How to keep your data secure in a WFH world
How do you manage your company’s sensitive information when your staff are spread out across the country? Steve Cassidy investigates a timely conundrum.
It’s said that possession is nine-tenths of the law. As a society, we understand that there’s a significant distinction between things you can grasp and manage, versus things that are under the gaze and control of others – and we need rules to handle cases when real-world practicalities don’t line up with abstract principles of property.
It’s a situation that can easily apply to company data when people are working from home (WFH), using self-managed hardware on domestic network connections. It’s a tricky topic, and it’s only going to get more complicated as businesses begin phased returns to the office. This is likely to see people hopping back and forth between company and personal resources, and needing to move information back and forth between the two – or access it from both.
The specifics of data protection will be unique to every company, but there are some issues that every firm ought to be considering: issues that help minimise the likelihood of sensitive information being put at risk, and help you avoid being the next company forced to put out a humiliating statement admitting to a data leak.
The “who’s Mum?” rule
The first step is to take stock of who’s actually controlling what data. To explain what I mean by that, think about buying a plane ticket (if your memory goes back that far). From your perspective, the process may involve nothing more than a few clicks on a travel website, plus off-site authorisation from your bank. But behind the scenes, there are many more real-time transactions going on, involving the airline itself and its own internal seat management, luggage handling, catering systems and so on.
The same hidden world applies to a great number of business processes in 2021. You might spend half your time on the website of your partnered courier company, raising orders that in turn affect delivery schedules, staffing rotas and who knows what else. What you need to ask is: “who’s Mum here?” In other words, who’s framing and managing the interaction that brings together all the strands of a completed service?
This is not to say that you necessarily want to be Mum. The role can involve a lot of expense and maintenance, and may make you subject to all sorts of obligations relating to the data that flows through you. This is why smaller businesses are often lured by the siren call of cloud platforms: you’re effectively paying for someone else to take care of all the Mum-type duties, from database management to backup.
And because such services are typically internet-hosted, they’re minimally impacted by whether your staff are logging on from the sixth floor of a busy office building or sitting in their garden with a laptop, making them even better for a future where working from home part-time is the norm.
The more you outsource, though, the more exposed you are. If you’re not Mum, you need a Plan B for what happens when Mum is unreachable or unreliable, and you need to be able to communicate emergency measures to all affected staff as quickly as possible – which can be a challenge in itself when everyone’s WFH.
Physical storage
Not that long ago, the humble flash drive used to be the IT department’s nemesis. To users, it was the perfect way of taking a load of spreadsheets or invoices home for a spot of weekend working, costing just a few quid and small enough to fit onto a key ring. For managers, it was a gaping security hole, allowing for the unseen exfiltration of any amount of confidential data.
Things have changed. As internet services have matured, few people bother carrying around physical storage devices. If they do, it’s for specialist purposes: my Hitachi G-Drive, rated to be dropped off a helicopter onto the deck of an Alaskan trawler, offers a generous 512GB over a USB 3 connection – enough to back up not just a few years of accounting records, but also a VM of the accounts server to process them on.
In this brave new world, physical media could actually become a partner in data protection. A USB storage device popped into the post, or picked up from the office on a Tuesday and returned on a Friday, offers few opportunities for man-in-the-middle attacks, accidental CCs or ad-hoc personal backups to insecure cloud services. For extra security, there are plenty of secure drives with features such as a numeric keypad built-in, so that if the drive falls out of your pocket during your morning constitutional, no one can pick it up and access the information.
When working with portable media, there’s always the risk of proliferating or conflicting versions of files, though it’s arguably no worse than with the numerous remote-access and cloud sync services you might otherwise rely on. Perhaps a bigger concern is the infamous 12% statistic – the supposed proportion of users who simply click on everything they see, no matter where it may seem to be from. Of course, it’s not a rule that one in every eight of your workers will fall into this group, but if you’re not confident in the vision of a carefully rehearsed, professional workforce all tapping at the keypad on their USB sticks when they want a work document on their home computer, your particular team might be served better by a different approach.
Let the apps and data stay put
One small business I visited during lockdown took an early, rapid decision about the safest way to implement working from home.
They left all of the office PCs running with a cloud-based remote access application installed, allowing home users to log in using their regular company credentials and get their machine’s screen up on whatever equipment they had at home. A few even managed to use nothing more than an iPad.
This might not have been the most energy-efficient approach, but with monitors turned off and no travel, it was more environmentally friendly than business as usual. And for this particular business of under 50 seats, the arrangement didn’t seem to disrupt employees’ productivity at all – it was certainly neater than trying to replicate everyone’s applications and server access at home.
Best of all, it ticked all the boxes when it came to the safety of their data – or at least, it didn’t untick any that had been ticked. After all, whatever state the network had been in before the switch to WFH, that was how it remained. The firewall was still there, the antivirus scanner was still scanning, and the data never physically left the building.
