If there is one thing we've learned about small business cybersecurity, it's that a great many operators are afraid to ask tough questions about cybersecurity... because they are worried what the answers might be. We specialize (tactfully, of course) in helping organizations raise and think through those tough questions -- and come out the other end safer and happier. Today we'll take on the issue of remote work, asking four of the tough questions that deserve to be asked, and giving you, our reader, a ray of hope that there are reasonable ways to resolve any cybersecurity loose ends the questions bring to light. Here goes:
We've seen many small business cybersecurity policies that make it crystal clear that work emails must never, ever be viewed from a personal device if they contain confidential information. And of the hundreds of policies we've seen that espouse this rule, we believe that zero of them are carefully followed by their teams. First of all, we know many business professionals who check their email day and night, and we've scarcely ever run into any who carry a dedicated work smartphone in one pocket and a personal smartphone in the other. So yes, count us as skeptics when a company flatly states that confidential information must never be handled from a personal device.
The compromise to make the policy realistic: savvy companies are getting smart about asking their employees to verify that they have encryption, remote wipe, and geolocation turned on. And that they avoid installing any tools or modifications (jailbreaking or rooting, for example) that break the "sandbox" approach many mobile devices use to keep applications from leaking information to one another. Lastly, we see savvy companies establish expectations about idle locking, to ensure that a misplaced device quickly ends up on its lock screen. Each of these measures helps to narrow the risk of bring-your-own-device (BYOD), while being realistic about the fact that employees are very likely to use BYOD as part of their technology mix (whether you like it or not).
Did you think it was challenging to come up with reasonable infosec policies for employees working from home? What if they are -- instead of at home -- at a luxury resort of their choice? Or on a camping trip with their phone hotspot as their connectivity? Or in an airplane connected to in-flight wi-fi? The small business cybersecurity implications may seem daunting.
Gone are the days when infosec policies expressly forbid any case of an employee connecting to a non-work network (we're exaggerating: there are probably a few remaining cases relating to defense contractors). However, what should employees do if they find themselves traveling unexpectedly? (Or, if you are the skeptical type: if they find themselves traveling intentionally and quickly to their preferred vacation destination?)
The compromise to make the policy realistic: a few basics are in order. Nothing good can come of employees accessing websites that aren't served over HTTPS (TLS, still widely called SSL). Nothing good can come of connecting to a public wi-fi hotspot that doesn't prompt for a password (we've written about man-in-the-middle attacks here before). And nothing good can come of using a public-access workstation in a hotel lobby or some other system with unknown security characteristics. Lastly, a VPN connection may be in order: a hotspot password keeps casual strangers off the network, but it does not protect your traffic from everyone else who was given that same password, and a VPN covers that gap. Some completely reasonable and defensible travel guidelines can take what could have ended up being a security disaster, and make it relatively safe for the company and the employee.
In professions where there is a high degree of confidential information handling -- for example, a role that handles data classified as Protected Health Information under HIPAA -- a smart scenario to consider is the case of an employee who routinely works in a non-private area. With roommates near. Or frequent visitors. Or any number of scenarios. It is very, very hard (impossible?) to craft small business cybersecurity policies that limit the interpersonal proximity of remote workers.
The compromise to make the policy realistic: if you believe you may have team members whose working environment is subject to this type of risk, a starting point is to make it abundantly obvious that the company will gladly fund any privacy screen protectors requested by team members. These are screen protectors that limit the field of view, making it very difficult to see on-screen content without sitting directly in front of the laptop. Additionally, auto-lock policies, disk encryption, and other practices should be put into place.
This is the "what if" that has the potential to strike true panic into a small business owner, more than any of our other questions. What if a laptop containing mountains of confidential information ends up being misplaced? No one knows where it went. Who is holding it currently. What they are doing with it.
We haven't seen a policy in quite a while that forbids the use of laptops, so we're inclined to think that a great many organizations have either answered this question or are struggling to answer it. Here's our take.
The compromise to make the policy realistic: what would you want to be able to do if a laptop were misplaced? We assume you'd want a shot at locating it -- via a turned-on geolocation feature. We assume you'd want the ability to lock it -- via a remote device management capability. And, we assume you'd want the ability to wipe it -- again via a remote device management capability. None of these are as hard as they sound. Bear in mind that all three depend on the device coming back online to receive the command, which is why full-disk encryption (see above) remains the backstop that protects the data even if it never does. Even if one of these tactics ends up failing in the moment of truth, you'll be dramatically better off having implemented all three of these approaches, and you'll have some comfort in even the most nerve-racking of "lost device" situations.
Thanks for reading. Have other tough questions about making remote work compatible with small business cybersecurity? We'd love to hear from you, and we'd be glad to share our thoughts in a future post on any small business cybersecurity topics suggested by our readers.