Security Awareness

Should employees be allowed to bring their own devices into the workplace and connect them to the corporate network? There are mixed views on this, and you must carefully consider the advantages and disadvantages and then define corporate policy. Personal devices in the workplace are high risk, and the IT departments would have no control over the content of such devices. 

• It could result in the theft of data by an employee. As company data is likely to be needed on personal devices to undertake their role within the organisation, use of the data for other purposes is a straight forward next step. Data found on personal devices could easily be considered plausible. If staff used data for other purposes, the evidence is unlikely to be available due to the lack of monitoring.

• It would be challenging to verify the removal of corporate data on personal devices when employees leave the organisation. Backup copies could be available in remote storage areas such as Dropbox, Google Drive and One Drive. Someone could restore deleted data using recovery tools as a file is never entirely deleted until the file data has been overwritten with other files or securely deleted.

• If companies allow employees to have data on their own devices, they generally have much less control of the data than if it was on fileservers within the organisation. It isn’t easy to maintain an inventory of sensitive information within an organisation if it extends to personal devices.

• Using personal devices within a corporate environment also introduces risks associated with malware.

• Software compatibility could become an issue. In a lot of cases, versions of the software are more recent on personal devices. If document formats have changed, saving a document from a personal device could result in it no longer being accessible to software on corporate devices. If corporate licensed software needs installing on personal devices, it may not be compatible, and if it is, it may be in breach of software licence terms and conditions.

• With lost or stolen personal devices, it could be impossible to know what corporate data was on the device, and consequently prevent accurate reporting under data protection regulations.

A different kind of risk with personal devices in the workplace is the quantity of time spent undertaking personal activities during working hours. Businesses can control the software on corporate devices, but personal devices will include employee’s software and data. Own devices can introduce a lack of productivity.

Although this blog began with a question, the case is more in favour of not allowing employee’s own devices to connect to the corporate network.

The issue of viruses, ransomware, spyware and other forms of malware intended to cause harm, has become much more of a hot topic in recent years. However, this has not translated into a comparable increase in vigilance and due diligence when it comes to choosing software vendors and websites. Although many attacks come from vulnerabilities in software, it is far easier for malicious software to find its way into your corporate environment by allowing staff to install software themselves.

Malware is becoming more sophisticated, and the quantity of malicious software is quickly increasing. Technical solutions are evolving to protect against malware, but the concern voiced here is the culture of software installation and usage.  When left unchecked, this can easily result in harm, loss of data, loss of reputation and business. Anti-malware solutions are essential but relying on such solutions while allowing any software to be installed by anyone for any reason is a dangerous approach. An extra level of defence is needed.

• Restrict endpoint permissions so that only key members of staff have the authority to install the software. Needing to involve an authorised person or team to have new software installed requires a justification which slows down the process. Whereas, if just one person is involved, they can easily install software on a whim with very little in the way of thought about the implications.

• Have a published white list of software for use within the business, and defined policies in place regarding how to install software, and how new software is selected. Promote awareness of software installation policies throughout the company. Again, this aims to slow down the installation process or, more precisely, increases the time between an end-user deciding they need a piece of software to the software being ready to use on their desktop.

• Remove all unauthorised software. Implementation of software installation controls are often performed at a late stage in business development and seldom implemented during any start-up period. Therefore, it is highly likely that when there is a requirement to enforce control of software within a corporate environment, it is because the business has lost control of its software.

• Identify all executables on desktops and which application they belong to and remove all other executables. This approach can be time-consuming, and a more viable strategy is to define a standard image for endpoints which includes the operating system and all the software applications used by most staff. Applying this standard build will remove all traces of the previous installation and any unauthorised legacy software. The outcome is two-fold, cleanup of all old software, and control of new software.

• Don’t install software from unknown or untrusted sources. The fact is, it is effortless to search for software online, find anything that is needed, and install the software very quickly. Websites giving away malicious software often look very professional, and many sites mimic known websites to capitalise on the credibility of legitimate websites.

Slowing down the process and giving time for appropriate software to be chosen and installed is essential and cannot be over-emphasised.

The saying ‘Loose lips sink ships’ was displayed prominently on posters during the second world war to advise military personnel and others to avoid chatter involving information that could be used by the enemy. A key question is to what extent does this apply now that mobile technology is everywhere. Undertaking 100% of professional work inside an office is a thing of the past; people work from any location including trains, aeroplanes and more commonly now in coffee shops. External observers can take advantage of the information on laptop screens, handwritten notes and discussions between people.

