Just three months into 2023, two developments are demanding urgent attention from data privacy professionals to review and update their data protection practices.
Firstly, the adoption of a post-pandemic hybrid working arrangement by numerous organisations; and secondly, the phenomenal speed with which ChatGPT has taken the world by storm.
The advent of AI technologies creeping into the workplace is a double-edged sword. Many of these new applications are unique, from small startups, which may not have any privacy-centric objectives or practices, and are quickly becoming integrated into work processes.
This is where data protection and data governance officers may want to urgently declare what constitutes safe, responsible and ethical use of AI tools. On the other hand, established firms' AI augmentation of processes and applications can assist overworked and understaffed data protection functions in handling new risks and incidents more effectively.
A recent study has shown that remote working arrangements can lead to higher risks of data breaches, particularly when there are no supporting practices in place to ensure a secure distributed work and data processing environment.
The Cost of a Data Breach Report by IBM in 2022 revealed that the global average total cost of a data breach had risen to a record US$4.35 million, with costs rising by nearly US$1 million when remote work was a factor in causing the breach. Additionally, organisations with a remote workforce took an average of 58 days longer to identify and contain a breach than office-based organisations.
Furthermore, employees who use their work devices for personal tasks can increase the risk of phishing attacks and malware infections. While some organisations have returned to full-time office work, others have embraced a fully remote arrangement, and some have implemented a hybrid model.
Regardless of the chosen arrangement, it is crucial for organisations to invest in modern cybersecurity measures, such as multi-factor authentication, regular software updates, and employee education, to ensure that their remote workforce is adequately protected.
Organisations must also establish policies around using personal devices for work purposes and implement technology to monitor and prevent the use of shadow IT. Remote workers should have access to encrypted communication and file-sharing tools, and regular backups of data should be made to prevent data loss in case of a breach.
In short, remote working comes with increased cybersecurity risks, but with the right measures in place, organisations can still reap the benefits it offers while keeping their data secure.
Employers weigh risks of remote or hybrid productivity
Privacy concerns in remote work environments
One concern is that employees may not have the luxury of a dedicated, undisturbed workspace in their own homes. This can lead to increased risks, such as data breaches when working from home or in a hybrid capacity. Personal devices and unsecured Wi-Fi networks can pose a threat to data security, making it essential for employees to become more data protection conscious. Organisations must address these challenges and raise awareness about the importance of data protection.
Implementing remote work policies and best practices
Sharing a workspace with family members can also lead to inadvertent exposure of personal or sensitive data, making it crucial for organisations to implement a remote working policy that outlines dos and don'ts for employees. Cybercriminals often exploit remote work situations to carry out phishing and social engineering attacks, so employees must be conscious of these threats and adopt safe practices when handling personal data, such as customer data, financial information, and intellectual property. This is to prevent unauthorised access and potential misuse.
Security measures and employee training
Data breaches have influenced decisions on whether to continue remote working, highlighting the need for strong security measures and better staff training. Organisations can implement measures such as providing secure devices, offering regular training on data protection and cybersecurity, and using virtual private networks, VPNs, and other security tools to protect data. Trends in cybersecurity and remote work environments include increased adoption of multi-factor authentication, zero trust architecture and AI-driven security solutions, as well as a growing focus on employee training and awareness programs.
Balancing privacy and productivity in remote work
As an employer, it is important to consider privacy concerns and productivity measurement as part of your data protection and privacy practices. This includes ensuring that staff surveillance is not excessive and implementing standard operating procedures to comply with applicable data protection and privacy laws. Additionally, taking staff out of a secure office environment can bring about additional risks to adhering to good data privacy practices.
Stout infosecurity is insufficient to safeguard data
Many people may think that having a good info security system would shield your organisation from the multiple risks of securing your organisation’s assets and systems. But you can have security without privacy – for instance, where CCTV is used. Conversely, you cannot have privacy without security: a security breach that results in a data breach can destroy privacy.
What this means is that you may have excellent info security, but you may not be compliant with data privacy laws, such as the personal data protection acts found in several ASEAN countries, China’s Personal Information Protection Law (PIPL) or the General Data Protection Regulation (GDPR) that is part of European Union law.
How you can help your people protect personal data
When it comes to training, instead of focusing purely on teaching privacy law, focus on what your staff should do well to protect data while doing their jobs efficiently and effectively.
Technology that elevates human strengths
Human creativity and knowledge will always be imperative for defence. There are now AI technologies such as Microsoft Security Copilot that can augment your IT professionals’ expertise with speed and scale to handle the management of data breaches. More similar tools will soon be heading to the market for data protection officers.
Simplify the complex with new intelligent AI tools
As data breaches unfold, every minute counts. Put policies and codes of conduct in place that key stakeholders are accountable for and are up to date to respond to. Many organisations faced with a data incident are unable to activate the right resources and people in time to contain, and assess the situation.
AI technologies like Security Copilot can help defenders respond to security incidents within minutes instead of hours or days. They assist by delivering critical step-by-step guidance and context, using easy-to-understand natural language investigation and reporting to accelerate investigation and response. The ability to speed up and customise reporting frees up IT and data protection teams to focus on more pressing work.
Catch what others miss
No time or resources to monitor every detail all the time? Your team can now discover malicious behaviour and threat signals that could otherwise go undetected with intelligent tools that track and analyse data behaviours. AI tools can surface priority threats in real-time and anticipate a threat actor’s next move with continuous reasoning based on global threat intelligence. Such tools also complement the expertise of security analysts in areas such as threat-hunting, incident response and vulnerability management.
Address the knowledge and skills gap
A data protection team’s capacity will always be limited by the team’s size and the natural limits of human attention. Build up your data protection office team’s skills with the latest training and deliver in person, via e-learning or in a hybrid form (with both self-paced and live sessions) to cater to just-in-time training needs.
Leverage new AI tools to get timely answers to data protection and security-related questions – from the basic to the complex. These new genres of AI tools learn from user interactions, adapt to enterprise preferences, and can help form the best course of action to achieve compliance and protection outcomes.
An AI-augmented corporate knowledge base allows even new team members to onboard and learns quickly, with context. And the slew of new, easy-to-use conversational AI-enhanced security and data protection tools will enable data protection officers and relevant team members to do more with less.
