ingress include a wide variety of software and hardware components such as firewalls, intrusion detection systems, and various system activity monitoring devices. Of these, one of the most powerful is a simple identification process known as multi-factor authentication.
In short, multi-factor authentication refers to any access protocol that requires two or more user-identifying data points for successful authentication. According to recent studies, consistent application of multi-factor authentication throughout an organization effectively blocks 99% of automated cyberattacks and, correspondingly, 99% of compromised accounts lacked multi-factor authentication.
To address the specific needs of the distributed workforce, cybersecurity measures should also focus on securing all types of remote devices used by employees to access systems containing PII. Such measures include:
In contrast with cybersecurity, information security addresses employee and organizational practices that mitigate the risk of information breaches. As such, information security is primarily a matter of training and reinforcement. While it may sound simple, the data suggests otherwise.
Studies continue to reinforce the importance of strongly enforced and reiterated information security, as 88% of data breaches originate with human activity. Currently, the single most important threat vector to focus on in employee information security training is the use of email.
Email phishing scams – emails making false representations with requests for information or links to malware infections – are the initial point of failure in 90% of successful cyberattacks. Preventative training for employees should focus on scrutinizing sender addresses and URLs before interacting with them in any way. Additionally, employees should know never to exchange PII over email, even with trusted correspondents.
Secondary information security practices should enforce:
FileInvite’s SOC-2 Type-2 compliant file sharing and document portal platform gives organizations a strong line of defense against data breaches. By eliminating the need for employees and clients to exchange documentation over email and offering 256-bit end-to-end encryption for all files in transit and at rest, FileInvite enables sound information security practices for your organization.
To learn more and request a demo, visit FileInvite today.