Working from Home and the Covid-19 / Coronavirus Crisis – Enabler of Business Continuity or Risk to the Business Continuity?

This article does not aim to discuss crisis preparation, crisis management, business continuity as a whole, or recovery, but rather examines one aspect of business continuity: information security and data protection in remote or work-from-home scenarios.

With the current Covid-19 pandemic in full swing, many businesses, from large multi-national corporations to SMBs to government organizations, have encouraged or even enforced a work-from-home policy.


Whilst not at all new, this is an innovative way to ensure business continuity whilst practicing social distancing and mitigating risk from the virus. Risk managers should, however, examine the potential for exposure and consider whether their BCPs include information and data protection when data is processed offsite by employees.


Commercial organizations, regardless of size, should have some level of information and data protection in place, and the vast majority of large corporations do. Whilst many SMBs have policies and procedures, these are often more basic; in an era where startups have the potential to change our lives, both physical and information security are often neglected by smaller companies, regardless of the technology they possess. These policies, procedures and tools, however, are usually designed for the business network and workspace and very rarely consider a work-from-home scenario, and those that do are often a check-the-box exercise as opposed to policies that have teeth and can be enforced across the organization.


Risk managers and business unit leads may present evidence that the current crisis is indeed unlike any our generation has experienced, and I certainly cannot dispute that point. However, the breadth and depth of this crisis explain its sudden onset but are not an excuse for being ill prepared. How does it differ from an earthquake, flood, or other natural disaster where, suddenly, access to the business workspace is limited? It doesn’t.

In the midst of the crisis, it’s probably unfeasible to make major changes to policies and enforce new company regulations overnight. Regardless, risk managers (physical and information), together with HR and other key partners, should be cognisant of the following examples and consider effective and culturally acceptable ways to roll them out, or risk their business-sensitive data being exposed:

  • Are mobile devices supplied to employees or are employees expected to use personal devices when working from home?

    • Are employees aware of which devices may be used for business activities and is this governed contractually with the employee?

  • Does your organization have a data protection awareness program?

    • Was a refresher given at the start of, and will it be repeated during, this work-from-home period, or has all communication focused on the crisis itself?

  • Does your organization have fit for purpose information and data protection policies for work conducted on site?

    • If so, why is offsite work not treated with the same importance? The information and data being accessed are mostly the same, and onsite often has the additional layer of physical security. Does home?

  • Does your organization have network, hardware and software requirements and limitations?

  • How well has your organization vetted approved collaboration software platforms?

  • Does your organization specify at which offsite locations work may be conducted (home versus a local coffee shop, etc.)?

  • Does your organization provide guidelines and minimum requirements to ensure compliance with organizational information and data protection policies at work-from-home locations?

    • Are the minimum requirements robust, or simply “good enough” to check the box?

  • Is your business providing a stipend for employees to cover a secure work-from-home network setup and ensure compliance?

    • How are you ensuring compliance?

    • Are there ramifications for not being compliant?

In addition, with the increase in employees being made redundant or placed on leave without pay, or employees who fall victim to the crisis, how does your organization:

  • Ensure that access to your network is denied in a timely manner?

  • Ensure that information stored locally on mobile devices is not accessible by former employees still in possession of those devices?

  • Ensure that the mobile devices are returned to your organization?

The above are simply examples drawn from a broader information and data protection strategy, and examples of what could be considered when implementing a work-from-home policy, or any remote working policy where the employee has remote access to business-sensitive data.


To summarize, much attention is given to mitigating the (perceived and actual) elevated risk of remote cyber breaches, but what about the potentially strongest, and potentially weakest, link in any program: the people, and the non-organization networks they use when working offsite?

Enablement Advisors is a boutique risk management company providing creative solutions to challenging problems across the globe. Contact us now to see how we can help your organization.

About the author

IVOR TERRET

Ivor brings over two decades of international counter terror experience at both the official and private sector levels including instructing hundreds of students from high-risk facility security teams, government covert VIP units, government Surveillance Detection units, hotel security senior management, aviation security personnel and senior management, specialized law enforcement and counter terror units as well as corporate EP and SD units.

In addition to training and highly specialized field operations, Ivor has designed and implemented security master plans for covert counter terror units, high-risk facilities, protective details and has consulted on a myriad of projects including mass transport hubs, business parks, hotels, residences, high risk facilities and factories.

