Research¹ by the cybersecurity and information resilience team at BSI has revealed that 41 per cent of organizations lack a robust identity access management process for the new hybrid office dynamic. Currently, the hybrid working model mixes office and home working, used interchangeably depending on guidelines, and can present a range of challenges for data governance management. Depending on the technological infrastructure, an access management strategy can include appropriate access control policies, groups, multi-factor authentication and properly configured remote access technologies.
With government guidelines and restrictions meaning continued remote working for many organizations, data governance has never been so important. This involves the continual protection of an organization’s data and that of its clients to safeguard it against the dynamic and complex threat landscape.
Stephen Bowes, Global Practice Director for Data Management and Security Technologies at BSI, explains: “Having a robust identity access management policy is essential, especially with employees continuing to work away from the office environment. Regulations and evolving legislative frameworks mean that information resilience, which covers cybersecurity, privacy management, data protection and compliance to regulation, is crucial. Organization access controls need to be robust and this includes having a response plan in place that can be activated whenever an incident occurs.”
Data privacy compliance
The pandemic public health guidelines require additional data protection considerations, such as protecting employees’ personally identifiable information (PII) when performing onsite health or temperature checks, contact tracing, processing health data, handling data subject access requests or communicating all COVID-19 related data protection implications or changes to employees. Focused on data protection, the BSI research revealed that a third of organizations believed that their data protection was insufficient in this regard, while only 19 per cent of respondents felt confidently prepared to comply with privacy regulatory requirements in the current hybrid working environment.
Stephen said: “Data protection needs to be a core focus across all organizations regardless of their size and where their employees are working – virtually or in office. It means knowing what data you are trying to protect and having the assurance that it is being protected 24/7 and that data privacy compliance is in place at all times.”
“Right now, data may be recorded and collated in different ways so it’s vital that processes are reviewed and adapted regularly to ensure they are in line with regulations. Likewise, how COVID-19 related data protection implications are impacting an organization needs to be communicated regularly and efficiently and this is where companies may be struggling right now due to remote working.”
Alarmingly, 66 per cent of respondents to the BSI research highlighted that they were unprepared when it came to vulnerability management, which could expose external-facing assets to potential cyber-attacks. In contrast, 75 per cent of companies highlighted their preparedness with asset management, which includes the re-evaluation of bring your own device (BYOD) policies and ensuring that all non-inventoried assets are correctly logged.
Stephen said: “Understanding what assets or devices you have, where they reside, their security levels and password update requirements is essential and it’s good to see that organizations do well in this area. However, the unpreparedness with vulnerability management is very concerning as this ultimately dictates how strong your cybersecurity posture is. Poor vulnerability management can lead to data breaches which may lead to regulatory fines. Those struggling in this area need to be evaluating their patching postures, managing legacy systems, vulnerability scanning and pen testing planning around information management.”
“Working on improving security and data hygiene is about protecting data and people and implementing security and awareness training programmes to support it. Companies need to ensure they have the right people, training, tools, and techniques in place to maintain and strengthen their information resilience as we continue working remotely,” concludes Stephen.
The Consulting Services team at BSI provides an expansive range of solutions to help organizations address challenges in cybersecurity, information management and privacy, security awareness and compliance. For more information visit bsigroup.com/cyber-ie