Work from anywhere without putting your organisation’s data at risk.
By: Lasa Information Systems Team
March 28, 2011
Editor’s note: This article was originally published in the Lasa Knowledgebase which is designed to help community and voluntary sector organisations access the benefits of information technology.
Being able to work from anywhere presents great opportunities; however, it’s important to keep security in mind when working away from the office. Here we look at the potential security risks and how to reduce them.
With the advent of remote working, cloud computing, ubiquitous WiFi access (often free) in coffee bars, pubs, and other public places, and the wide availability of public access computers in Internet cafes, libraries, and more, the ability to work from literally anywhere 24/7/365 has been a reality for some time. Whether on a laptop, netbook, tablet PC like the iPad, or smartphone (mobile phone with advanced, often PC-like functionality such as the iPhone or phones running Android or Windows Mobile), it is easy to take your work with you and this presents increased risks to the security of your organisation’s data.
Anywhere, any time access presents some security risks that your organisation's staff, volunteers, trustees, and others need to be aware of so they can take appropriate precautions. People can be the biggest threat to the security of your IT systems whether inadvertently or deliberately. No matter how technically secure your IT systems are, people can often be your weakest link.
While there are other security considerations (for example, security at the cloud service provider's end, security of your organisation's remote working infrastructure), here we'll focus on the precautions organisations and their people can take to avoid the main risks at the end-user level.
The first step is to develop an IT acceptable use policy to inform the organisation's people (staff, volunteers, clients, trustees, trainees, and so on) of what is expected of them when using the organisation's technology resources in the workplace or elsewhere to carry out work on the organisation's behalf. See the knowledgebase article ICT Acceptable Use Policies for more information and a policy framework.
A big risk with highly portable (and desirable) devices is loss and theft. As well as taking precautions to avoid these mishaps, it’s worth preparing for the worst that could happen.
At the very least, ensure that devices are protected with a strong password. Consider carefully whether sensitive data needs to be present on mobile devices at all. Where it is absolutely necessary, make sure it is encrypted (see below) so it cannot be read by unauthorised persons.
It may be stating the obvious but… if you are using your laptop or mobile device in a public place, never leave it unattended. In the event that this is completely unavoidable, at the very least, secure your device using a suitable lock such as those available from Kensington.
In addition to these basic precautions:
As stated above, consider whether you need to have sensitive data on your laptop or mobile device at all. If this is unavoidable, it’s a good idea to use encryption. In the event that your laptop is stolen, having the hard drive and the directories containing sensitive information encrypted will at least help ensure your organisation's data can't be easily stolen or used.
For memory sticks, portable external hard drives, and disks there are also free encryption tools available. These allow you to encrypt folders or whole drives including hard disks, memory sticks, and portable media such as DVDs. Examples include TrueCrypt.
Remember that any laptop can have any data on it stolen despite the presence of Windows passwords. Encrypting the disks in the laptop is the only way to prevent this. BitLocker is great for this and is available in Vista and Windows 7 Enterprise and Ultimate Editions, which are not easy to get hold of but do implement BitLocker (and BitLocker To Go for memory sticks) beautifully. You also need a TPM (Trusted Platform Module) chip inside the laptop. This needn't mean paying a lot these days.
It is best not to send sensitive information by email as it could potentially be read by anyone en route to the intended recipient – it’s a bit like sending a postcard. However if you do feel the need to send sensitive data by email, be sure to use software to encrypt the message. Examples of free email encryption software include PGP (Pretty Good Privacy).
Bear in mind that as with any software, there’s a bit of a learning curve involved in using encryption software, so it can be tricky to use, particularly for novices. So avoid sending sensitive data by email or storing it on portable media and devices.
Make sure you always use secure passwords and change them regularly. If your web browser is set up to save passwords, make sure you have a secure master password set to protect this information. It’s always safest to clear out your cookies of saved passwords and change them once in a while. See Password Tips for Privacy.
If you are using your laptop to connect to the internet in a public space such as a coffee shop or hotel lobby, or other free "WiFi hotspot" remember that these types of wireless networks are inherently not very secure. This is because in order to make it easy for users to get onto the network, wireless security measures are often not implemented or are fairly lightweight. You should be especially careful about working in this type of environment as wireless traffic can be easily "eavesdropped" by anyone with the right knowledge and equipment.
You may have to request a security key to allow access to the network which could give a false sense of security – anyone can get one! Indeed, it is the policy of some organisations not to allow their equipment to be used on wireless networks anywhere outside the organisation, even home networks.
For many people without access to their own equipment, working on the move may mean having to use computers in Internet cafés, libraries, hotel lobbies, and other public places. It’s particularly important to take extra precautions if using publicly accessible computers is unavoidable. You won’t be able to guard against loss or theft or encrypt the computers themselves, but if you’re using memory sticks or other portable media, consider encrypting them, and definitely do so if they contain sensitive information – portable media are easily forgotten, lost, or broken.
If you are using your own computer at home to access work materials or the office network, this should only be with the explicit backing and permission of your organisation’s management.
Some good practice pointers:
The benefits of being able to work from anywhere are enormous. By taking sensible precautions to avoid risks such as loss and theft of equipment, insecure wireless hotspots, working on publicly accessible or home computers, weak passwords, and "social engineering," it’s perfectly possible for users to work safely and securely from practically anywhere.
About the Author:
Lasa Information Systems Team provides a range of services to community and voluntary organisations including ICT Health Checks and consulting on the best application of technology in your organisation. Lasa IST is responsible for maintaining the ICT Hub Knowledgebase.
Copyright © 2011 Lasa Information Systems Team. This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 License.