Security of data, devices a concern for many workers, employers
Given the popularity of remote work, it’s no surprise 50 per cent of respondents to a recent survey said they frequently work outside the office.
While that might make a lot of sense when it comes to a healthy work-life balance, greater productivity and simple convenience, there’s a catch — 71 per cent of respondents who work off-site worry about the safety of paper documents while 61 per cent worry about the safety of electronic devices, found the survey of 450 Canadian workers.
One reason for the concern could be that people are not taking the appropriate steps to safeguard the data, said Paul Saabas, vice-president of Stericycle, provider of Shred-it information security solutions, which released the survey, citing the fact that 26 per cent of respondents said they do not have a security policy.
“People could be using their cellphones or their iPhones and someone can pick it up off the table and it’s not password-protected,” he said. “You put yourself at risk because (people then) have full access to both your personal and work-related stuff.”
Another issue — whether it’s at a coffee shop or airport — is that people log into the free Wi-Fi, he said. If they don’t have another layer of protection, such as logging into a virtual private network (VPN), it could be a risky tactic.
“Some of it’s just awareness or going against your habit to just log on to Wi-Fi,” said Saabas. “It’s about being aware of where you are, what you’re doing and asking yourself ‘Do I really need to make that connection at this point in time or am I better off doing it from home where I know my Wi-Fi is protected?’”
Stats highlight risks
Of those people who frequently work from home, 61 per cent travel with a paper notebook, 58 per cent with a company phone, 53 per cent with company documents, 59 per cent with a company computer, 56 per cent with USBs and 44 per cent with portable hard drives, found the survey.
But 31 per cent of respondents said they don’t password-protect all their electronic devices; 66 per cent said they use public Wi-Fi; and 45 per cent don’t shred confidential documents when they’re no longer needed.
“The real challenge of the remote-working situation is that the employees are generally on their own, working from home, so there’s not as much monitoring to ensure compliance with the policy,” said Stephen Shaddock, senior associate and lawyer at Borden Ladner Gervais in Ottawa.
“Everybody recognizes the free public Wi-Fi is probably one of the least secure places to be doing work and, certainly, confidential or secure work. But it’s understandable that employees working from their own home may feel a little bit more… secure… But the reality is that their home Wi-Fi may not have sufficient firewalls in place.”
That’s also true when it comes to paper documents, as employees may “let their guard down” at home, thinking they won’t be targeted there, he said.
“There might be a tendency to just throw documents in the recycling bin.”
And certain generations may be riskier than others, according to Saabas.
“The millennials typically have that more open attitude, and they don’t mind sharing their information, be it on Facebook or Instagram… in the same token, they don’t necessarily password-protect their phones or their computers. And that’s the piece that organizations need to understand.”
People also love to do work on their cellphones, which can be problematic, said Lisa Plaggemier, chief evangelist at Infosec in Austin, Texas.
“It’s fast, you can rip through email really quickly. That means you’re also really quick to click on something malicious… paying less attention.”
That highlights the issue of people’s behaviour as a potential problem, whether that means a developer who makes a mistake in coding or an employee clicking on a phishing email, she said.
“If you dig through all the breaches that happen in the news, you’ll eventually find a point where a human interaction could have stopped the bad things from happening or it actually caused the bad things to happen.”
Best practices
It really comes down to both the company and the employee being aware of the risks — and taking precautions, said Saabas.
“The workplace of the future is not a place; rather, it’s remote access. Knowing that, what organizations need to do is make sure that they have policies and procedures in place, and communicate them to their employees to make sure data breaches don’t happen.”
That means not just having employees take an online course on data security, but validating that people are actually adhering to those rules and the training “is actually being translated into real-life action,” he said.
It’s about having the right mix of a good policy and appropriate tools, such as encryption devices or a VPN, said Shaddock.
“Employers are recognizing that it is happening more as a trend and not one-off situations anymore, so I think there is recognition that, yes, there needs to be policies, as well as technology responses in place,” he said.
“It’s up to employees to be diligent, but for management to ensure that employees understand and follow the policy.”
It’s about having a layered defence, said Plaggemier.
“You have to have multiple fail-overs, so maybe there’s some technology that’s protecting you but if a human does something to go around that technology, then there’s another process or another technology.”
When it comes to the education and awareness of policies and practices, it’s a good idea to have training modules that work on mobile phones because people use them so often, she said.
Another issue is around actual theft of devices, such as laptops left in cars or hotel rooms. That should mean policies around keeping devices in the trunk or hotel safe, and if those aren’t available, taking the device with you, said Plaggemier.
“Sometimes it’s good old-fashioned theft, as opposed to data security.”
Company-issued phones should also be PIN-protected or passcode-protected, said Plaggemier.
“If you’re allowing people to use their own devices and do company business on their personal cellphone, then a best practice is to have security software installed on that device. It’s kind of a trade-off for the employee — ‘If you want to use your device to do company business, then we have to be able to protect what you’re doing on the phone.’”
This software can wipe all the data from the phone, she said.
“In doing that, the employee loses everything else on their phone… so that would be their texts, or contacts or pictures, all that stuff. So that can be a little controversial, but it’s a trade-off.”
And when it comes to paper documents, it’s often best to not be too complicated with policy, she said.
“Rather than getting tied up and trying to tell your employees ‘This is what you’re supposed to do with this piece of paper, depending on what’s on it’ — nobody’s going to stop and take the time in their day to do that — it’s (about) ‘If there’s any doubt, shred it, dispose of it properly.’”