Personal Email, Devices, and Offices Often a Risk
Hillary Clinton's government email use and that of her staff touches on a widespread and larger issue in the business world: Employees using personal email, computing devices like their smartphones, tablets and computers, and personal home offices (or Starbucks) for work. And using personal social media sites to do work, too. Many companies are not aware of the risks and struggle with how to address a business and Information Security area where people, tools, and risk cross.
NOTE: While this article was influenced by the news of Hillary Clinton's use of personal email for US State Department communications, I leave discussions of it to the growing number of commentaries on the Internet. This article identifies the risks and outlines the overall security approaches to safer data and company protection.
Hillary is Not Alone
Working with old, new, and at times only slightly compatible technologies can be archaic and cumbersome. While many employees are not IT geeks, they will use whatever is available, easier, and familiar to get the job done. Workers view using mobile tools like smartphones and tablets as a necessity and not a convenience.
With US State Department permission, Hillary Clinton used a personal email account to do her work. Hospital environments, on the other hand, do not give permission for using private tools, but that does not stop staff. A Spyglass Consulting Group report states that although 89% of hospitals forbid the use of personal smartphones, 67% of nurses use their phones for doing work. Only 11% of the hospitals with BYOD programs include nursing staff. The infraction rates are mainly due to workers trying to consolidate tool use for efficiency, similar to other official efforts by companies, but on a smaller scale and without an understanding of the security risks. This practice is similar in other industries.
Can Companies Just Say No?
While there are security risks from BYOD, a growing number of companies are pushing their employees to BYOD. A Gartner survey of CIOs predicts that 38% of companies will stop providing devices to employees by 2017. These companies cite cost savings, employees wanting to use personal devices for work, and increased work opportunities. Those opportunities include employees using apps that support multiple telephone lines with voicemail and email to keep "plugged in" while out of office. IBM cited that by supporting mobile/remote workers, they slashed real estate costs by $50M. Other benefits include productivity gains, like American Express telecommuter production being 43% more than those in-office.
Employees using BYOD is the tip of the iceberg with using downloaded apps to increase productivity, capture notes, etc. Increasingly, companies support teleworking for a variety of benefits that include shifting the burden of providing infrastructure (VOIP phone, broadband, computers and software, etc) to their workers. Of companies surveyed on telecommuting practices, at least 50% of employees use their own devices to perform company work. However, a company's internal networks and systems, which are secured by a large variety of sophisticated security mechanisms, are increasing exposed by a loss of control and lack of security from those mobile devices and remote work environments.
To reduce security risk, companies could limit or prevent mobile devices or telecommuting environments from even happening. But employers unfortunately can't afford to say no; stopping a flood is easier said than done. The growth in mobile communications, like smartphones and tablets, is expected to continue growing. A report on business and personal worldwide mobile email estimated growth in 2013 to reach 897M users with a 5% growth each year until 2017. Similarly, mobile Instant Messaging (IM) is estimated at 460M accounts with slightly slower yearly growth.
Employees themselves are expressing to business their love of BYOD, and backing it up with their feet. In Staples’ 2014 telecommuting survey, 71% of employees see teleworking as an important benefit when considering a new job, with 19% avoiding a potential new job if telecommuting is not offered. Using mobile devices and work environments away from the company will only increase. Expanded smartphone and tablet capabilities, dropping prices for devices, and increasing numbers not even having a traditional telephone or computer in place of a mobile device will guarantee it. Now, children ask their parents for a smartphone for Christmas because their little peers have them. More mobile use, increasingly on personal devices, raises the risks for malicious software and information exposure.
What Are the Risks, Anyway?
According to Jeffrey Bernstein, Managing Director of Information Security at T&M Protection Resources, in this past year alone well over 80 percent of data theft begins with users doing things they shouldn’t, such as clicking on malicious Web links, using weak passwords or opening file attachments. But let's set aside the obvious pitfalls from malicious content that virus detectors and other security scanners might catch. There are a number of other pitfalls that put companies at risk.
