The new working professional is always connected, and increasingly, the office is Starbucks, an airport or home. With new flexibility comes new IT security risks for businesses. Basic defences like antivirus are important, but not enough to keep corporate data from the increasingly sophisticated hacker.
How can mobile workers better protect information while they're outside the office? Here are 9 tips to keep employees (and corporate data) safe outside the office:
Tip 1: Use laptop disk encryption
One of the first lines of defence is to secure the data that sits on a laptop's hard drive, making it prohibitively difficult for an attacker to retrieve anything from a device that slips out of an employee's control. As more personal laptops have entered the work ecosystem, disk encryption has become increasingly important.
Without properly implemented encryption, a password is just a polite request for an attacker to not access data.
Tip 2: For laptops, set boot order and password in the BIOS
Most people have their Windows accounts locked down, but what about the BIOS? The first thing a seasoned attacker will try to do is boot from something other than the hard disk (USB stick, CD, etc.) and poke around.
There are a few techniques to make this more difficult. One is to put the hard disk first on the boot list in the BIOS and then password protect the BIOS to stop someone from changing it. If an attacker has stolen the laptop, they can still take more drastic measures such as removing the hard disk (but hopefully it's encrypted).
Changing the boot order and locking the BIOS will make things considerably more difficult for an attacker who only has brief access to the machine.
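As an added example (not part of the original article), the following PowerShell script audits a Windows laptop for the two protections discussed in Tips 1 and 2: every fixed volume fully encrypted with BitLocker, the operating-system volume guarded by a pre-boot PIN or password so a removed disk cannot unlock itself, and Secure Boot enabled in firmware. The BIOS boot order itself is not exposed to PowerShell, so the Secure Boot check is used as an indicator of firmware hardening rather than a direct test of the boot list. It assumes Windows 10/11 with the BitLocker module available and an elevated session; the function name is the author's own.

```powershell
# Added example (not from the original article): audit a Windows laptop for the
# protections in Tips 1 and 2 - full-disk encryption and a hardened boot path.
# Assumes Windows 10/11 with the BitLocker PowerShell module and an elevated session.
# Returns a list of findings; an empty list means nothing was flagged.

function Get-LaptopEncryptionFindings {
    [CmdletBinding()]
    param()

    $findings = @()

    # Tip 1: every fixed volume should be fully encrypted with protection turned on.
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "$($vol.MountPoint) is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$($vol.MountPoint) has BitLocker protection suspended or off"
        }
        # A removed disk is only useful to a thief if it unlocks without the user.
        # For the OS volume, insist on a TPM+PIN (or password) protector so the
        # volume does not decrypt automatically on another machine or boot device.
        if ($vol.VolumeType -eq 'OperatingSystem') {
            $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
            $hasPreBootSecret = ($types -contains 'TpmPin') -or
                                ($types -contains 'TpmPinStartupKey') -or
                                ($types -contains 'Password')
            if (-not $hasPreBootSecret) {
                $findings += "$($vol.MountPoint) has no pre-boot PIN or password protector (protectors: $($types -join ', '))"
            }
        }
    }

    # Tip 2: the boot order lives in firmware and is not readable from PowerShell,
    # but Secure Boot being off is a strong sign the firmware has not been locked down.
    try {
        if (-not (Confirm-SecureBootUEFI)) {
            $findings += 'Secure Boot is disabled in firmware'
        }
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS systems or when not elevated.
        $findings += "Secure Boot state could not be read: $($_.Exception.Message)"
    }

    return $findings
}

$results = @(Get-LaptopEncryptionFindings)
if ($results.Count -eq 0) {
    Write-Host 'No findings: all fixed volumes encrypted and Secure Boot is on.'
} else {
    $results | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated PowerShell prompt on the laptop being checked. A clean result still does not prove the BIOS is password-protected or that the hard disk is first in the boot list; those settings have to be verified in the firmware setup screen, which is exactly the manual check Tip 2 asks for.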
Tip 3: See what it takes to do password resets, then educate employees
The model of using biographical information for password reset is failing. The name of an employee's favourite pet, grandfather's occupation and mother's maiden name are more available than ever before: attackers can mine information from social networking sites as well as public records that are now online.
It's an important exercise for employees to see how exposed they are by trying password resets on their corporate and personal accounts. Imagine they have forgotten all passwords to email, their laptop, etc.
How do they reset them? What questions get asked? Could someone find those answers online somewhere? If so, it's time to change those questions or answers. If the account simply sends a password reset email then ask: what would it take for someone to reset an email password?
Tip 4: Educate employees on the risks of public Wi-Fi networks
Free tools abound to sniff traffic on public Wi-Fi networks. With that in mind, it's important for employees to take precautions when accessing or sending anything sensitive (email, searches, etc.). Mobile workers should always ensure that email is sent and received through an encrypted channel (VPN, webmail over SSL, etc.). For corporate email, this should be the only route possible to receive messages.
The reality though is that sometimes policies are circumvented in the name of productivity. One common example is sending corporate documents to personal email accounts so that they are easier to access and work with outside the office.
If you accept that work-related activities will be done while not connected through a VPN or on a corporate-sanctioned device, it is important to educate employees about the risks and help them make safer choices.