More of us than ever are working remotely. A recent worldwide survey suggested nearly 80% of employees who produce ideas and information (that is, not goods and services) work away from their office at least once a week. With remote working becoming ever more acceptable to employers this trend is upwards. Already, many of these workers won’t have a corporate office desk (or will have to share one).
It won’t be too long before ‘remote’ working is the new normal.
In times past, when most of us did have a desk, keeping it clean of our work output was a security virtue and sometimes corporate policy. A clean desk still helps corporate security staff doing after-hours patrols to see that sensitive work assets have been put away.
But the hard outer shell that provided physical walls for corporate information and assets is being dissolved by ever-increasing remote working. More of us spend less and less time producing our ideas and information inside secure environments. In this post-office age, we now use a rich mix of both private and corporate IT services, some of the private ones being more powerful than would have been available to corporations not long ago. Welcome also to the world of BYOD, which is becoming so common that the acronym itself is falling out of use. On top of all this, we need to remember that there are no paperless offices and ‘hard copy’ is still very much part of the picture.
Vulnerabilities and Threats
It’s now common to have family and friends (and, in public places, complete strangers) able to see our work. Sometimes we may even share devices on which sensitive corporate data rests or through which it has passed, and nearly all of us share wireless connectivity.
With this increased mix of less physical security and more attack surfaces, how can we, when working away from an office, protect corporate assets once our work is done?
It is important to be able to recall quickly the procedure to follow when something goes wrong. In the same way that we instinctively know to dial 911 in an emergency, we should hard-wire any corporate requirements about reporting the loss or possible compromise of assets into our consciousness. This will help to protect you contractually as well as giving your clients and your organization a fair chance to put things right. It can be traumatic to lose any asset, so passing that knowledge on to those who are trained to respond is a good first step for preventing any loss or compromise turning into something worse. A security awareness program can help with this.
Make sure you understand all the requirements for backing up work, whether onto another device or into the cloud, and make sure you understand how to apply any encryption required. Backing up your work when finishing your day is the virtual equivalent of putting all your papers safely away in a fireproof cupboard. Back up your work regularly and often. Adopt the good habit of saving documents while you work on them through frequent mouse clicks or keystroke combinations.
If available, make sure that any tracking tags are still connected to your most valuable assets and their containers. These are increasingly common and can help you and organizations (as well as law enforcement) track down missing assets.
When corporations restrict the use of their own devices it might seem like a good idea to carry your own, too. But consider the challenges of effectively managing several devices. Always double-check to make sure you have everything when leaving public spaces, especially public transportation, restaurants and bars.
Without effective encryption, securing remote working would be much more difficult. It is therefore very important that encryption keys are not compromised, and attention should be given to any special instructions for the handling of encryption management tools (e.g. passwords and tokens). Their loss or compromise must be reported immediately.
We don’t have to wait to get to our destination to do our work, due in part to the multitude of public wireless access points, e.g. in transportation hubs, restaurants, and hotels. But their use creates new opportunities for hackers to collect information or just interfere with our data and devices. Some organizations may specifically prohibit the use of public networks and any such instructions should of course be followed. But make sure that any default setting on your devices that enables them to be discovered (i.e. by other devices) is turned off before setting out on business. At the end of the day, log off from any accounts accessed through public networks. Ideally, clear your browser of any saved information too, including passwords.
To protect your devices at home, access to your private network should always be secured with a complex password. Its network name (the SSID) should not include information about you, your device or location that might help hackers home in on your work devices.
Applications and Programs
Limit the use of corporate devices for any private browsing. It may be possible for corporations to set their devices up so that corporate and private internet access can be kept separate. In any case you should be clear that you will be responsible for any misuse of an organization’s assets, including their applications and email accounts. Some organizations may require or enforce the log off of any applications used for work. This can challenge your personal password management approach (but see below).
Passwords and Tokens
There are many words of advice on how to construct and secure your passwords, but those we can manage in our heads must weaken in inverse proportion to the growth of computing power available to hackers. For this reason I suggest a non-technical approach that sidesteps internet vulnerabilities: a personal notebook in which you can construct long, random passwords (which are increasingly expected by businesses). The book should not be attributable to any account or device and passwords should be written in ways that are not obvious. If the book is then lost, there is little chance of compromise. As for inconvenience, most businesses now give easy-to-follow instructions about changing lost or forgotten passwords.
In spite of technical advances most of us still keep and use information in hard copy formats. Remember how easy it can be for piles of papers to get mixed up? Applying this lesson helps you appreciate how the risk of sensitive papers being mislaid has really increased with remote working. Limit this by restricting the number of papers you carry and produce. Ensure any you do carry are clearly packaged and kept apart from other clutter (I find a brightly colored folder – different to any other folders in use at home – helps to corral official papers).
There can be no return to the time where the ideas and information we worked on were static and unduplicated. But it’s not difficult for remote workers to run some end-of-work routines that, while not blocking every possible loss of assets, can limit any damage while helping corporate security officers quickly assess and respond to security breaches.
 2015 PGi Global Telework Survey – ‘Trends Around the World Shaping the Future of Work’