Workplace Law Magazine article: BT on the security risks of a mobile workforce
This feature article first appeared in issue 18 of Workplace Law Magazine (June 2006). More information on Workplace Law Magazine can be found at http://www.workplacelaw.net/magazine
Case study: BT on the security risks of a mobile workforce.
By Bridget Warrington.
It would seem our working future is flexible. Flexible working, remote working and working from home are being actively encouraged by the Work Wise Week campaign, which is supported by the TUC, the CBI and BT, in order to promote a sensible work-life balance in the UK.
The internet, along with high-speed broadband and WiFi connections, has made homeworking, flexible working and remote working extremely attractive for both the employee and the employer. In addition, new removable devices such as memory sticks and iPods have only increased the ease of carrying large amounts of data around.
This all sounds excellent. But horror stories of unencrypted CD-ROMs containing sensitive information on thousands of employees being left on aeroplane seats, and of work laptops being left on commuter trains, are enough to give most IT managers sleepless nights.
The Department of Trade and Industry’s biennial Information Security Breaches Survey 2006, published on 25 April 2006, specifically pinpoints the risks of emerging technologies such as wireless networks, USB/memory sticks and iPods/MP3 players.
The survey states that 20% of wireless networks are completely unprotected, while 40% of companies allow staff to connect via public wireless hotspots without encrypting the transmissions. In addition, 55% of companies have taken no steps to protect themselves against the use of removable media devices.
So it would seem that these new ways of working also bring new responsibilities for both the employer and the employee. It is now essential that employers have a security policy that includes all aspects of new technology, whether working in the company office, from home or remotely.
The Computing Technology Industry Association (CompTIA) firmly points the finger at the employee as the ‘weakest link’ in IT security. It recently reported that human error was responsible for nearly 60% of information security breaches. So it is vital that employers make staff aware of the restrictions imposed by their company’s security policy, and of the legal consequences that could befall them if they lost any significant data.
One large UK telecommunications organisation that has an ongoing programme to analyse security risks and put the best possible security policy in place
Of BT’s 120,000-strong workforce, over 10% work full-time from home, while around 70% of the workforce work flexibly and divide up their time between working at home, working remotely while travelling around, and hotdesking at one of
With such a large percentage of the workforce working outside the relatively secure office environment, BT is aware that employees are often the weakest link in its security, and this is reflected in its security policy. Ian Hughes, BT’s wireless security consultant, explains the nature of BT’s policy:
“People use terms like ‘rules for the fools, guides for the wise’, but then staff can also work outside guidelines. It comes down to what level you trust the people who are working for you.
“In the majority of cases a lot of our users are just that — they are users. They are using technology as part of their job function and they are not necessarily outright experts in any particular area or field.
“So it’s about providing them with sufficient flexibility so that they can do their job and give them the mobility and freedom to work from a variety of locations, while at the same time protecting them, their equipment and the network they connect to.”
Dave Dunbar, Head of Workstyle for BT Global Services, who works roughly half his time from his home office/shed at the end of the garden and the other half out visiting clients, comments on the ease of working remotely:
“There are restricted areas within the intranet, but there’s no more restriction for me coming in from outside than there would be if I was sitting in a BT building. Any restrictions tend to be departmental rather than depending on where you’re coming in from.
“There’s nothing that I could do in the office that I can’t do remotely. The only difference is that I’m going through an extra firewall.”
BT’s security policy has been developed over a long period of time and is constantly evolving. Hughes explains:
“Security is not a one hit. It’s a continuous ongoing activity. It’s a journey and unfortunately you never arrive at the end-point destination because as technology changes and as the hackers gain greater abilities you find that what was the end post has moved on.
“BT’s security policy is a written policy available on our online system, which has a very complex search engine and is indexed on our home webpage.”
BT’s corporate induction programme introduces new employees to the security policy, tells them how they find it and, if they have any questions regarding security, who they should go to. Hughes elaborates:
“It’s part policy and policy awareness, coupled with tools that actually enforce the requirements of that policy.”
The bedrock of BT’s security policy is the corporate build software used on all BT’s PCs, desktop or laptop. “We don’t allow people to go off and add bits of updated software on their own. Instead we control the environment in which they work,” Hughes continues.
“If you have a BT portable PC, you can’t connect it to any network other than BT’s. So if, for instance, you connect to BT’s Open Zone — our wireless hotspot service — it will open up just enough to let you give it your username and password, but that’s all.
“Once you’re connected to the internet, you tunnel through to, and do everything via, our corporate network or intranet. It’s as though when you’re outside the fence we extend this little thin tunnel that extends all the way out to you, encrypted, and surrounds your PC.
“So you have all the security, all the capabilities, all of the monitoring, all of the security of Hadrian, our firewall. We sit behind that and it provides a great deal of protection for our network.”
BT makes a considerable investment in security, but given that there are many thousands of attacks against BT’s firewall every day, it’s an important investment. Hughes explains:
“Some of these attacks will be automated; some of them will be people trying things for who knows what reason.
“We are a large organisation and for that reason we take security very seriously. We have a lot of customer information and legal obligations to our customers to maintain the security of that information. So we manage and maintain this very strong firewall presence to protect that data.”
BT doesn’t just have a single layer of security. “A good model for security is an onion — it is one onion, but it has many layers,” says Hughes.
It operates different levels of security depending on the individual involved and the type of work they are doing, from somebody doing work that is not considered particularly security sensitive, to people working with government departments where the level of security required is considerably higher. BT tailors the security level to the individual’s particular job function.
BT security has active tools to monitor what is happening on any remote device at any one time. It also makes sure that anti-virus and personal firewalls are in place and are updated automatically as soon as the employee is connected to the network.
When it comes to devices that employees can use to transfer or transport data — iPods, PDAs, memory sticks — BT has strict desktop management control.
This includes blocking USB devices altogether, or restricting the ports to a list of specific approved devices. It also involves ensuring that any data placed onto an external drive is suitably encrypted. So if an employee copies a file to a CD-ROM or flash drive, the machine will have been configured so that the file is encrypted automatically.
The employee’s machine will be able to read the data from the device and so will anyone else who has the required encryption keys, but to anyone else it will
Another layer of the BT security onion is the classification of data. There are escalating levels of security (e.g. ‘in confidence’, ‘in strictest confidence’) and these allow employees to access certain documents or data based upon their location and on the technology they are using. So an employee accessing via their laptop in an airport lounge might be able to view an ‘in confidence’ document, but not an ‘in strictest confidence’ document.
In addition, BT has a strict password policy. An employee cannot have a trivial username such as ABC with a password of 123: there are restrictions on what a password must contain, and strict controls on how long it can live before it must be changed.
Depending on the level of security required there are ordinary passwords and privileged passwords. Privileged passwords last much longer, but when they are changed an automated system rejects minor adaptations of the old one. So you can’t add a number on the end of an existing password and hope to carry on using it.
None of these features are rocket science, as Hughes explains:
“All of these are features on most portable PCs and PDAs, but people don’t enable that type of functionality. We’ve taken the time and trouble to actually look at them and understand what these capabilities are and make appropriate use of them.”
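The "no minor adaptations" rule is a check on the new password against the one it replaces, not just a complexity rule. The following is an added example of how such a change-time check can be implemented; it is not BT's code, and the thresholds (12 characters, three of four character classes, an edit distance of two) are assumptions chosen for illustration. It relies on the user supplying the current password in plaintext at change time, which every password-change dialog already does; earlier passwords, of which only salted hashes are kept, can only be checked for exact reuse.

```python
"""Password-change validator: complexity, similarity to the current
password, and exact reuse against a hashed history.

Added example, not BT's code. Thresholds below are illustrative assumptions.
"""
import hashlib
import hmac
import re

MIN_LENGTH = 12          # assumption: policy minimum
MIN_CLASSES = 3          # assumption: of lower/upper/digit/symbol
MAX_EDITS = 2            # assumption: edit distance treated as "minor adaptation"
PBKDF2_ROUNDS = 100_000  # assumption: work factor for stored history hashes


def password_hash(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256 hex digest, used for the password history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _core(password: str) -> str:
    """Lower-case and strip any trailing digits/symbols ('Wall2006!' -> 'wall')."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def complexity_problems(password: str) -> list[str]:
    """Return the complexity rules the candidate password breaks (empty if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    return problems


def is_minor_adaptation(current: str, candidate: str) -> bool:
    """True if the candidate is the current password with a cosmetic change:
    a new trailing number/symbol, a case change, a couple of edited characters,
    the old password embedded in the new one, or the old password reversed."""
    cur, cand = current.lower(), candidate.lower()
    if _core(cur) == _core(cand):
        return True
    if _edit_distance(cur, cand) <= MAX_EDITS:
        return True
    if cur in cand or cand in cur:
        return True
    return cand == cur[::-1]


def validate_change(current: str, candidate: str,
                    history: list[tuple[bytes, str]] = ()) -> list[str]:
    """Return a list of reasons the change must be rejected; empty means accept.

    history holds (salt, hex_hash) pairs of earlier passwords, so only exact
    reuse can be detected there; the similarity test needs the plaintext
    current password, which the user types in at change time.
    """
    problems = complexity_problems(candidate)
    if is_minor_adaptation(current, candidate):
        problems.append("new password is a minor adaptation of the current one")
    for salt, stored in history:
        if hmac.compare_digest(password_hash(candidate, salt), stored):
            problems.append("new password was used previously")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    salt = b"constructed-salt"
    old_hashes = [(salt, password_hash("Old-Pass-2005!", salt))]
    for new in ("Hadrian-Wall2007", "hadrian-wall2006!", "Old-Pass-2005!", "Onion-Layers7Deep"):
        print(new, "->", validate_change("Hadrian-Wall2006", new, old_hashes) or "accepted")
```

The trailing-suffix strip is what catches the "add a number on the end" case directly; the edit-distance and substring tests catch the less obvious variants (one swapped character, the old password with a symbol prefixed). Keep the history check to exact matches: comparing a candidate against stored hashes for similarity would require keeping old passwords recoverable, which defeats the purpose of hashing them.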
As part of BT’s HR function, full-time workers based from home have regular checks for security purposes and electrical safety.
They are unable to store any content locally on their machine, because hard drives occasionally die and BT requires that data be stored on a network drive where it is backed up regularly.
BT’s control on what employees look at over the internet is also highly managed. Hughes explains the necessity:
“The internet is a wonderful place, but there are some bad things out there. It’s our responsibility as a respectable organisation to control what our users can do.”
Employees cannot connect directly to the internet, other than via the corporate network, so all of the usual monitoring and safeguards apply. Wherever a member of staff is, if they want to access the internet they do so as if they were sitting in a BT office.
BT’s security professionals take seriously the occasional incident when employees are found to be sending defamatory content or looking at inappropriate material. Hughes explains:
“We have web filtering anyway, so it’s virtually impossible to view inappropriate content. You get a warning screen and your attempt at viewing that content is logged.
“But we not only log the attempt of viewing it, we look at how you got there. Sometimes you can be on a completely innocent page, click on an ordinary link and end up with something totally inappropriate. So we don’t just look at where they’ve gone, we look at the steps by which they arrived at that point. However, if it happens on a more regular basis, then it becomes an issue.”
In addition, BT has a policy for emails, which it monitors, so anyone sending religious, race hate or defamatory messages can be traced. If an individual receives defamatory content there are also ways in which they can contact BT security and it can be traced back to the person who sent it.
One last measure is that all BT PCs have a screensaver lockdown, so that if an employee leaves their PC unattended for a set period of time it locks and requires the password before work can resume.
Part of Hughes’ role as a security professional is to try and find ways to break the tight security, because if he can find some way to break into something then somebody with malicious intent can also do so. He explains:
“Human fallibility is the greatest issue that we have to deal with here. Second to human fallibility is human ingenuity.”
“As new technologies and capabilities appear, it’s part of our responsibility to look at these and analyse how they can hurt us, how somebody could exploit it in some way, perhaps to do us harm.
“For example, if you take a database and completely wreck it, that’s obvious harm. However, if someone makes small changes to it, that’s more subtle and may not be noticed but the impact of doing so might be far greater.
“So we have over a thousand security practitioners within the organisation whose job it is to understand the details of security risks and vulnerabilities, whether we’re designing a network for a customer or protecting our own internal networks. From a mobile worker’s perspective we will make sure that any application, any technology they have for access is secure and meets our company policy.”
With all these measures in place, BT feels it is managing security appropriately. Hughes says:
“I’m not saying that security breaches can’t happen, but it’s our job to make reasonable ground rules. Security isn’t about removing the risk; it’s about managing it down to an acceptable level.”
Security risks of homeworking and working remotely:
Without a dedicated home work space, a PC/laptop is open to interference by family and visitors to the home.
A work computer could also be used for private/family email and internet use or misuse.
Infrequent (or never!) backing-up of data (locally or online).
Security features that exist on portable PCs/PDAs (e.g. usernames, passwords) are not enabled.
Hacking when using an internet connection.
So-called hoover applications that can extract the entire contents of a USB device, including deleted files, while on screen it looks as though a single file has been copied.
Operating over WiFi connections or copying data without encryption software.
The endless stream of new viruses if anti-virus software and firewalls are not regularly updated.
Leaving a laptop or mobile phone on the back seat of a car in a risky area.
Losing your keys and the memory stick attached to the keyring.
The dangers of emerging technologies such as spyware and voice over IP.
Looking at an employer’s data responsibilities, these are governed by the Data Protection Act’s 7th principle, which concerns the security of the data a company holds about employees and customers. If the company fails to comply with that principle and endangers the security of employee or customer information, it could be open to enforcement notices and ultimately prosecution by the Information Commissioner’s Office (ICO).
In addition, if an organisation breaches the principle and an individual suffers as a result of that breach, the individual could take the organisation to court.
From the employee’s standpoint, it’s worth being aware that any misuse of company data (e.g. using a contacts database to set up their own business on the side) comes under Section 55 of the Data Protection Act. There are an increasing number of prosecutions being brought by the ICO under this section of the act against individuals.
Elizabeth Brownsdon, a solicitor with Bird & Bird specialising in IT, comments:
“There have been quite a lot of prosecutions brought under Section 55. And in fact that’s where most of the ICO’s prosecutions are brought now.”
In fact, in 2004/05 the ICO successfully prosecuted 12 cases under the Data Protection Act involving Section 55 (covering misuse of company data). This compares with just ten successful prosecutions in 2003/04. The cases for 2004/05 involved individual fines ranging from £100 to £3,150 or conditional discharges.
The Employment Practices Code is a useful legal reference point for the employer. This code has been put together by the Information Commissioner and sets out guidance for employers about what they need to do to comply with the Data Protection Act. It also sets out best practice.
In particular, Part 3 of this code covers monitoring employees and goes through the limits of monitoring private emails and how you inform employees before you monitor.
Monitoring of employees is also covered in the Regulation of Investigatory Powers Act 2000 (RIPA). RIPA places limitations on the screening of and interception of communications. Employers should also be aware of the Human Rights Act which covers the individual’s right to privacy and respect of family life — particularly relevant when employees work from home.
The Employment Practices Code Part 3.2: Monitoring electronic communications
This sub-section deals with the monitoring of telephone, fax, email, voicemail, internet access and other forms of electronic communication.
3.2.1 If you wish to monitor electronic communications, establish a policy on their use and communicate it to workers.
3.2.2 Ensure that where monitoring involves the interception of a communication it is not outlawed by the Regulation of Investigatory Powers Act 2000.
3.2.3 Consider — preferably using an impact assessment — whether any monitoring of electronic communications can be limited to that necessary to ensure the security of the system and whether it can be automated.
3.2.4 If telephone calls or voicemails are, or are likely to be, monitored, consider — preferably using an impact assessment — whether the benefits justify the adverse impact. If so, inform workers about the nature and extent of such monitoring.
3.2.5 Ensure that those making calls to, or receiving calls from, workers are aware of any monitoring and the purpose behind it, unless this is obvious.
3.2.6 Ensure that workers are aware of the extent to which you receive information about the use of telephone lines in their homes, or mobile phones provided for their personal use, for which your business pays partly or fully. Do not make use of information about private calls for monitoring, unless they reveal activity that no employer could reasonably be expected to ignore.
3.2.7 If emails and/or internet access are, or are likely to be, monitored, consider, preferably using an impact assessment, whether the benefits justify the adverse impact. If so, inform workers about the nature and extent of all email and internet access monitoring.
3.2.8 Wherever possible avoid opening emails, especially ones that clearly show they are private or personal.
3.2.9 Where practicable, and unless this is obvious, ensure that those sending emails to workers, as well as workers themselves, are aware of any monitoring and the purpose behind it.
3.2.10 If it is necessary to check the email accounts of workers in their absence, make sure that they are aware that this will happen.
3.2.11 Inform workers of the extent to which information about their internet access and emails is retained in the system and for how long.
Sources Of Information
Bird & Bird
Data Protection Act Section 55: Unlawful obtaining etc. of personal data
DTI’s Information Security Breaches Survey 2006
Employment Practices Data Protection Code Part 3.2: Monitoring electronic communications
Human Rights Act
Information Commissioner’s Office
Regulation of Investigatory Powers Act 2000