Majority of organisations lack a robust identity access management strategy for hybrid office, says BSI
Access controls need to include response plans that can be activated whenever an incident occurs
16 November 2020
Research by the cyber security and information resilience team at BSI has revealed that 41% of organisations are lacking a robust identity access management process for the new hybrid office dynamic.
Currently, the hybrid working model, a mix of office and home working, switches between the two as guidelines change, and it can present a range of data governance challenges. Depending on the technological infrastructure, an access management strategy can include appropriate access control policies, groups, multi-factor authentication and properly configured remote access technologies.
With government guidelines and restrictions meaning continued remote working for many organisations, data governance has never been so important. This involves the continual protection of an organisation’s own data and that of its clients, to safeguard it against a dynamic and complex threat landscape.
Stephen Bowes, global practice director for data management & security technologies, BSI said: “Having a robust identity access management policy is essential, especially with employees continuing to work away from the office environment. Regulations and evolving legislative frameworks mean that information resilience, which covers cybersecurity, privacy management, data protection and compliance with regulation, is crucial. Organisational access controls need to be robust and this includes having a response plan in place that can be activated whenever an incident occurs.”
Data privacy compliance
Pandemic public health guidelines require additional data protection considerations, such as protecting employees’ personally identifiable information (PII) when performing on-site health or temperature checks, contact tracing, processing health data and data subject access requests, and communicating all Covid-19 related data protection implications or changes to employees.
Focused on data protection, the BSI research revealed that a third of organisations believed that their data protection was insufficient in this regard, while only 19% of respondents felt confidently prepared to comply with privacy regulatory requirements in the current hybrid working environment.
Bowes said: “Data protection needs to be a core focus across all organisations regardless of their size and where their employees are working – virtually or in office. It means knowing what data you are trying to protect and having the assurance that it is being protected 24/7 and that data privacy compliance is in place at all times.
“Right now, data may be recorded and collated in different ways so it’s vital that processes are reviewed and adapted regularly to ensure they are in line with regulations. Likewise, how Covid-19 related data protection implications are impacting an organisation needs to be communicated regularly and efficiently, and this is where companies may be struggling right now due to remote working.”
Two-thirds of respondents to the BSI research said they were unprepared when it came to vulnerability management, which could expose external-facing assets to cyber-attacks. In contrast, 75% of companies highlighted their preparedness in asset management, which includes re-evaluating bring your own device (BYOD) policies and ensuring that all non-inventoried assets are correctly logged.
Bowes said: “Understanding what assets or devices you have, where they reside, their security levels and password update requirements is essential and it’s good to see that organisations do well in this area. However, the unpreparedness with vulnerability management is very concerning as this ultimately dictates how strong your cyber security posture is. Poor vulnerability management can lead to data breaches which may lead to regulatory fines. Those struggling in this area need to be evaluating their patching postures, managing legacy systems, vulnerability scanning and pen testing planning around information management.
“Working on improving security and data hygiene is about protecting data and people and implementing security and awareness training programmes to support it. Companies need to ensure they have the right people, training, tools, and techniques in place to maintain and strengthen their information resilience as we continue working remotely,” concluded Bowes.