Ivor holds an MSc in Security and Risk Management from the University of Leicester, where he was awarded the esteemed Dissertation of the Year Award for his research. Ivor was the elected Chairperson of the ASIS Israel Chapter for the years 2016 and 2017 and interim Chapter Chair for the years 2018 and 2019.


Social Media Privacy Safety Kit


About this kit

This information kit, and the guidelines within it, aim to help the reader mitigate risk by understanding how to limit the personal information available on open and some closed sources. This information is often used by persons or groups with ill intent to support preparations for hostile acts, so limiting it significantly reduces risk.

Anyone can be a target

Please see the separate infographics below for personal and business use of social media for specific guidelines.

Kit audience

Anyone who feels that they may be at risk by a non-professional adversary. This kit is not aimed at the information security professional, rather any “regular” social media user who may be at risk.

What does this kit cost?

This kit is offered to the public at no charge.

Why is it free?

Privacy awareness should be available to everyone and we believe it’s our social duty to help promote this.

Social Media

Social media refers to internet-based platforms used for information sharing, for communities, and to connect with people of similar interests. Social media can be defined as a virtual space in which to socialize and to both share and gain information.

Social media is often used for both personal and business use and thus, we encourage you to see the separate personal and business infographics at the end of the kit.

The concern

Whether for a for-profit offense or to inflict physical harm, both sophisticated and less sophisticated criminals and hostile actors gain tremendous amounts of information from social media. This information is critical in helping the hostile actor select and harm their targets. The more information that is shared on social media, the easier it is for the hostile actor to profile their target, identify vulnerabilities, and design a plan to harm them.

Much of what is posted on social media platforms enables this target “profiling” by revealing location, financial status, business interests, social interests, frequented locations, preferences, etc. Limiting this information makes a target much less attractive; unless someone is specifically targeted, the hostile actor will usually select an easier target with readily available information.

Direct and indirect methods

The easiest approach for the hostile actor is simply to see what information is available on social media using direct methods, such as looking at what’s publicly available or befriending/connecting with the target or with people associated with the target. Available information may include the target’s name, photo, home town, current town, phone number, email, check-ins (offering predictability), interests (likes), etc.

When the information above is limited (as it should be), the hostile actor may use more sophisticated, indirect methods, such as befriending or connecting with friends and colleagues to see what information they share about the target, liking posts the target is tagged in, and eventually befriending the target once the target is familiar with them through interests, common friends, groups, etc.

What social media is covered in this?

As opposed to providing a “privacy manual” per platform, we’ve chosen to provide guidelines that are applicable to any social media platform, with relevant adjustments for personal and business platforms.

Things to consider (and limit)

  • Who can find you?

    • Is your account under your real name (as per the terms of use)?

    • Is your account searchable by search engines?

    • Is your profile picture of your face and available to the public?

    • Is your location visible to the public?

  • Who can befriend you?

    • Can anyone send you a friend request?

    • Can anyone see who you are friends with/connected to?

  • Predictability

    • Who can see your interests, groups, posts, likes, comments?

Limiting the above makes the social media user almost invisible to people they are not connected with in the physical world. In short, this keeps us safer; remember, privacy is more impactful than it seems.

Location

  • Are your photos automatically geo-tagged with the location where the photo was taken?

  • Consider how easy it is to find a home address, or the address of a friend or business partner, just by extracting information from a posted photo.

  • Don’t include any personal information or location indicators on your photos, especially at home/work.

    • Look closely at your photos before posting.

Passwords

  • Use robust passwords and change them regularly

  • Do not use the same passwords for multiple accounts

  • As soon as you learn of a data breach on a service you use, change all your passwords.

Look deeper

  • When an unknown person sends a friend or connection request, look at their profile to assess whether they are who they say they are.

  • As a rule, don’t befriend/connect to people you don’t personally know, but if you must:

    • Google their name: does their photo match?

    • Do a reverse image search on their profile photo

    • When did they join the social media platform?

    • How many friends/connections do they have?

    • Watch their profile for a few days

    • Do you see them befriending/connecting to your friends/connections?

Privacy and Safety Checks

  • Most social media platforms have built-in privacy checks; use them, and rectify any issues.

Business versus Personal Social Media Usage

  • As business use of social media is based on exposure, sharing, and often building a community, at first glance it may seem more difficult to limit information when social media is used for business.

  • In fact, the opposite is true: using social media platforms for business usually doesn’t involve personal information such as social friends, home addresses, etc.

  • With that in mind, using social media for business still has potential vulnerabilities, and certain steps can be taken to limit these whilst not limiting the effectiveness of the business effort.