Cyber security for charities 6: Beware of bringing your own tech
Be careful when it comes to home or mobile working, writes Martyn Croft
Employees increasingly expect to use their own tech. It’s a compelling thought, especially for charities and not-for-profits, that staff might come equipped to do the job without you having to buy them a PC, a laptop, a mobile phone or a tablet. A well thought-out “bring your own device” programme could indeed deliver on that promise, although it’s rarely as simple as letting staff connect whatever they want to the corporate network. The same information security principles apply, only more so, and enforcing password policies, device encryption and secure data networks requires buy-in from all parties.
Cyber security for charities
2 Security lead
3 Personal information
4 Teach your staff
5 Clear rules required
6 Beware of bringing your own tech
7 Getting technical
8 Checklist and further information
Mobile working is perhaps the natural successor to remote working, but the thought of staff using their own laptops to connect to your corporate systems through the unsecured internet in local coffee shops should give pause for thought. In that scenario it’s relatively easy to harvest data, and even login credentials, straight off the internet. And a not so clever “man in the middle” attack can take data in transit, via a fake hotspot, straight into the hands of the bad guys.
Connecting to a well-secured and internet-accessible gateway is, of course, entirely feasible, and bolstering the authentication process with, for example, two-factor authentication will do much to ensure that the person logging on has the permission to do so. Confirmation of that permission with an additional credential – perhaps a code sent by text or a secure token, as adopted by many internet banking services – will provide the secondary authentication factor in addition to the user’s password.
The proliferation of cloud services has facilitated access to organisational information by requiring little more than an internet connection, but has compounded the access problem for users, who might have to remember multiple log-ins and passwords for each service. There is, of course, an answer to this and, yes, it’s another cloud service providing a “single sign-on” (SSO) service so that users have to authenticate only once to access the multiplicity of systems at their disposal. However, SSO might not be the ultimate panacea and it’s worth remembering that user credentials are some of the most valuable data an organisation possesses: they are the keys to the corporate data door and it might be better to keep them closed.
With many services now being deployed in the cloud there comes a complacency nurtured by an out-of-sight, out-of-mind attitude. But whether corporate data resides in servers “on-premise” or “in the cloud”, there are still questions to answer about who’s taking care of the data. Any adoption of a proposed cloud service should be preceded with a few simple questions, such as “where exactly is my data?”, “how do I get my data back?” and “who can access my data?” The same questions, but possibly different answers.
173 total views, 0 views today