Martini security - working safely online anytime, anyplace, anywhere
By Lasa Information Systems Team
Being able to work from anywhere presents great opportunities; however, it’s important to keep security in mind when working away from the office. Here we look at the potential security risks and how to reduce them.
Why be concerned about mobile security?
With the advent of remote working, cloud computing, ubiquitous Wi-Fi access (often free) in coffee bars, pubs and other public places, and the wide availability of public access computers in internet cafes, libraries etc., the ability to work from literally anywhere 24/7/365 has been a reality for some time. Whether on a laptop, netbook, tablet PC like the iPad, or smartphone (a mobile phone with advanced, often PC-like functionality, such as the iPhone or phones running Android or Windows Mobile), it is easy to take your work with you, and this presents increased risks to the security of your organisation’s data.
Anywhere / any time access presents some security risks that your organisation's staff, volunteers, trustees and others need to be aware of so they can take appropriate precautions. People can be the biggest threat to the security of your ICT systems whether inadvertently or deliberately. No matter how technically secure your ICT systems are, people can often be your weakest link.
Whilst there are other security considerations (e.g. security at the cloud service provider's end, security of your organisation's remote working infrastructure), here we'll focus on the precautions organisations and their people can take to avoid the main risks at the end user level.
Safe and responsible computer use – ICT acceptable use policy
The first step is to develop an ICT acceptable use policy (AUP) to inform the organisation's people (staff, volunteers, clients, trustees, trainees etc.) of what is expected of them when using the organisation's technology resources in the workplace or elsewhere to carry out work on the organisation's behalf. See the knowledgebase article ICT Acceptable Use Policies for more information and a policy framework.
Loss and theft
A big risk with highly portable (and desirable) devices is loss and theft. As well as taking precautions to avoid these mishaps, it’s worth preparing for the worst that could happen.
At the very least, ensure that devices are protected with a strong password. Consider carefully whether sensitive data needs to be present on mobile devices at all. Where it is absolutely necessary, make sure it is encrypted (see below) so it cannot be read by unauthorised persons.
It may be stating the obvious but… if you are using your laptop or mobile device in a public place, never leave it unattended. In the event that this is completely unavoidable, at the very least, secure your device using a suitable lock such as those available from Kensington.
In addition to these basic precautions:
- Insure it - Make sure your equipment insurance also covers laptops and other portable devices when they are off the premises.
- In transit - don't leave devices in full view in unattended cars. We would also question the wisdom of using them on a busy tube, train or bus where potential thieves can see your expensive laptop.
- Case study - laptop carry cases are easily identifiable by thieves so consider carrying them in something not as obvious.
Sensitive data? Use encryption
As stated above, consider whether you need to have sensitive data on your laptop or mobile device at all. Nevertheless if this is unavoidable, it’s a good idea to use encryption. In the event that your laptop is stolen, having the hard drive, and / or directories containing sensitive information encrypted will at least help ensure your organisation's data can't be easily stolen or used.
For memory sticks and disks there are also free encryption tools available. These allow you to encrypt folders or whole drives including hard disks, memory sticks, and portable media such as DVDs. Examples include TrueCrypt.
Remember that any laptop can have any data on it stolen despite the presence of Windows passwords. Encrypting the disks in the laptop is the only way to prevent this. BitLocker is great for this and is available in Vista and Windows 7 Enterprise & Ultimate Editions, which are not easy to get hold of but do implement BitLocker (and BitLocker To Go for memory sticks) beautifully. You also need a TPM (Trusted Platform Module) chip inside the laptop. This needn't mean paying a lot these days.
It is best not to send sensitive information by email as it could potentially be read by anyone en route to the intended recipient – it’s a bit like sending a postcard. However if you do feel the need to send sensitive data by email, be sure to use software to encrypt the message. Examples of free email encryption software include PGP (Pretty Good Privacy).
Bear in mind that, as with any software, there’s a bit of a learning curve involved in using encryption software, so it can be a bit tricky to use, particularly for novices. So avoid sending sensitive data by email or storing it on portable media and devices.
Make sure you always use secure passwords and change them regularly. If your web browser is set up to save passwords, make sure you have a secure master password set to protect this information. See How am I supposed to remember that? Choosing and using secure passwords.
If you are using your laptop to connect to the internet in a public space such as a coffee shop or hotel lobby, or other free “Wi-Fi Hotspot” remember that these types of wireless network are inherently not very secure. This is because in order to make it easy for users to get onto the network, wireless security measures are often not implemented or are fairly lightweight. You should be especially careful about working in this type of environment as wireless traffic can be easily “eavesdropped” by anyone with the right knowledge and equipment.
You may have to request a security key to allow access to the network, which could give a false sense of security – anyone can get one! Indeed, it is the policy of some organisations not to allow their equipment to be used on wireless networks anywhere outside the organisation, even home networks.
Publicly accessible computers
For many people without access to their own equipment, working on the move may mean having to use computers in internet cafés, libraries and other public places. It’s particularly important to take extra precautions if using publicly accessible computers is unavoidable. You won’t be able to guard against loss or theft or encrypt the computers themselves, but if you’re using memory sticks or other portable media, consider encrypting them, and definitely do so if they contain sensitive information – portable media are easily forgotten, lost or broken.
- Take extra care when accessing your network remotely from public computers - perhaps you don't want to use that dodgy looking internet café after all… who knows whether some key logging software has found its way onto a machine, giving someone else all the information they need to log onto your network.
- Make sure that passwords and other login details are not being saved automatically when you are online. Many browsers and websites offer this option but on shared computers make sure the “remember my ID on this computer” is NOT ticked.
- Clear the browser’s internet cache and any other personal data such as form data and passwords when you have finished your session. See wikiHow for information on how to do this in different browsers, and Yahoo! Help article How to Clear Your Internet Search History.
- Never leave the computer unattended when you are logged in.
- Watch out for people looking over your shoulder (often called “shoulder surfing”) and shield your passwords when entering them.
- Make sure you sign out of any websites and computers completely. It is important that you do this even if you have not requested the computer remember your login details.
- Avoid using shared computers for logging into websites that hold your personal financial information.
Home computers and remote access
If you are using your own computer at home, this should only be with the explicit backing and permission of your organisation’s management.
Some good practice pointers:
- Use a personal firewall (get advice from your organisation if you are uncertain about what this means) and install and keep updated anti-virus software.
- Make sure any sensitive documents are securely deleted if no longer required to prevent information being stolen or accidentally “escaping” from the recycling bin.
- Don’t leave your home PC unattended and logged in to the office network.
- If you have a wireless network ensure it is secured using WPA security (many routers supplied by ISPs - BT Internet for example - are already set up with WPA, which is hard coded into the equipment).
The benefits of being able to work from anywhere are enormous. By taking sensible precautions to avoid risks such as loss and theft of equipment, insecure wireless hotspots, working on publicly accessible or home computers, weak passwords, and “social engineering”, it’s perfectly possible for users to work safely and securely.
Published: 21st December 2010
Copyright © 2010 Lasa Information Systems Team