Grant Taylor, UK VP at Cryptzone, details seven simple steps anyone travelling internationally on business can take to keep data safe.
International trade involves a complex web of legal, governmental, political and business issues. Quite rightly, everyone’s focus is on keeping up to date with changing policies, regulations and legislation that can affect an organisation, worldwide. As company ambassadors, we do everything in our power to keep abreast of changes and make the organisation secure and compliant. Yet the biggest chink in our armour isn’t the technology we use, it’s the people we let use it — our trusted employees. We can’t get rid of them so we have to find another way to work with them.
Every organisation has, or should have, policies that detail how it works within the confines of the various legislation and regulations it must adhere to. However, while many will cover anti-corruption and anti-bribery laws, fair trade requirements, staff protection and evacuation policies and even environmental policies, how staff handle sensitive data when out on the road is often overlooked.
Sometimes, it’s the simplest things that make a difference, so here’s our “security policy for dummies” guide both for you and for you to share with your workforce.
Be aware of your surroundings
Go on, admit it — how many of you have looked at the laptop or “smartphone” screen of someone dutifully typing away or flicking through their e-mails? The problem for these hard workers is that they’re concentrating so hard on what they’re doing they fail to take in their surroundings or the people in their close proximity. In the majority of cases it will just be a nosey parker who is “shoulder surfing”, but there only has to be the one occasion when it’s not.
Although it might sound like something out of a spy novel, it has been known for people to be targeted for the information that they’re carrying, and the mobile device they use doesn’t have to be stolen to give up the corporate goods.
Think about what you’re doing
While we’re on the point of your surroundings, it’s also worth advising employees to think about what it is that they’re looking at. Do they really need to be accessing sensitive information when in a public place? If so, what are they doing with it? How are they getting it? For example, if the connection they’re using isn’t secure, ie free Wi-Fi and not via a virtual private network (VPN) connection, then they’re no different from the ridiculed politicians in Downing Street.
Think before you print
One of the issues that is hardly ever mentioned in security policies is printing, reading and disposing of sensitive information. The points already made are equally relevant to reading sensitive documents on paper in a public place.
Also, disposing of it properly needs to be covered. This is not rocket science, and yet organisations are still publicly humiliated because sensitive documents have been left out with the bins! Of course, the environmentally friendly among you will be saying that it should be recycled in any case, which I wholeheartedly agree with, and the best way is to use one of the many reputable companies that shred sensitive information on site before taking it away for recycling.
Don’t leave devices unattended
This one might seem like common sense but, believe me, I’ve been on a train or plane where the person sitting next to me asks me to keep an eye on their device while they go to the bathroom. While taking the device would arouse suspicion, a quick copy of the hard drive to a USB stick is unlikely to leave an obvious trace — especially to the untrained eye.
Of course, an organisation could ensure that information transferred from a device to a portable memory device is encrypted so that, if this were to happen, there would be little the thief could do with the information. That said, it wouldn’t stop the files and documents from being perused, and notes made, in the interlude.
Don’t lose devices
No matter how much we tell people not to leave devices behind (and, let’s face it, it’s often not done on purpose), it’s something that you will need to repeat at any given opportunity.
Of course, one way to get round this — and it’s not just me telling you this (see above); it’s also the advice from the Information Commissioner — is to make sure all sensitive information is encrypted. That way, if a mobile device goes astray, accidentally or maliciously, it’s just inconvenient rather than injurious.
Don’t be too obvious
The same way we’re told not to leave valuables on display in cars, or flash our money-filled purses, consideration should be given to how and where we keep our mobile devices.
For example, laptop bags are very practical for carrying, well, laptops, but the problem with them is it’s hardly a secret as to what’s inside. Nothing screams “steal me if you can” like a laptop bag that doesn’t have someone holding on to it very tightly.
Patch the device
I’m sure the majority of your workforce is frustrated by the plethora of pop-ups that appear when they power up their devices, asking for various updates to be installed. You need these updates to make sure your employees are adhering to changes in legislation and regulations but, for them, user apathy may make the “remind me later” option too attractive. It’s wise to advise your workforce that updates to their devices are vital not only to keep them in tip-top condition, but also to keep them secure and compliant.
These points may seem very basic, but the reality is that although ICT professionals eat, sleep and breathe security, most people on business trips do not. While they may be focused on local customs, economic sanctions and export control, they probably haven’t given a moment’s thought to what their actions could be doing to an organisation’s security. With an automated approach to policy management, you can make sure that what they’re doing doesn’t put the organisation at risk.
Cryptzone specialises in proactive controls to mitigate IT security risk in the areas of policy compliance, content security, secure access and endpoint security. More information is available at: www.cryptzone.com.
Last reviewed 20 March 2012