How do personal tech and professional data mix?
A prominent political figure is paying a hefty price for mixing confidential information with personal technology for the sake of convenience. Hillary Clinton may indeed regret using her personal email account to manage business communications involving sensitive professional information. It was suggested that Mrs. Clinton and her aides were “extremely careless in their handling of very sensitive, highly classified information.” It would appear Mrs. Clinton did not comply with the required information security policies, and that she allegedly put sensitive information at risk by storing and processing it in non-vetted personal systems with questionable security controls.
The above example of personal technology use with professional data may well be an obvious case of a bad mix through a deliberate policy breach over an extended period of time. It also reminds me of an experience I personally had some time ago, in which I put information at risk through personal technology use. It was a lesson learnt for me, and it is a story you may relate to.
Snap! Pictures of whiteboards and documents
How often do you take pictures of work related whiteboard content or documents with your personal mobile phone?
A few years ago I had the habit of taking pictures of whiteboards containing professional data that I would write and draw on whiteboards during creative and collaborative work sessions. I used to take those pictures with my (BYOD) mobile phone to keep a copy of my work. It was very convenient to do so.
Then one day, I visited for the first time a well known Cloud storage website associated with my mobile phone. I saw an icon “Photos”. I clicked on it and saw pictures of my children. It surprised me, but I recall a thought that it was actually a good thing because I then happened to have a backup of my precious family pics. I flicked through the pictures, and… I found pics of whiteboards containing professional information. My phone was configured by default to automatically synchronise all my photos to a public Cloud storage account when connected over Wi-Fi. Not good! Where was the data located? Who could access it? How was it protected? I was unaware of my phone configuration (my lack of diligence at the time). I was inadvertently sending professional data to a personal service. I immediately deleted all the pics that shouldn’t be there. I changed the configuration of my phone and I stopped taking pictures of whiteboards I would not want to send out. Until then, I was arguably putting some information at risk by simply taking pictures of whiteboards.
I use this personal story in Security presentations to comment on the risks that the exciting technologies of Cloud and Mobility inherently amplify together. The risks would also be further amplified when uncontrolled BYOD and personal Cloud usage are a practice and when staff security awareness is lacking. My point is not to advise against any technology or the BYOD practice, but it is to advise on the need to apply a diligent thought process and a business risk assessment when using Cloud and Mobility technologies, and others, to better benefit from them.
Conclusion
The deliberate or accidental storage, transit and processing of professional data through personal technology such as a personal email account, personal mobile phone and personal Cloud storage accounts is a risky mix. It presents some business risks that should be mitigated or reduced to an acceptable business extent rather than being accepted as-is or ignored.
The following items offer some practical recommendations, amongst others, to better manage those risks.
Risk assessment
This is all about business risk and how we manage it. If you haven’t done one in a while, consider a Cyber Security Health Check or a risk assessment. Telstra’s “5 Knows of Cyber Security” also provides a great, easy and business-oriented reference on the subject.
Personal email & Cloud storage services
While some personal email and Cloud storage services may arguably be technically more secure than some corporate services (indeed), they are not good corporate practice and their use should not be approved in the corporate context. Security and system usage policies should be clear about this, and those policies should be clearly communicated to staff. You may consider moving your email and storage services to a trusted provider that offers better security and a better user experience than your current in-house corporate services (a third-party risk assessment is advised). You may also consider subscribing to a Cloud Access Security Broker (CASB) service to better manage your Shadow IT risks.
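The “discovery” part of what a CASB does, finding personal email and Cloud storage use hiding in ordinary web traffic, can be approximated from a web proxy log. The script below is an added example, not part of the original article or of any CASB product: it parses a handful of constructed proxy log lines, matches destination hosts against a constructed (hypothetical) catalogue of personal services, ignores sanctioned corporate hosts, and summarises per user how many requests and how many bytes went to each unsanctioned service. The log format, host names and byte threshold are all assumptions for the sake of the example.

```python
"""Shadow IT discovery over web proxy logs (added example, not the article's own code).

Assumed log line format (constructed for this example):
    <timestamp> <user> <source-ip> <method> <url> <status> <bytes-sent> <bytes-received>
"""
import re
from collections import defaultdict

# Constructed catalogue of personal services: host -> (service name, category).
# Hypothetical names; a real CASB ships a catalogue of thousands of services.
PERSONAL_SERVICES = {
    "photos.example-cloud.test": ("ExampleCloud Photos", "personal cloud storage"),
    "drive.example-cloud.test": ("ExampleCloud Drive", "personal cloud storage"),
    "mail.example-webmail.test": ("ExampleWebmail", "personal email"),
}

# Sanctioned corporate services (constructed); traffic to these is not reported.
SANCTIONED = {"files.corp.test", "mail.corp.test"}

# HTTP methods that carry a request body, i.e. data leaving the organisation.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<sent>\d+) (?P<recv>\d+)$"
)


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sent"] = int(rec["sent"])
    rec["recv"] = int(rec["recv"])
    # Extract the host: drop the scheme, the path and any explicit port.
    rec["host"] = re.sub(r"^https?://", "", rec["url"]).split("/")[0].split(":")[0].lower()
    return rec


def classify_host(host):
    """Return (service, category) for an unsanctioned personal service, else None."""
    if host in SANCTIONED:
        return None
    for catalogue_host, hit in PERSONAL_SERVICES.items():
        if host == catalogue_host or host.endswith("." + catalogue_host):
            return hit
    return None


def discover(lines, min_upload_bytes=100_000):
    """Summarise unsanctioned personal-service use per (user, service, category).

    Each entry counts requests, bytes uploaded via body-carrying methods, and
    uploads at or above min_upload_bytes (the ones most likely to be documents
    or photos rather than page chatter).
    """
    report = defaultdict(lambda: {"requests": 0, "uploaded": 0, "large_uploads": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the whole run
        hit = classify_host(rec["host"])
        if hit is None:
            continue
        entry = report[(rec["user"], hit[0], hit[1])]
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["uploaded"] += rec["sent"]
            if rec["sent"] >= min_upload_bytes:
                entry["large_uploads"] += 1
    return dict(report)


# Constructed sample log lines, including one sanctioned corporate request
# and one malformed line to show both being handled.
SAMPLE_LOG = [
    "2016-07-06T08:01:12Z alice 10.0.0.12 GET https://files.corp.test/docs/plan.pdf 200 320 845120",
    "2016-07-06T08:03:40Z alice 10.0.0.12 POST https://photos.example-cloud.test/upload 200 2457600 512",
    "2016-07-06T08:03:41Z alice 10.0.0.12 POST https://photos.example-cloud.test/upload 200 1843200 512",
    "2016-07-06T08:10:05Z bob 10.0.0.33 GET https://drive.example-cloud.test/ 200 410 30210",
    "2016-07-06T08:12:00Z bob 10.0.0.33 PUT https://drive.example-cloud.test/files/whiteboard.jpg 201 3100000 200",
    "2016-07-06T08:15:22Z carol 10.0.0.41 POST https://mail.example-webmail.test/send 200 98000 1200",
    "this line is deliberately malformed and will be skipped",
]


def format_report(report):
    """Render the discovery report as one line per user and service."""
    rows = []
    for (user, service, category), e in sorted(report.items()):
        rows.append(f"{user:8} {service:22} {category:24} "
                    f"requests={e['requests']} uploaded={e['uploaded']}B "
                    f"large_uploads={e['large_uploads']}")
    return rows


if __name__ == "__main__":
    for row in format_report(discover(SAMPLE_LOG)):
        print(row)
```

Run it as-is to see the three users ranked against the constructed catalogue; to use it on real data, replace `SAMPLE_LOG` with lines from your proxy and adjust `LOG_RE` to your proxy’s format. The bytes-sent column is the important one: a GET to a personal photo site is browsing, while repeated multi-megabyte POSTs to it are exactly the automatic photo synchronisation described earlier, and those are the users a policy conversation (or an MDM control) should start with.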
Mobile device security
Consider solutions to enforce security policies on mobile devices (corporate or BYOD), such as MDM, MAM or EMM solutions.
Staff security awareness
A staff security awareness program is a critical component of professional data protection. It should include practical examples of use cases (e.g. pictures of whiteboards as above, not sending professional data to a personal email address, etc.).
Article first published on LinkedIn on July 6, 2016