Virtually Secure is Not Enough: Information security challenges for remote teams

As virtual, flexible and remote working becomes increasingly commonplace for teams in a wide range of sectors, we welcome the benefits this offers for improved productivity, motivation and work satisfaction.  Technological changes from mobile communications to cloud storage have been a huge part of making this possible. However those very technologies can create significant vulnerabilities, when it comes to security and data protection.

In the UK and Europe, May 2018 is going to bring huge legislative changes in this area, with the implementation of the General Data Protection Regulation.  If you are a manager of a remote team you will be liaising with your information security department to implement changes, but small business owners will have significant new responsibilities of their own. Virtual not Distant can’t provide legal advice, but we’d suggest that this is a good time for every organisation to review their policies and practice around data protection and privacy - especially if those policies haven’t been reviewed since people started working out of the office or on their own devices.

Things are going to be tightened up significantly under GDPR, and a few of the changes which organisations need to be aware of include changes to the definition of ‘personal data’, increased sanctions and reporting requirements in relation to breaches, and overall a shifting of responsibility to the data processor - and emphasis on the privacy rights of individuals.
 

Challenges for the remote environment

When everyone is colocated in a single space, it is much easier to control the way data is transmitted, stored and processed, as well as being able to limit it to specific devices.  But when we enable teams to work from wherever they choose, that comes at the cost of considerable control. When you bear in mind that the organisation itself retains the legal responsibility for the safe processing of the data, you’ll want to ensure that your systems are watertight.

Some of this will be common sense, and can be addressed through up-to-date information security policies, combined with training and regular review - it is not enough to simply issue documents of instruction to your team, because in the event of a serious breach you’ll need to be able to demonstrate that these policies were fully understood and tested.  

Working outside of the office does create new practical risks, and the more flexible and blended our lifestyles become, the more good practice can be seen as ‘getting in the way’ of flexibility:  Two-factor authentication takes that little bit longer, quickly editing a document on a mobile device is so easy to do, and insecure public wifi is just so ubiquitous and available nowadays… So it’s vital that your procedures and training specifically address risky behaviours relevant to 2017, and makes it clear what behaviours represent a breach of the organisation’s policies.  
 

“Bring your Own Device” - security vs flexibility for the remote worker

Bearing human factors in mind, you can anticipate vulnerabilities and address them structurally - if people really want to work on their iPads because they travel a lot, then providing everyone with access to a mobile VPN is an inexpensive way to make this a great deal safer.  If you suspect that a ban on USB devices will be hard to enforce, then issuing secure encrypted drives (protected with a thumb print or PIN) will ensure your database doesn’t get left on a bus, at least not in a format anyone can access.

When people are using their own devices for work, as is increasingly the case, then a careful trade-off must be made between their own choices and privacy, and the security needs of the organisation.  All of this requires an open dialogue and understanding on both sides, and your BYOD policy can accommodate reasonable limitations, on exactly which own devices can be used and exactly how.

For example, if someone wants the convenience of being able to process data classified as ‘sensitive’ on behalf of their employer using their own mobile phone, then arguably the organisation’s information security team should have the ability to brick and wipe that device if it gets lost or stolen. But the same device obviously contains lots of personal content belonging to the employee, their photos etc… and they have their own rights to expect privacy, from services like location tracking.  

Similarly, if someone wants to use their own laptop, it really has to be regarded as a ‘mobile device’ in terms of physical vulnerability - especially if working from different locations rather than just at home, and being carried around a lot.  So disk encryption and remote override will become mandatory, as will access control - you can’t process personal data on the same machine your kids do their homework on, or at least not via the same profile login.

And let’s not even get started on back-ups and cloud storage.  Because this is one of the biggest data security challenges facing IT teams today: where exactly IS the data?  Different standards and regulations apply in different parts of the world, and if remote workers are backing up their own drives and devices in ways you cannot control or understand, then it’s far more likely that copies of personal data will end up where they should not be.
 

General Data Protection Regulation - the clock is ticking!

Enforcement of GDPR starts on 25th May 2018 - so just 6 months remain for organisations to review and update their policies in line with the new requirements, and to make sure they’re fully compliant - protecting the organisation, the remote worker, and ultimately the data subject whose information is being processed.  The Information Commissioner’s Office has lots of supporting material available, to help organisations of every size get compliant and address their vulnerabilities.

Conducting appropriate risk assessments, and encouraging a company culture of openness where breaches (or suspected breaches) can be safely disclosed and addressed - and learned from.  Also, a culture where people respect privacy and data minimisation as intrinsic principles, and are not afraid to question anything perceived as risky.  If the worst happens, the regulator will take into account how an organisation has responded to limit the damage and impact on data subjects, and any kind of blame culture which encourages an individual to try to cover up or fix a breach on their own could have disastrous outcomes.

It’s important that GDPR compliance isn’t used as an excuse to push-back on remote working, and all the benefits that this brings to the organisation and the individual - so we must ensure that the potential vulnerabilities are addressed in good time, as part of coaching and continually-improving practice.  Choosing the right tools and addressing security concerns from the outset will enable our organisations to move forwards safely and responsibly, as data protection becomes under ever greater public scrutiny.

virtually_secure_is_not_enough.png