One of the unfortunate consequences of the Covid-19 pandemic has been the requirement for many employees to access and share sensitive data from home. For many organisations this introduces a number of important security risks that must be addressed. Nothing will quite ruin your good reputation and financial standing like a high profile data breach. In this article, we consider how to share information securely for both large and small businesses.
Technologies in Use:
The first important issue to consider is whether employees are accessing company data using personal devices and if so, is the data secure? For example, how do you know that . . .
The employee’s device is not being used by other family members and friends?
The device is password protected or uses anti-virus?
It’s updated to prevent well known security flaws being exploited?
It uses secure online connections?
It’s encrypted, tracked and can be remotely wiped if lost?
Data doesn’t automatically sync with personal cloud storage?
Data is removed when the employee leaves the organisation or sells the device?
Hopefully, you can start to see why employees working from home is a security nightmare. Potentially, the employee is accessing sensitive company data using a device that you have no control over whatsoever.
Data in Transit:
The other important considerations is what happens to the data as it travels from point A to point B. Most data travels over the internet. However, the internet is composed of unknown and untrusted technologies: cabling, routers, hubs, gateways, servers – you name it! How do you know that the sensitive messages are not being intercepted and read somewhere down the line? This is a real concern when your employees are working from home and sending data over the wire 24/7.
Step 1: Consider the Following Technologies:
Mobile Device Management (MDM) Software: Use this if you are worried about staff using personal devices to access company data. This will ensure that their device is password protected, updated, uses secure Apps and segregates company information from personal data. MDM software also allows you to remove company data if an employee leaves the organisation or moves into a new role. Think of MDM as an app that your employee will download onto any personal device they wish to use for work related purposes.
Enterprise Virtual Private Network (VPN): This ensures that any information sent from Point A to B is encrypted whilst in transit. Most VPNs can be implemented by downloading a piece of software or an app.
Disk Encryption: It is possible to encrypt an entire hard drive using an open source or commercial product. These products usually require the user to enter an additional password on start-up which protects your data in the event of the device being stolen or lost whilst on the move. Modern phones also come with disk encryption so make sure it is turned on.
File Encryption: You can also encrypt specific files based on your classification scheme. You can then send the file knowing that even if it was intercepted, it cannot be read. However:
1. Use AES encryption where possible because it has yet to be cracked.
2. The file is encrypted & decrypted by entering a ‘key’ - which is nearly always a password. The password should use 3 random words with a couple of numbers or symbols thrown in to the mix.
File encryption has one important flaw - how do you get the decryption password to the intended recipient? I could text the password, for example, but that’s not going to scale well.
File Sharing Platforms (Cloud Based) - Check that:
1. Data is encrypted as it travels from the cloud to the end user. It should do this using TLS 1.2 or 1.3 because this standard has yet to be broken.
2. Data stored in the cloud is encrypted using AES - our standard of choice.
3. The cloud service provider uses applications and has an IT infrastructure that is regularly tested for security vulnerabilities. Look for ISO certifications, Soc3 reports or adherence to CSA CMM for complete peace of mind.
4. You can enforce 2 factor authentication. For example, the end users will need a password and a pin sent to a mobile device before they are able to access company information.
Step 2: Data Classification:
The second step is to classify the data that is being shared. For example, is the data:
Proprietary: Such as a secret recipe, the designs to a new product or manufacturing process? Proprietary data usually includes trade secrets and patented technology; the loss of which would have grave consequences for the business.
Private Data: This can be:
Personally Identifiable Information (PII): This is any data that can be used to identify an individual. Such as; a name, address, email or phone number.
Protected Health Information (PHI): Such as medical data.
Personal Financial Information: Such as debit or credit card details.
PII and PHI is heavily regulated under GDPR. Failure to comply with legislative requirements could result in fines, sanctions and litigation. Financial information, on the other hand, is protected by industry regulation: PCI DSS. Any form of data breach here would therefore cause serious damage to the organisation.
Sensitive Data: Includes information about your internal network, emails, memos, and other administrative documents that you wouldn’t want leaked because it would be damaging.
Public Data: Information you are happy to share with anyone.
Why Am I Classifying Data?
There are 4 very good reasons to classify your data:
1. Understanding sensitivity encourages the user to consider the security risks associated with handling such information – how it will be saved, used and transmitted. Simply put, if you want to prevent a data breach, train your end users.
2. Every security control and procedure you put in place will cost you time and money. The more controls you have, the slower processing will be too. You have to invest resources according to criticality. Classifying company data makes this prioritisation much easier.
3. Once it is known what data is most sensitive, adjustments can be made to the configuration of the network to better protect it and to improve its availability.
4. When you create a document, you can ‘label’ it using your classification scheme – either by right clicking on the file and adjusting its properties or by adding a label in the document header. This labelling, permits certain technologies to enforce a security policy (i.e. what can and can’t be done with document). These labels will also stop documents being distributed to individuals you don’t trust using either:
Data Loss Prevention Technologies (DLP): This technology will read data classification labels to determine what should be happening with the data and whether it should be leaving your sphere of influence. DLP technologies normally end up on perimeter devices to prevent sensitive data leaving the network unintentionally or maliciously.
Information Rights Management (IRM): If your business is looking to run from the cloud to better facilitate information sharing, IRM is a good way to go. For example, not only will the file remain encrypted whenever it’s on the move, you can control who can view, edit, print and share the file and for how long. You can even revoke access to document even after it has been downloaded by an end user. Some file sharing platforms (like Share Point) comes with this type of functionality, but any number of commercial vendors will be happy to give you a product demonstration.