Travelling with your security blanket (cross post)

security-blanket-schroeder(Originally posted on the Iron Mountain Information Advantage Blog on October 16th 2013)

Mobile devices are great. I’m sat here in the back of a car in India travelling to a meeting. I’m connected to the internet via my iPhone and using the time to write a blog post on my laptop about the inherent dangers of using mobile devices while travelling. The irony isn’t lost on me.

Much has already been said on the various things that can be done to protect yourself while working on the move. Indeed, just the other day I wrote a piece on exactly how not to do it, and I am sure it is a regular topic of internal security articles at many companies.

The key issue I see is that the security measures are not always seen as ways to protect information. Rather, they are often seen as hoops that people need to jump through to get to the information they need to do their work. When, as is sometimes the case, security measures are poorly designed and/or poorly implemented, then the view of information security as an obstacle should come as no surprise.

Therefore, rather than trying to foist technology or procedures onto people, would we not be better focussing on behaviours that can be reinforced with easy to remember concepts? Here are a few to consider:

Location
Think about where you are sitting with your laptop/mobile phone. Can it be stolen easily (as in this example) or can your screen be viewed easily by people sat nearby? Your data can be both physically stolen as well as “visually” appropriated.

Connection
All internet-based connections should go through a VPN. This might be overkill for some, but it ensures that there is no internal dialogue about the security of a Starbuck’s Wi-Fi versus a BT hotspot or even a hotel Wi-Fi. Always use a corporate VPN to encrypt and tunnel your traffic through any potentially unsafe network. Even when using a personal laptop to do your own work in a cafe, like a bit of banking or shopping, your credentials and details can be stolen, so use one of the many commercial (and sometimes free) VPN products that are available

Observation
Be aware of your surroundings. Is this a high-traffic area such as a cafe or airport lounge, with people moving in and out frequently? Be aware of what is on your screen – is it confidential? Should you really be working on it in a public space? This doesn’t mean you need to be paranoid, but travellers, especially when abroad, can often be spotted easily and are often viewed as vulnerable. Knowing your surroundings and behaving accordingly is an important part of not only keeping your data secure, but of keeping yourself safe also.

Let’s face it, technology is never going to solve everything. I wrote recently about an example which had all the right technology in place, only to be let down completely by a visit to the bathroom. If in doubt, your mobile devices should be your “bathroom buddies” and not left exposed in public!

 


What’s this security stuff for anyway?

I am currently sitting in the BA lounge in Heathrow awaiting a flight to Delhi, and as I look around at the number of laptops lying around it reminded me of something I saw a few years ago at Delhi International Airport as I was waiting to fly back to the UK. It was so shocking I even used it as an example in a security article I wrote for my company on my return. Regular readers will know that I have a thing about unattended laptops anyway as it  has the potential of negating all of the technical measures put in place in certain circumstances. Anyway, I decided to write it up here as an example (and of course to kill the time in the lounge!).

It was about midnight, and I was in the BA lounge (sometimes shared with other airlines), and it was quite a busy evening so most of the seats were taken.

I was sat next to a gentleman who opened up his laptop and switched it on. It immediately asked for a password, I presume for the on disk encryption. He then had to log into his account, and then finally he connected his own data card (no local WiFi and inherent insecurities for him!) and subsequently connected to his corporate VPN using a username, password and an RSA two factor authentication token. All good stuff from a security perspective.

I noticed from his wallpaper logo right in the centre of his screen that he worked for an aeronautics defense contractor, so the level of security didn’t surprise me. What he did next however did…

After successfully connecting, he placed his laptop on on the table in front of him and went to the toilet… without even locking his laptop. He was away for 15 minutes.

I was so shocked I even took a photo of his laptop which is attached – this is honestly the laptop in question! If you look carefully you can see the window with his VPN connections in the middle of the screen

image

It summed up to me that even though there was all of this security on his laptop, it was rendered useless by his carelessness and utter disregard (or utter lack of awareness) of the security of the contents on his laptop. He entered the passwords that protected his data because that was what he needed to do to get his job done, not because he understood what it was for.

When we overcome scenarios, attitudes and understanding that results in this kind of thing being played out the world over, we will have addressed a huge amount of risk in our industry.

Bon voyage!