How do you protect your sensitive business data in a working-from-home world?

Part 1.

It has been a problem that has existed since the invention of business itself but in this work-from-home world we live in now the question of how to protect business data is once again top of mind.

With staff working from home it is inevitable that they will end up with sensitive business data stored in an un-controlled environment either on their own computer equipment or on company owned equipment with few protections.

In my career I have had the opportunity to see and understand how large, highly secure government departments handle this situation.  In the most extreme example I was invited to see how one of the most technically advanced federal government organisations in this country operate, I am not allowed to tell you who they are but I can tell you that they fall under the banner of National Defence.  Now what I got to see was strictly controlled, it’s not like they were giving away national secrets or anything but the purpose of my visit along with the other attendees was to get an idea of what it takes to truly achieve data security; security in the sense of only allowing authorised people to access said data.

What I learned was this it really is not possible to fully secure your data unless you are prepared to go to extreme lengths, I’ll tell you soon how the unnamed government department did it but first let’s look at some of the basic concepts at play.

Just about every business generates confidential data, in some cases that data is very private and personal in nature such as medical and financial records and in other cases there are trade secrets to worry about, no matter what it is, it is up to the leaders of each business to do their best to protect that data.  There are laws now that make it mandatory for a business to report any breach or suspected breach of personally identifiable information.  Let’s start with the basics, how do we prevent unauthorised access to this data?

Identity management

At the most basic level data is protected by a user name and password combination so it’s been drilled in to us for the last 25+ years “Don’t ever give your password to anyone else.”  Passwords combined with that message of secrecy served small business well for a very long time but in this connected world of our it’s no longer enough so some bright spark invented Multi-Factor-Authentication (MFA).  User name and passwords are things that a user knows, MFA adds an extra element – something that they have, often in the form of a random ever changing number, it’s not really possible to guess what the number is going to be at any given moment.  In this way MFA expands on Identity Management by requiring the user to both KNOW something (their password) and simultaneously HAVE something (their MFA app or token).

For most businesses a properly implemented MFA system is good enough protection to prevent unauthorised people from accessing their data.

The threat from within

The real problem for businesses today is not so much about protecting their data from attack by external forces, we’ve got some pretty good systems to prevent the bad guys from getting in but what about your own staff?

More specifically, what about disgruntled staff and soon-to-be ex-staff members?  What’s to stop them from copying your sensitive business information?

About 15 years ago I was attending a Microsoft seminar where they were talking about the latest and greatest technologies that they were working on, they were talking about some new tech which allowed controls to be set on electronic documents and emails which limited what could be done with them.  For instance you could create a Word document but set it so that it was impossible for someone to print it, email it or copy it to another location like a USB stick, even screenshots were preventable.  The audience were amazed, now all of a sudden those in control of super-sensitive documents could have even greater control over how they can be used.  The amazement abated pretty quickly as one savvy audience member pointed out that all this great tech couldn’t stop someone from taking a photo of the protected document and it certainly couldn’t stop someone from simply re-writing the protected document in a brand new unprotected document.

This experience taught me that we can create some pretty cool tech to protect data for the good guys but the bad guys will always find a way to get around any restrictions which are put in place.  The moment you make a document or any other data available to any other person is the same moment that you permanently and irrevocably lose control of that data.

The disappointing reality is that there are no practical steps you can take to prevent a disgruntled employee from copying and doing as they please with your sensitive business data.  The best you can do is make sure you have a legally enforceable agreement with your staff, usually as a clause in an employment contract which prohibits them from misusing company data.

How the pro’s do it

So now I’ve just finished telling you how it’s impossible to properly protect your sensitive business data I probably should qualify that statement by adding the word ‘practical’ – for the typical Aussie business, there is no practical way to fully protect your sensitive business data.  With staff working from home it is easier than ever for them to make copies of sensitive data but the threat has always been there, regardless of where they work from.

There is one completely impractical way to do it that I know about .  The most sensitive data in the world is kept in a dedicated facility with strict access controls.  The facility that I was lucky enough to see looked much like any other office once you were inside but with a few key differences.  Before entering I had to pass through a security check point, at this checkpoint I had to surrender all electronic equipment, they even took a pair of sunnies I had hanging off my shirt collar, there was an armed guard.  They checked my shoes and they patted me down after passing through a metal detector.  I was not allowed to take anything in with me, not even a pen and notepad.  Once inside I saw a series of standard looking desktop computers setup in little cubicles arranged in such a way that only the person sitting in front of any of the computers could see the monitors, there were cameras everywhere watching us.  We didn’t get to use the computers or go any where near them but we were told that they were connected to a segmented network that was only accessible from within that room, of course that network was not connected to the internet.  When we left the room we were searched again before our mobile phones and other items were handed back to us.  Was it secure?  You bet your ass it was secure, but was is practical?  Not a chance, could you imagine even trying implement security like this for a typical Aussie business?

Coming up in part 2 of this article we’ll explore some practical policies and procedures that you can implement to help your business cope with staff who use their own devices (BYOD) for work.

Read part 2 here