Protecting Data Outside the OfficeSeptember 4, 2010 at 11:58 pm | Posted in Data Protection, Human Factors in Security | 1 Comment
Tags: DESlock, disk encryption, Kensngton lock, PGP, phishing, security, sensitive information
A recent article in the Times caught my eye. It was discussing the notion of “extreme jobs”. I think most of us can agree with the idea that there’s been an inexorable increase in the pressure on us to always be available, working longer and longer hours and still prepared to answer the mobile phone to a customer or the boss late into the night, at weekends and even on holiday.
Coupled with the ready availability of increasingly sophisticated mobile technology, it’s inevitable that many of us will take work home with us, or at least, outside the safety of the office environment. For many of us, that means we’re taking with us sensitive information and the consequences of the loss of that data could be catastrophic.
One of my current tasks is preparing security awareness training for colleagues working on a large Public Sector bid. We’ll be delivering this training to highly skilled and very experienced IT professionals, but looking around, I’m reminded that what is obvious and necessary to a security specialist is often at best an annoying distraction to others. We all have to remember that mishandling sensitive information can have grave contractual and even legal consequences both for an individual and for their employer. So, take a look at these 5 simple precautions, to make sure it’s not you that makes the headlines.
1: Pay attention to the physical security of your laptop while travelling
Any attempt to work outside the office almost inevitably means taking a laptop, loaded with project data (including sensitive commercial and even personal data) with you while you’re travelling. No matter how you travel, it’s bound to present plenty of opportunities for your laptop to be lost or stolen. It’s fair to assume that, generally the motive for theft is to sell the laptop onwards, rather than a concerted attempt to obtain any data stored on it. However, you should take reasonable care not to advertise that you might be a valuable target. Don’t for example wear your company pass outside the building. The risk is greatest, when you have to leave the laptop unattended:
- While driving, keep the laptop out of sight, in the boot of your car.
- When staying in a hotel, keep the laptop in a safe, if one is provided in your room.
- When using the laptop in a public place, secure the laptop with a Kensington lock.
2: Use whole disk encryption to protect your data
If your laptop is lost or stolen, the cost of replacing the hardware is relatively minor – and it’s insured anyway, isn’t it? The real cost of the incident is the loss or disclosure of sensitive information stored on the laptop. To protect against this, you should install whole disk encryption software. This ensures that all the data on the laptop’s disk is encrypted, when the laptop is shut down. Only when the laptop is powered up and the authorised user completes pre-boot authentication, is the disk data decrypted and available for use. Commercial software is available from a number of well-known vendors, including PGP and DESlock. You should bear in mind that, unless care is taken, even the authorised user may be unable to decrypt the data on the disk. You should make sure that:
- You run the operating system’s disk maintenance utilities to defragment the disk and check and mark any bad areas on the disk;
- You should make a full backup of the disk volume(s) before installing the encryption software;
- The install process will give the opportunity to create Emergency Recovery Information – make sure you write this ERI to a CD or other removable medium and store it somewhere safe;
- Most importantly, the encryption software only takes effect when the laptop is shut down or hibernated. You should never travel with your laptop in standby.
3: Protect yourself against eavesdropping when working in public places
One of my favourite tech commentators is Peter Cochrane, who writes a regular column for Silicon.com. Earlier this year, Peter reported on how easy it was to collect sensitive information from fellow travellers on the train. Anyone who travels regularly on commuter train services will be familiar with indiscreet conversations and (even worse) one-sided mobile phone conversations, that give away far more sensitive information than they should. Do resist the temptation to discuss sensitive matters in public places and try to curtail calls to your mobile until you can find somewhere more private.
Back to Peter Cochrane again. During his frequent air travel, he noticed people using mobile phones to photograph – or even video – the screens of other people’s laptops. His blog shows how it’s possible (given enough patience and a bit of experimenting) to get a reasonable picture of someone’s laptop screen. This situation is easily fixed for a modest outlay, through the use of a privacy screen. These clip over the laptop screen and make it impossible to read the screen unless you’re directly in front of it. These screens work along the same lines as polarising sun glasses – do make sure they’re fitted the right way round.
4: If you must use removable media, take extra care
It’s almost an immutable law of nature that, if you copy sensitive data to removable media, eventually, that media is going to get lost. The simplest remedy of course is not to use removable media. My current employer bans the use of these devices on Public Sector projects and, at one time, at least one UK government department filled the USB ports of laptops with superglue, to be absolutely sure. Of course, a blanket ban isn’t always practicable, so, if you do need to use a memory stick, removable drive or similar, here are a few suggestions:
- Don’t ever allow the use of personal removable devices – you have no idea how or where they’ve been used before or will be next
- Have a pool of memory sticks for your project, clearly marked and with some sort of unique identifier. Make team members check them in and out (with a signature) when they need them and make sure that missing or overdue devices are always followed up immediately.
- Always encrypt the device. As we discussed earlier in this article, the use of whole disk encryption when dealing with sensitive information is absolutely vital. So, if all your team members have the capability, it’s crazy not to use it for removable devices as well.
- It’s well worth the effort to select only the minimum amount of data for copying onto the removable media. It might be quicker to export the whole contents of a database, but you must do everything in your power to limit the potential loss.
5: Always use a secure connection over public networks.
Finally, when you’re out of the office and you need to work, be careful to secure your communications. Assume that all networks (in hotels or other public spaces, in customer sites and even at home) are hostile. Always use a Virtual Private Network (VPN) connection to encrypt all your traffic when connecting to your organisation’s intranet from outside and never use a public computer or your home computer to connect to the intranet.
So, to summarise, a mixture of sensible procedural precautions, together with a few simple and inexpensive technical additions can do much to control the risks of taking sensitive information outside the normal office environment. These measures might be a little inconvenient, but they will go a long way to ensuring that you’re not the one found responsible for a data loss, resulting in massive reputational damage, the loss of contracts and potentially huge fines for your employer.