Naturally, a setup like this needs to be properly and securely configured in the first place, and thereafter needs someone like me to drop in from time to time to check on the infrastructure and clear up any issues, but that’s not an unreasonable ask.
The other requirement is a decent population of home PCs: you need to be prepared to support people who don’t have a machine of their own that’s suitable and available for work use. In this case, some power users requested a dedicated work laptop, even though they already had tech that was technically capable of opening a remote access session: for some, the separation between work and personal resources remains clear-cut.
It’s easy to get the ideas of encryption and security mixed up. They certainly have a relationship, but they’re far from synonymous, and while security needs to be everywhere, that doesn’t necessarily mean you need to enforce pervasive encryption. It can be extremely valuable in lots of backend and infrastructure roles – such as VPN links – but it’s not realistic to try to conduct business with laboriously managed encryption software holding sway over every document your staff needs to work with.
This is a frustrating observation, because by now this was all supposed to be transparently handled by digital rights management (DRM) platforms. Five or ten years ago, we envisioned staff logging into an authenticator that would allow them freely to open, edit and save files, while blocking any sort of unauthorised access and keeping a complete record of who read and changed what and when.
Alas, that technology still hasn’t materialised. To an extent, the move to the cloud has made it less pressing: we all know how to log in to Google to authenticate to some distant cloud service, and ditto Amazon Cloud. But it’s not a consistent standard that you can manage yourself. Shift across to Azure and that becomes immediately obvious: here, the online model is effectively reversed, with a focus on emulating and extending people’s on-premises Active Directory configurations up into the cloud.
So DRM is of limited help, not because the features aren’t available – Adobe Acrobat is a great example of what can be done – but because the market is simply too fragmented and complex. I know of a hotel that took the opportunity of a lockdown to undertake refurbishment works. The interior designers applied DRM to their blueprints, wanting to keep tight control of access by contractors; unfortunately, one of these was a Romanian lady with a nice online business representing an army of lace curtain makers back in the old country. The communication and technical barriers to getting her into the system proved insurmountable; in the end, the hotel owners copied the blueprints and stuck them up, unlocked, on Google Drive.
DRM isn’t a lost cause, but it might be a few years before it’s smart and transparent enough to use by default at the document level, especially in sectors where businesses come together for one-off projects and then separate again.
Putting it all out there
Even before the pandemic, there were plenty of businesses that operated almost entirely in the cloud. And if your business model happens to fit neatly with a cloud provider’s model, this can be a win-win proposition. However, in almost all cases, it’s a major project, and probably not something you want to start in the middle of a major upheaval; a year into the crisis, I’ve not yet heard of anyone who has started a cloud move after the arrival of lockdown. Aside from anything else, uploading a local data store to a cloud server can be time-consuming: one mid-sized corporate client told me that upload times for its Office 365 server were measurable in centuries.
A halfway house might be to create a virtual model of the remote-access office discussed above. If you can create VMs of everyone’s work PCs, you can host those on Amazon EC2 or Azure and largely shut down the office, while quite possibly enjoying better performance than you would get from accessing the real hardware over your company’s leased line.
Those already in the cloud boat will be pleased to hear of another empty class I expected to see more of over the past year: small businesses whose data was stolen because they trusted their cloud provider’s security and architecture, and who have subsequently found themselves with no comeback. It goes without saying that providers will never take complete responsibility for your use of their service, and especially during lockdown I’ve perceived a certain “like it or lump it” attitude by service sellers. While their businesses are under unusual pressure, they can’t so easily accommodate you or race after your sales enquiry, so just be grateful for what you receive. There’s every chance that unfortunate breaches have happened, but this sort of thing is generally kept as quiet as possible.
Vox populi
Once issues of access to apps and data have been addressed, the actual practice of working from home can be functionally just the same as working in the office. However, one big unavoidable change is a greater reliance on communications technologies.
These come with their own concerns. Of course, we all love those team-building chitchats over Zoom, but we’ve also heard of plenty of incidents of chats left unsecure, allowing any random user to join in. That might not be a problem for tight-knit teams, but if working from home continues significantly in the coming years then, as staff join and move on, the risk grows. And Zoom isn’t just about live chat – it’s also a dangerously easy way to receive files whose provenance you may not have properly verified, and to share items with individuals who might not be who they seem.
This isn’t just a Zoom problem.
It’s remarkable how easy it is to externalise a phone system, so that staff can have a “company phone” at home, perhaps a softphone on their computer. As I’ve hinted above, the danger is that these systems do so much more than VoIP, and there are so many of them that it’s easy to be blindsided by an unfamiliar one. My suggestion for any end user concerned that they might become the conduit for a data leak is simply this: learn to lie. No one can prove that some service or piece of software works on your machine or your connection, and saying it doesn’t is a pretty safe way of avoiding unfamiliar (and potentially untested) programs that can spell disaster. You may feel a little dirty, but protecting your data is important enough to excuse the fib.