h2g2 Episode 5: Data, data, everywhere

A Hitch-Hacker’s Guide to the Galaxy – Developing a Cyber Security Roadmap for Executive Leaders

In this blog series, I am looking at steps that your organisation can take to build a roadmap for navigating the complex world of cyber security and improving your cyber security posture.

There’s plenty of technical advice out there for helping security and IT teams who are responsible for delivering this for their organisations.  Where this advice is lacking is for executive leaders who may or may not have technical backgrounds but are responsible for managing the risk to their organisations and have to make key decisions to ensure they are protected.

This blog series aims to meet that need, and provide you with some tools to create a roadmap for your organisation to follow to deliver cyber security assurance.

Each post focuses on one aspect to consider in your planning, and each forms a part of the Cyber Security Assessment service which we offer to our member organisations in the UK Higher and Further Education sector, as well as customers within Local Government, Multi-Academy Trusts, Independent Schools and public and private Research and Innovation.  To find out more about this service, please contact your Relationship Manager, or contact us directly using the link above.


Episode 5: Data, data, everywhere 

“There are of course many problems connected with life, of which some of the most popular are Why are people born? Why do they die? Why do they want to spend so much of the intervening time looking at smartphones?”  (mis)quote from Douglas Adams, A Hitchhiker’s Guide to the Galaxy


Life on the go

Universities and colleges are at the forefront of the adoption of educational technology.  For your primary demographic (the 18-24 age group), it’s essential to ensure that you utilise mobile technology effectively to meet the needs and expectations of your audience.

Beyond the student body, your academic and support staff are no strangers to mobile technology, with smartphone ownership at 98% in the 24-54 age groups.  In the workplace, the benefits of remote working for them are not hard to appreciate.

The use of mobile devices—laptops, tablets and smartphones—has been transformational for students and staff alike.  Anytime, anywhere learning is a reality as much as anytime, anywhere working.

Happier students, productive researchers, a contented workforce.  What’s not to like?

Well, there are some downsides.  Studies suggest that excessive mobile phone usage is linked to negative student mental health, whilst an “always on” workplace culture which has staff checking emails and messages outside of working hours is reported to be a contributory factor in chronic stress, emotional exhaustion and work disengagement.

These are important findings which demand attention.  However, there’s another often overlooked issue which is the focus of this episode.  No prizes for guessing, it’s data security.

With technology, it is often the case that convenience and flexibility come at the expense of security.  In Episode 3 (Knock, knock, who’s there?) I explained how overly permissive access controls can appear to deliver convenience and flexibility but do so at the expense of security by widening the scope for damage in the event of an incident.

Missing in action

Picture the scene.

You’re on the train on your way to a conference.  You want to use the time productively and catch up on some emails, and there are some papers you need to brush up on before you get back to the office.  You take out your laptop and get down to business.

You type in your laptop password and connect to the train’s free WiFi.  It’s slow but it’s good enough to allow you to do emails.

What could possibly go wrong?  Consider the following.

Outcome 1.  You’ve been so absorbed in your work that you don’t realise that you have arrived at your station.  In the rush to get off the train you leave your laptop on your seat.  Loss or theft.

Outcome 2.  You’re not aware of the person sitting behind you who watches you typing in your username and password when you are logging in.  When you log in later, you discover that some important files and emails are missing from your account.  Shoulder surfing.

Outcome 3.  The free train WiFi was actually being operated by a smartphone in the carriage and was being used to intercept all the laptop communications, including usernames and passwords being used to log in.  Insecure WiFi.

Outcome 4.  Sometime after you’ve left the train, you discover a small USB device is plugged into your laptop.  It’s a keystroke logger and has transmitted everything you have typed in to the person sitting opposite.  Malicious hardware or software.

Sadly, none of the above is in the realms of fantasy.  Any of these outcomes is possible and can put your organisation’s data at risk.

Speed data

Go back 20 years, and all that data was kept in house.  It was stored in server rooms, and people worked on computers in offices.  The buildings provided physical protection for data, with server rooms protected behind lock and key, and the firewall provided protection to the network from unauthorised access from outside.

Fast forward to the present day, and people are working on all sorts of devices in all sorts of places.  Computers, laptops, tablets and phones, on campus and off campus, in the office, at home and anywhere in between.  And the data they are working with?  For sure, some of it still lives in the server room, but more and more is stored in the cloud, and some of it will be stored on the devices themselves.

You can no longer rely on the buildings or the firewall to protect that data.  Keeping track of it, and protecting it from falling into the wrong hands, requires a new set of tools.

Make no mistake, firewalls are still essential to protect your on-site data and equipment (and cloud firewalls are available to protect servers which are cloud-hosted), but the use of mobile devices has moved the security goalposts and we’re playing a whole new ball game when trying to manage the risk.

So just how do you do it?

Say it with… a policy

Your first step should be to make sure you have strong, clear policies around the use of mobile devices—both organisation-owned and personal.  This should include keeping work and personal files and email separate, only using approved applications to access work files and communications, having anti-virus software installed and up-to-date, as well as guidance on safely using devices in public locations, including avoiding insecure WiFi connections, and prompt reporting of devices which are lost or stolen.

A policy is only effective if it’s embedded into working practices.  So ensure that you provide training to make sure people understand the policy, the risks it addresses, and have clear guidelines on what to do, and what not to do.  Refresh the training at least annually.

Use the right tools for the job

Most computers in your organisation’s offices are programmed to use a set of security settings which are applied automatically.  This happens because they are part of your Active Directory “domain” and permanently connected to your network.  Devices like tablets and phones cannot be managed in the same way, and may not be connected to your network, so you need a different solution.

That solution is (usefully) called mobile device management (MDM).  This does what it says on the tin: allows you to apply a similar set of security settings to these devices which they pick up using any available connection—including a WiFi hotspot or 4G mobile connection.

What settings do you need to be looking for?  There’s a huge range of possible configurations, and the decision will be different for each organisation.  Typically, you will want to ensure that devices have a PIN code or password configured, with lock screen timeout enabled, and encrypted data storage.  You might also want to ensure that a particular anti-virus program is installed and up-to-date, and that certain applications are installed for accessing organisation email and files.

One important feature is the ability to lock devices which are lost or stolen, and some devices can be put into “lost mode” to help with locating and retrieving them.  Think “Find my phone” at a corporate level.  If a device cannot be retrieved, the MDM can remotely wipe the device.

There are several MDMs to choose from.  The two we see most commonly in the sector are Microsoft Intune and JAMF.  For organisations with Microsoft 365 A3 or A5 licences, Intune is an obvious choice, and can be used for Apple, iOS, Linux and Android devices as well as Windows (although some advanced features require additional licensing).  JAMF is a specialised MDM for Apple devices.

Mobile application management (MAM) takes MDM a step further by securing data within the applications.  It means that you can control whether you can copy and paste data from an email or document into another app, and restrict this feature to only apps which are approved.  If necessary, you can remotely wipe organisational data from a device without affecting other apps.

Using public WiFi can expose mobile devices and the data on them to risk.  Insecure WiFi networks allow data to be intercepted, including passwords and sensitive data.  You may have a policy that says don’t use public WiFi hotspots, but you need technical controls to enforce that.

An MDM can restrict access to a set of approved WiFi networks, but that is likely to prove too restrictive in most cases.  A better solution is to use a VPN (virtual private network).  This encrypts the traffic over any WiFi connection, which means that even if it’s intercepted, the communications remain protected.

However, it’s important to ensure that only reliable, trusted VPN services are used.  These are often available as part of your organisational firewall.

Bring your own disaster

The use of personal devices for work—known as Bring Your Own Device or BYOD—poses high risks which are challenging to mitigate.

For some organisations, BYOD has been a necessary response to the requirement for flexible working.  If you can’t afford to provide all your staff and students with an organisation-owned and managed laptop or tablet, then having them use their own can be seen as a low-cost option.

Low cost, but certainly not no cost.

The price you pay for accommodating personal devices is that you have little or no control over how secure those devices are, so you have to put in place much stronger protections elsewhere in your business systems and processes.

Your BYOD policy by itself isn’t going to stop it happening and will provide cold comfort if you’re facing a data breach or ransomware incident resulting from an insecure personal device.

What you want to do is minimise the access that these “unmanaged” personal devices have to key data and systems.  Make sure that access to organisational data requires multi-factor authentication.  Enforce conditional access policies to ensure that users can only log in from trusted locations.  An application proxy is a way to allow people to securely access internal applications and data using a web browser.
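To show how the MDM baseline above (PIN, lock screen timeout, encryption, up-to-date anti-virus) and the conditional access controls for unmanaged devices fit together, here is an added example that is not part of the original post and is not any vendor’s API: a small policy evaluator over constructed device records, with made-up trusted network ranges and a made-up 5-minute lock timeout limit.

```python
"""Added example: evaluate devices against a mobile-device baseline, then make a
conditional-access style decision.  Device data, network ranges and the timeout
limit are all constructed for illustration; no vendor API is used."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Constructed "trusted locations" (e.g. campus ranges); 192.0.2.0/24 is a documentation range.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
MAX_LOCK_TIMEOUT_MIN = 5  # assumed organisational limit, not from the post


@dataclass
class Device:
    name: str
    managed: bool                    # enrolled in the MDM (False = BYOD / unmanaged)
    pin_set: bool
    lock_timeout_min: Optional[int]  # None = no automatic lock configured
    encrypted: bool
    av_up_to_date: bool


def compliance_failures(d: Device) -> List[str]:
    """Return the baseline settings the device fails (empty list = compliant)."""
    failures = []
    if not d.pin_set:
        failures.append("no PIN/password")
    if d.lock_timeout_min is None or d.lock_timeout_min > MAX_LOCK_TIMEOUT_MIN:
        failures.append("lock screen timeout missing or too long")
    if not d.encrypted:
        failures.append("storage not encrypted")
    if not d.av_up_to_date:
        failures.append("anti-virus missing or out of date")
    return failures


def access_decision(d: Device, mfa_done: bool, source_ip: str) -> str:
    """Decide what a sign-in to organisational data gets: allow, limited, or deny."""
    if not mfa_done:
        return "deny: multi-factor authentication required"
    trusted_location = any(ipaddress.ip_address(source_ip) in n for n in TRUSTED_NETWORKS)
    if not d.managed:
        # Unmanaged device: only from a trusted location, and only browser access via the proxy
        if not trusted_location:
            return "deny: unmanaged device outside trusted locations"
        return "limited: browser access via application proxy only"
    failures = compliance_failures(d)
    if failures:
        return "deny: device non-compliant (" + "; ".join(failures) + ")"
    return "allow"
```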

Your people are your strongest defence

So far I’ve outlined a combination of policy and technical controls as the tools you need to manage the risks from mobile devices.  These are essential measures to have in place.

But in this area of cyber security, it’s people and behaviour which are going to have the biggest impact. Ultimately what you want to achieve is a “security first” mindset in your workforce, where people know the risks and how to mitigate these by using secure working practices.

Cultivating that culture is a challenge that executive leaders have a crucial role in, by leading from the front and promoting the security first message as a core business value.

Pushing the boundaries

So, to summarise, mobile devices extend the security boundaries of your organisation beyond the physical network and buildings out to the devices people are using to work on.  You need clear policies for the secure use of mobile devices, including BYOD if appropriate.  Back these up by using mobile device and application management tools, VPN and application proxies.  Invest in your staff training programmes, and lead from the front.

A Final [Deep] Thought

For now, you can take useful steps forward by reviewing your organisation’s mobile device and BYOD policy, and finding out whether you have Mobile Device and Application Management systems, VPN connectivity and an application proxy in force.  Check that your staff training programme covers the risks from shoulder surfing and using insecure WiFi.

In the next episode of A Hitch-Hacker’s Guide to the Galaxy, we’ll be looking at how to make sure you are keeping your organisation’s security up to date.  A stitch in space and time…

James Bisset is a Cyber Security Specialist at Jisc.  He has over 25 years’ experience working in IT leadership and management in the UK education sector.  He is a Certified Information Systems Security Professional, Certified Cloud Security Professional, and is a member of the GIAC Advisory Board.