Earlier this year in London, while sitting in a coffee shop, I was close enough to overhear a conversation about a security incident. Sound travels, and without any real effort to listen or intention to earwig, it was apparent what these men were talking about and were concerned that a data breach may have occurred. Initially, the information could have been about any company, anywhere or any system. It could have been about their employer or one of their employer’s client’s systems. The details here have been left intentionally vague, but the conversation didn’t end there:

• Clients won’t be happy – such a reference indicated that a data breach could have occurred with one of their internal systems involving their customer data, rather than a system belonging to one of their clients.

• Branded stationery – overhearing a conversation was one thing but getting up for a coffee refill made corporate stationery visible without any effort or intention to spy; everything was in my face as I walked past them.

• Laptop screensaver – companies often give away corporate stationery to clients for marketing and brand awareness. Therefore it was not a given that these individuals worked for the company whose branded pens were visible but returning to my seat and noticing a corporate screensaver on one of the laptops advertising the business was additional confirmation.

• Identified vulnerability – the discussion overheard was sufficient for me to understand the nature of the issue and how someone would exploit it.

How to use this information requires little imagination.

Several years ago, I overheard two people discussing their wills over dinner in a restaurant and how they needed to get them replaced due to changes in circumstances. Shortly after, when a neighbouring couple was ready to leave, the man approached them and said, ‘Sorry, I couldn’t help overhear you mention that you needed new wills. Here is my business card. Give me a call’. This example is innocuous; however, depending on the context, the consequences could be quite severe, such as revealing information that could influence the stock market.

Thoughts include:

• Avoid discussing sensitive issues in public.

• Avoid using names of companies in the discussion. Using alternatives such as ‘we’ and ‘the client’ will often be more than sufficient.

• Use anonymous tagging of corporate laptops so that nothing on the outside identifies ownership if it is lost or stolen. The value of the data on laptop computers will depend on the owner, and effort is less likely to be expended if ownership is unknown.

• Remove visible branding from the operating system, so if it is lost or stolen, and someone turns on the laptop, it is not possible to identify the owner. More challenging than it sounds if the network domain name and the company name are the same.

• Using BitLocker Device Encryption (Windows Vista through to Windows 10) with a boot-up password will prevent the operating system from loading until you enter the correct password. An unauthorised user won’t be able to identify corporate ownership.

Being security conscious in public places is essential. Almost every time I have coffee somewhere, I hear something which someone could use for malicious purposes.

Websites are still offering copycat-services in place of official services provided by government departments and local authorities. The difference is, the copycat-service is more expensive, not always legal, and seldom offers any added value above and beyond the official services available. Authorities have made a significant effort over several years to address this issue, but new services and sites continue to emerge.

These types of copycat-services are different to services delivered through trademark infringement and passing off, as the genuine services are still needed to provide the service required by the customer. E.g. with a passport application, the copycat-service would not make and deliver the physical passport but would act as an expensive intermediary. Instead of the customer paying £50 and applying directly, the copycat service could charge £100 and process the application on behalf of the customer; making a healthy profit from every transaction.

It is also necessary to consider the quantity of personal information required to make such applications, data held by the service provider, which has the potential to create a whole world of pain.

Copycat-services should not be confused with added value services such as the post office check and send service, where application forms are reviewed by post office staff before being sent to HM Passport Office for processing. The post office advertised this service as an added extra and applicants can make an informed choice. Visa agents work in this way also by offering similar added value services such as making sure all the paperwork is in order, or by visiting the consulate to process paperwork on behalf of customers. With copycat-services, the service providers manipulate customers into believing they are using a genuine service.

UK Government services have domain names which end with ‘.gov.uk’ and do not use paid advertising with links to the sites. Visit https://www.gov.uk for details of all available services. The following are samples of direct links.

• Passport Applications: https://www.gov.uk/browse/abroad/passports

• Driving Licence Applications: https://www.gov.uk/browse/driving/driving-licences

• Tax Returns: https://www.gov.uk/file-your-self-assessment-tax-return

• Universal Credit: https://www.gov.uk/browse/benefits/universal-credit

• Land Registry: http://www.landregistry.gov.uk/home