A recent article in the Times caught my attention. It was discussing the notion of “extreme jobs.” I think most of us can agree that there has been an inexorable increase in pressure on us to always be available, working longer and longer hours and still ready to answer the cell phone for a client or boss until late at night, on weekends and even holidays. Coupled with the ready availability of increasingly sophisticated mobile technology, it is inevitable that many of us will take our work home with us, or at least, outside of the safety of the office environment.

For many of us, that means we’re taking sensitive information with us, and the consequences of losing that data could be catastrophic. One of my current assignments is preparing security training for colleagues working in a large public sector offering. We will be providing this training to highly-skilled and experienced IT professionals, but looking around me, I am reminded that what is obvious and necessary for a security specialist is often an annoying distraction to others at best. We must all remember that the mishandling of confidential information can have serious contractual and even legal consequences for both an individual and their employer.

So, take a look at these 5 simple precautions to make sure you’re not the one making the headlines.

1: Pay attention to the physical security of your laptop on the go: Any attempt to work outside the office almost inevitably means taking a laptop, loaded with project data (including sensitive business and even personal data), while traveling. No matter how you travel, it’s bound to present plenty of opportunities for your laptop to get lost or stolen. It’s fair to assume that, in general, the motive for the theft is to sell the laptop on, rather than a concerted attempt to obtain the data stored on it. However, you should take reasonable care not to advertise that you might be a valuable target. For example, do not use your company pass outside the building. The risk is higher when you have to leave the laptop unattended:

  • While driving, keep your laptop out of sight in the trunk of your car.
  • When staying at a hotel, store your laptop in a safe, if one is provided in your room.
  • When using the notebook in a public place, secure the notebook with a Kensington lock.

2: Use full disk encryption to protect your data: If your laptop is lost or stolen, the cost to replace the hardware is relatively minor, and you’re insured anyway, right? The real cost of the incident is the loss or disclosure of sensitive information stored on the laptop. To protect against this, you should install full disk encryption software. This ensures that all data on the laptop’s drive is encrypted when the laptop is turned off. Only when the laptop is powered on and the authorized user completes pre-boot authentication is the data on the drive decrypted and available for use. Commercial software is available through a number of well-known vendors, including PGP and DESlock. You should be aware that unless you are careful, even the authorized user may not be able to decrypt the data on the disk. You must make sure that:

  • You run the operating system’s disk maintenance utilities to defragment the disk and to check for and mark any bad areas on the disk;
  • You make a full backup of the disk volumes before installing encryption software;
  • The installation process will give you the opportunity to create emergency recovery information: be sure to write this ERI to a CD or other removable media and keep it in a safe place;
  • More importantly, the encryption software only takes effect when the laptop is turned off or in hibernation. You should never travel with your laptop on standby.

3: Protect yourself from eavesdropping when working in public places: One of my favorite tech commentators is Peter Cochrane, who writes a regular column for Silicon.com. Earlier this year, Peter reported on how easy it was to collect sensitive information from fellow passengers on the train. Anyone who regularly travels on commuter rail services will be familiar with overheard conversations and (even worse) one-sided phone conversations, which provide far more sensitive information than they should.

Resist the temptation to discuss sensitive matters in public places, and try to hold cell phone calls until you can find somewhere more private. Let’s go back to Peter Cochrane again. During his frequent plane trips, he noticed that people used mobile phones to photograph other people’s laptop screens. His blog shows how it’s possible (with enough patience and a bit of experimentation) to get a reasonable image of someone’s laptop screen. This situation is easily remedied with a modest outlay, through the use of a privacy screen. These clip over the laptop screen and make it impossible to read the screen unless you’re directly in front of it. These shades work the same way as polarized sunglasses: make sure they are on correctly.

4: If you must use removable media, be especially careful: It’s almost an immutable law of nature that if you copy sensitive data to removable media, eventually that media will be lost. The simplest remedy, of course, is to not use removable media. My current employer prohibits the use of these devices on public sector projects, and at one point at least one UK government department filled USB ports on laptops with super glue, just to be absolutely sure. Of course, a blanket ban isn’t always practical, so if you need to use a memory card, removable drive, or the like, here are some suggestions:

  • Never allow the use of personal removable devices – you have no idea how or where they have been used before or will be used next.
  • Have a set of memory devices for your project, clearly marked and with some kind of unique identifier. Have team members check them in and sign them off (with a signature) when they need them, and make sure lost or expired devices always get prompt follow-up.
  • Always encrypt the device. As we discussed earlier in this article, using full disk encryption when dealing with sensitive information is absolutely vital. So if everyone on your team has the ability, it’s crazy not to use it for removable devices as well.
  • It is worth the effort to select only the minimum amount of data to copy to removable media. It may be faster to export the entire contents of a database, but you should do everything in your power to limit potential loss.
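The check-out register suggested above is only useful if someone reviews it. As an added example (not part of the original article), this Python sketch audits such a register and flags overdue devices, personal devices that are not in the project set, and devices issued twice without being returned. The CSV layout, device IDs, names and the 7-day loan period are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data: the register format, device IDs and names are
# assumptions made for this example, not taken from any real project.
REGISTERED = {"PRJ-USB-001", "PRJ-USB-002", "PRJ-USB-003"}
MAX_LOAN = timedelta(days=7)  # assumed loan period before follow-up

SAMPLE_LOG = """\
timestamp,device_id,action,person
2024-03-01T09:00,PRJ-USB-001,out,alice
2024-03-01T17:30,PRJ-USB-001,in,alice
2024-03-02T10:15,PRJ-USB-002,out,bob
2024-03-04T08:45,PERSONAL-77,out,carol
2024-03-10T11:00,PRJ-USB-003,out,dave
2024-03-11T09:20,PRJ-USB-003,out,erin
"""

def audit_register(log_text, now, registered=REGISTERED, max_loan=MAX_LOAN):
    """Return (overdue, unregistered, double_issue) findings from the log."""
    on_loan = {}          # device_id -> (checked-out time, person)
    unregistered = []     # events naming a device outside the project set
    double_issue = []     # device handed out again without being returned
    for row in csv.DictReader(io.StringIO(log_text)):
        dev, who = row["device_id"], row["person"]
        when = datetime.fromisoformat(row["timestamp"])
        if dev not in registered:
            unregistered.append((dev, who))
            continue
        if row["action"] == "out":
            if dev in on_loan:
                double_issue.append((dev, on_loan[dev][1], who))
            on_loan[dev] = (when, who)
        elif row["action"] == "in":
            on_loan.pop(dev, None)
    overdue = sorted(
        (dev, who) for dev, (when, who) in on_loan.items()
        if now - when > max_loan
    )
    return overdue, unregistered, double_issue

if __name__ == "__main__":
    findings = audit_register(SAMPLE_LOG, now=datetime(2024, 3, 12, 9, 0))
    for label, items in zip(("overdue", "unregistered", "double issue"), findings):
        print(f"{label}: {items}")
```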

5: Always use a secure connection over public networks: Finally, when you’re out of the office and need to work, take care to secure your communications. Assume that all networks—in hotels or other public spaces, at customer sites, and even at home—are hostile. Always use a virtual private network (VPN) connection to encrypt all your traffic when connecting to your organization’s intranet from outside, and never use a public computer or your home computer to connect to the intranet.

So, to summarize, a combination of sensible procedural precautions, along with some simple and inexpensive technical additions, can go a long way to control the risks of taking sensitive information outside of the normal office environment. These measures may be a little inconvenient, but they will go a long way to ensuring that you are not responsible for a data loss, resulting in massive reputational damage, loss of contracts, and potentially huge fines for your employer.
