In June 2014 I published https://www.datasecurityexpert.co.uk/articles/personal-articles/81-why-not-controlling-your-business-data-is-a-bad-idea.html, when cyber security was less known about, or less “sexy”. A few articles ago, in https://www.datasecurityexpert.co.uk/articles/personal-articles/331-cyber-security-the-gap-between-rich-good-security-and-poor-not-good-security.html, I said that very early in my career I worked at a large firm whose security was incredible for the time. I still stand by my comment that company x beats many of the companies I see today.

It is all well and good securing the corporate-issued laptop, if you do at all, and then paying little attention to remote services like OWA (Outlook Web Access), Office365, OneDrive (cloud file storage) or the web-based DMS (document management system). It is likely your laptop will have FDE (full disc encryption) and maybe, just maybe, USB storage devices blocked, which makes it a little harder to leak data by mistake or on purpose.

Post 2010, the concept of the four walls of a company, or the boundary of its physical firewall, has slowly (or now rapidly) been degrading. In the old days all we used was an Outlook client and a shared folder, which meant you needed to be on-site or on a VPN laptop to get to your data. The days of client software are numbered and everything now is browser based, or more specifically cloud based, hosted in someone else’s data centre.

Let’s now move to 2019 to see what has changed, and you could say the cloud has made the issue worse! The DPA (Data Protection Act 2018) or GDPR (or, as I call it, East Germany) talks about controlling data, encryption and destruction once it is no longer required. Over the years, and still to this date, I speak to many people every month, from five man/woman firms and law firms to companies with a turnover of hundreds of millions a year. You would think the larger the firm the better, erh, no.

Below are two anonymised stories, neither of which concerns a client:

Law firm with a few hundred staff
The British law firm does issue VPN-enabled laptops, but not everyone has one due to management and supplier delays. Solicitor x does not have a corporate-issued laptop yet and needs to work from home, including abroad (outside Europe). He/she uses a laptop owned by himself/herself, or one belonging to a friend or partner, to work remotely. Access to corporate email is by OWA or Office365 and a cloud-based document management system. Emails are edited within webmail and documents are downloaded and edited on the local laptop, then uploaded to the central cloud store.

Multi-national consulting firm with a giant turnover
Similar to the above: everyone has a laptop and no desktop computers are used. The laptop is managed by the company and has a VPN agent on it. Instead, person x chooses to use his/her personal laptop to work on, whilst in London and Europe. Naturally Office365 is used for email, along with OneDrive. Again, emails are edited in the web browser and files are downloaded to any old device, regardless of type or ownership.

What is the problem?
A lot, in a word or two! Having the data on a random device allows it to leak in many ways, such as:
  • Malware: infection of the personal laptop could lead to data theft, or to data encryption through ransomware
  • USB/CD/DVD*: being a non-corp device, files could easily be copied to removable media, which could then go walkies
  • 3rd-party cloud: inadvertently, data could be uploaded to a non-corp cloud provider, thus crossing jurisdictions
  • Leavers: JML (joiners, movers and leavers, not the shopping channel) deals with what happens when someone moves department or leaves the firm. Nothing can happen once the data leaves corp devices
  • Loss/theft: personal devices will have no encryption. Remember the days of central govt and councils constantly leaving USBs and laptops on the train?

*Countless firms still have USB devices allowed, and when you ask them why, they say IT blocked them and people moaned, so they let them be wide open again. Come on! Can’t you issue everyone hardware-encrypted USBs and whitelist them, or install software which allows BYOUSB and force-encrypts data written to them? You may say hardware-encrypted USBs will cost a fortune, and yes, they will, but poor publicity and losing a public sector contract will cost more.

Solution?
Firstly, block or control USBs and CD/DVD drives on company-issued kit. Block downloads within webmail when on non-corp-issued kit. Look at some kind of Citrix or RDP session, which means all processing is done on a server and only the display is sent to the device.
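As an added example (mine, not the article's own procedure and not any vendor's tooling), here is how the advice above and the footnote's "issue hardware-encrypted USBs and whitelist them" translate into Windows device-control policy on a company-issued laptop. It makes CD/DVD drives read-only and allows only listed USB mass-storage hardware IDs to install. The registry paths are the ones the "Removable Storage Access" and "Device Installation Restrictions" Group Policy templates write, stated from memory as an assumption to confirm against a GPO result report before rollout; the hardware ID in the allow list is a constructed placeholder.

```powershell
# Added example, not from the article. Run elevated on a test machine first; in
# production deliver the identical settings through GPO or MDM rather than a script.
$ErrorActionPreference = 'Stop'

# Device interface class GUIDs used by the Removable Storage Access policy.
$DiskClass  = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # removable disks
$CdRomClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # CD and DVD drives
$RsaBase    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DevInst    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Hardware IDs of the approved hardware-encrypted drives. Constructed placeholder;
# read the real values from an approved drive with Get-AttachedUsbDiskIds below.
$ApprovedUsbIds = @(
    'USBSTOR\DiskEXAMPLE_&Prod_Hardware_Encrypted&Rev_1.00'
)

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Step 1: CD/DVD drives become read-only, so data cannot be burned to disc.
function Disable-OpticalWrite {
    Set-PolicyValue "$RsaBase\$CdRomClass" 'Deny_Write' 1
}

# Flat-block alternative for firms with no approved drives at all: denies every
# removable disk, approved ones included, so do not combine it with an allow list.
function Disable-RemovableDiskAccess {
    Set-PolicyValue "$RsaBase\$DiskClass" 'Deny_Read'  1
    Set-PolicyValue "$RsaBase\$DiskClass" 'Deny_Write' 1
}

# Step 2: USB mass storage not on the list cannot install; approved IDs are listed explicitly.
function Set-UsbAllowList {
    param([string[]]$HardwareIds)
    Set-PolicyValue $DevInst 'DenyUnspecified' 1   # "Prevent installation of devices not described by other policy settings"
    Set-PolicyValue $DevInst 'AllowDeviceIDs'  1   # "Allow installation of devices that match any of these device IDs"
    $i = 1
    foreach ($id in $HardwareIds) {
        Set-PolicyValue "$DevInst\AllowDeviceIDs" "$i" $id 'String'
        $i++
    }
}

# Helper for building the allow list: hardware IDs of disks currently attached over USB.
function Get-AttachedUsbDiskIds {
    Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object { $_.HardwareID } |
        Sort-Object -Unique
}

# Audit: report what the policy keys currently say, so a reviewer can check the settings stuck.
function Test-RemovableMediaPolicy {
    $allow = Get-ItemProperty "$DevInst\AllowDeviceIDs" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CdDvdWriteDenied   = (Get-ItemProperty "$RsaBase\$CdRomClass" -ErrorAction SilentlyContinue).Deny_Write -eq 1
        UnlistedUsbDenied  = (Get-ItemProperty $DevInst -ErrorAction SilentlyContinue).DenyUnspecified -eq 1
        AllowedHardwareIds = @($allow.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
    }
}

Disable-OpticalWrite
Set-UsbAllowList -HardwareIds $ApprovedUsbIds
Test-RemovableMediaPolicy
```

Two caveats a practitioner will want: the installation restriction governs devices being installed from now on, so drives already set up on the laptop should be reviewed separately, and the Removable Storage Access denials apply to the whole device class, which is why the flat-block function is kept apart from the allow list rather than applied alongside it.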