Working Safely Online (Anytime, Anyplace, Anywhere)
Work from anywhere without putting your organization’s data at risk
March 28, 2011
Editor’s note: This article was originally published in the Lasa Knowledgebase which is designed to help community and voluntary sector organizations access the benefits of information technology.
Being able to work from anywhere presents great opportunities; however, it’s important to keep security in mind when working away from the office. Here we look at the potential security risks and how to reduce them.
Why Be Concerned About Mobile Security?
With the advent of remote working, cloud computing, ubiquitous WiFi access (often free) in coffee bars, pubs, and other public places, and the wide availability of public access computers in Internet cafes, libraries, and more, the ability to work from literally anywhere 24/7/365 has been a reality for some time. Whether on a laptop, netbook, tablet PC like the iPad, or smartphone (mobile phone with advanced, often PC-like functionality such as the iPhone or phones running Android or Windows Mobile), it is easy to take your work with you and this presents increased risks to the security of your organization’s data.
Anywhere, any time access presents some security risks that your organization's staff, volunteers, trustees, and others need to be aware of so they can take appropriate precautions. People can be the biggest threat to the security of your IT systems whether inadvertently or deliberately. No matter how technically secure your IT systems are, people can often be your weakest link.
While there are other security considerations (for example, security at the cloud service provider's end, security of your organization's remote working infrastructure), here we'll focus on the precautions organizations and their people can take to avoid the main risks at the end-user level.
Safe and Responsible Computer Use – IT Acceptable Use Policy
The first step is to develop an IT acceptable use policy to inform the organization's people (staff, volunteers, clients, trustees, trainees, and so on) of what is expected of them when using the organization's technology resources in the workplace or elsewhere to carry out work on the organization's behalf. See the knowledgebase article ICT Acceptable Use Policies for more information and a policy framework.
Loss and Theft
A big risk with highly portable (and desirable) devices is loss and theft. As well as taking precautions to avoid these mishaps, it’s worth preparing for the worst that could happen.
At the very least, ensure that devices are protected with a strong password. Consider carefully whether sensitive data needs to be present on mobile devices at all. Where it is absolutely necessary, make sure it is encrypted (see below) so it cannot be read by unauthorized persons.
It may be stating the obvious but… if you are using your laptop or mobile device in a public place, never leave it unattended. In the event that this is completely unavoidable, at the very least, secure your device using a suitable lock such as those available from Kensington.
In addition to these basic precautions:
- Insure it. Make sure your equipment insurance also covers laptops and other portable devices when they are off the premises.
- In transit. Don't leave your portable devices in full view while in unattended cars. We would also question the wisdom of using them on a busy subway, train, or bus where potential thieves can see your expensive laptop.
- Case study. Laptop carry cases are easily identifiable by thieves so consider carrying them in something not as obvious.
Sensitive Data? Use Encryption
As stated above, consider whether you need to have sensitive data on your laptop or mobile device at all. Nevertheless, if this is unavoidable, it’s a good idea to use encryption. In the event that your laptop is stolen, having the hard drive and directories containing sensitive information encrypted will at least help ensure your organization's data can't be easily stolen or used.
For memory sticks, portable external hard drives, and disks there are also free encryption tools available. These allow you to encrypt folders or whole drives including hard disks, memory sticks, and portable media such as DVDs. Examples include TrueCrypt.
Remember that any laptop can have any data on it stolen despite the presence of Windows passwords. Encrypting the disks in the laptop is the only way to prevent this. BitLocker is great for this and is available in Vista and Windows 7 Enterprise and Ultimate Editions, which are not easy to get hold of but do implement BitLocker (and BitLocker To Go for memory sticks) beautifully. You also need a TPM (Trusted Platform Module) chip inside the laptop. This needn't mean paying a lot these days.
It is best not to send sensitive information by email as it could potentially be read by anyone en route to the intended recipient – it’s a bit like sending a postcard. However, if you do feel the need to send sensitive data by email, be sure to use software to encrypt the message. Examples of free email encryption software include PGP (Pretty Good Privacy).
Bear in mind that, as with any software, there’s a bit of a learning curve involved in using encryption software, so it can be a bit tricky to use, particularly for novices. So avoid sending sensitive data by email or storing it on portable media and devices.
Make sure you always use secure passwords and change them regularly. If your web browser is set up to save passwords, make sure you have a secure master password set to protect this information. It’s always safest to clear out your cookies of saved passwords and change them once in a while. See Password Tips for Privacy.
If you are using your laptop to connect to the internet in a public space such as a coffee shop or hotel lobby, or other free "WiFi hotspot" remember that these types of wireless networks are inherently not very secure. This is because in order to make it easy for users to get onto the network, wireless security measures are often not implemented or are fairly lightweight. You should be especially careful about working in this type of environment as wireless traffic can be easily "eavesdropped" by anyone with the right knowledge and equipment.
You may have to request a security key to allow access to the network which could give a false sense of security – anyone can get one! Indeed, it is the policy of some organizations not to allow their equipment to be used on wireless networks anywhere outside the organization, even home networks.
Publicly Accessible Computers
For many people without access to their own equipment, working on the move may mean having to use computers in Internet cafés, libraries, hotel lobbies, and other public places. It’s particularly important to take extra precautions if using publicly accessible computers is unavoidable. You won’t be able to guard against loss or theft or encrypt the computers themselves, but if you’re using memory sticks or other portable media, consider encrypting them, and definitely do so if they contain sensitive information – portable media are easily forgotten, lost, or broken.
- Take extra care when accessing your network remotely from public computers – perhaps you don't want to use that dodgy looking Internet café after all… who knows whether some key logging software has found its way onto a machine, giving someone else all the information they need to log onto your network.
- Make sure that passwords and other login details are not being saved automatically when you are online. Many browsers and websites offer this option, but on shared computers make sure the "remember my ID on this computer" option is NOT ticked.
- Clear the browser’s Internet cache and any other personal data such as form data and passwords when you have finished your session. See wikiHow for information on how to do this in different browsers, and Yahoo! Help article How to Clear Your Internet Search History.
- Never leave the computer unattended when you are logged in.
- Watch out for people looking over your shoulder (often called "shoulder surfing") and shield your passwords when entering them.
- Make sure you sign out of any websites and computers completely. It is important that you do this even if you have not requested the computer remember your login details.
- Avoid using shared computers for logging into websites that hold your personal financial information.
Home Computers and Remote Access
If you are using your own computer at home to access work materials or the office network, this should only be with the explicit backing and permission of your organization’s management.
Some good practice pointers:
- Use a personal firewall (get advice from your organization if you are uncertain about what this means) and install and keep updated anti-virus software.
- Make sure any sensitive documents are securely deleted if no longer required to prevent information being stolen or accidentally "escaping" from the recycling bin.
- Don’t leave your home PC unattended and logged in to the office network.
- If you have a wireless network ensure it is secure using WPA security (many routers supplied by ISPs are already set up with WPA which is hard-coded into the equipment).
The benefits of being able to work from anywhere are enormous. By taking sensible precautions to avoid risks such as loss and theft of equipment, insecure wireless hotspots, working on publicly accessible or home computers, weak passwords, and "social engineering," it’s perfectly possible for users to work safely and securely from practically anywhere.