Personal Email and Legal Issues.
If the company is publicly traded, Sarbanes-Oxley (SOX) has requirements for protecting and retaining email related to the company. And if you work for a government agency, Freedom of Information Act rules might apply. Personal email can't be protected or retained and gives the appearance that the larger organization may be actually trying to hide or circumvent the regulations.
Worse still, many personal email systems do not encrypt the emails when transmitted or stored. For cost savings and efficiency personal email services often store emails, once again unencrypted, at locations outside of the source country. Countries outside of the United States and Europe may have different and fewer restrictions on protecting the building where email servers are located, let alone the emails or apprehending and prosecuting hackers in those countries where the breaches happen.
More than the hackers can get access to your company's data included in personal emails. For instance, if an employee has email that is processed by a server in India, the laws of India apply to the server and its data; this may allow monitoring and collection by the Indian government. Other countries have their own laws for viewing and retaining communications in general or as evidence in a data breach.
Advanced Persistent Threats (APT) is on the rise where nation states sponsor industrial espionage through private companies, using the support and laws of the country for business gain. The secrets over personal devices and services could become exposed without any hacking involved.
Encrypted Data (or not).
Companies that encrypt their data may not be as safe as they think. Employees forward or copy documents or data in an unencrypted form to their mobile or telecommuting environments for ease of access. When encrypted computer drives are used, data is often encrypted when the computer is turned off and unencrypted when the device is in use. . .and left unencrypted when users don't turn off their personal device when done working. A CSO Magazine survey reported that 45% of its 100 respondents in the UK and Germany do not encrypt data when taking it from the office. That means the data you thought was encrypted is not only outside of company control, but is exposed on systems where the company doesn't even know about it.
Social Networking an Obvious "No-No", Right?
This is not about using personal social networking like Facebook on company time to post kitten pictures. In a 2013 Avanade survey of 1,000 companies and 4,000 employees, about 74% used Facebook and 15% used Twitter, followed by more traditional tools like SharePoint or Dropbox at 39%.
These common tools are used because collaboration between teams or companies is difficult when different tools or configurations pose barriers. Employees try to do the right thing in business, but how many times are personal devices lost or stolen? How many times do you see stories about accidental posts of personal information or people posting when they don't know their comments are visible to "the world"? Even in a controlled corporate environment, user access can be a challenge.
Using social media channels places administration outside of everybody and in the hands of the media vendor. Users agree to the "terms and conditions" agreement and some companies have tried to take liberal license in claiming that posted content becomes their property instead.
Using these tools also exposes companies to the security vulnerabilities of a social network and places the company at the whim of the vendors in fixing serious security issues like Heartbleed, Ghost, etc. Increased use of social media for work equates to increased company risk. Any information or comments may become public, exposing data, strategy, and potentially damage to company brand.
Established Security Practices? What Practices!
So your company has policies and technical controls in place to address failed logins, locking down computers, and "clean desk" practices. In a mobile and telecommuting environment, the security practices that companies work hard on for employees to follow become an "honor system" when outside of company control. An employee might be productive by working at the local library where it is quiet, but do they spend the money to buy a privacy screen for their personal computer to prevent shoulder surfing?
In addition, employees working on company data often make paper or electronic copies of the data when working at home. These activities invalidate company security controls in place on directories, databases, and files that limit access to the data and prevent its potential theft. With employees often using accounts on their personal laptops that have administrative rights or "jail breaking" their devices for more control, sensitive information becomes even more at risk to being stolen.
What is a Company to Do?
The challenges to BYOD and remote work environments seem to be much greater and formidable than the return. However, that perspective is at first glance. Business has always been about extending reach within a degree of risk. Companies that simply issue a policy and simple Mobile Device Management (MDM) software will be at the most risk. Part 2 of this topic details the variety of security approaches that companies might consider to securely approach BYOD and remote work.