Your organization may have strong security defenses for in-house data and files, but do your staff and their devices remain protected when they leave the office? Since nonprofits commonly work with sensitive data, it’s imperative to protect that information from cyber criminals, no matter where that work takes place.
Everyone likes having access to their critical documents while they’re on the go, and many nonprofits’ work depends on their staff having full access to sensitive data while they’re traveling, visiting clients, or working from the field. Although remote workspaces present a great deal of risk to sensitive information, there are best practices you can implement to significantly reduce the chances of data breaches or malicious attacks.
Secure Storage and Device Encryption
It’s risky to store large amounts of critical files on portable devices, which are at high risk of loss and theft. Instead, you should keep important information in secure cloud-based storage and only download the files you are currently working on to your mobile device. By limiting the number of sensitive files you carry with you at any given time, you minimize the impact that device loss or theft could have on your nonprofit’s confidential information.
Even if you’re very diligent about moving critical data to the cloud, it is likely that some sensitive data will make its way onto your devices. To protect that data, you should ensure that every device that touches organizational data is protected by full-device encryption. Put simply, this security measure scrambles all the data on your devices so that only someone with the right password can access it. Those without the correct passcode will be unable to decipher the protected data, even if they have sophisticated hacking tools.
The Power of VPN
When joining a public WiFi network, it’s almost impossible to guarantee the legitimacy of the network. You can never know for sure who really operates a free WiFi hotspot, and a hotspot operator with a malicious agenda would have little difficulty watching and even manipulating what you do on that network once you’re connected. So, any data that isn’t protected by end-to-end encryption (such as HTTPS) is at significant risk of being compromised if it is transmitted over a public WiFi network.
For this reason, you should never conduct sensitive communications over public or shared WiFi networks. If using another network isn’t an option, you should use a virtual private network (VPN) service, such as ExpressVPN or TunnelBear, and configure it to automatically activate whenever you connect to the Internet.
VPNs mask your geographic location, IP address, and identity while you browse, and they encrypt the traffic data that would otherwise be accessible to Internet Service Providers (ISPs). By routing your internet use through a VPN’s remote server, you gain anonymity while browsing and mitigate the risk of malicious surveillance and manipulation of your Internet traffic.
Shoulder Surfing Threats
You can have strong passwords and encryption set up for your devices; however, these security measures do not address the threat of someone taking a picture of your device’s screen or looking over your shoulder while you work. Although visual hacking is often an overlooked vulnerability, there’s always the potential for a malicious person near your remote workspace to try to steal or copy sensitive information from your screen.
Whenever possible, avoid working on confidential or valuable information in public places, including coffee shops, airports, trains, etc. If you need to conduct work in such places on a regular basis, you can minimize the risk of having information stolen by adding a privacy film or laptop privacy filter to your screen, which limits viewing to the primary user. You should also set up screen locks that automatically activate after five minutes of inactivity on all your mobile devices, so that you won’t leave sensitive information exposed when you’re not actively working on your phone or PC.
Block Untrusted Inputs
People don’t generally think about all the ways their computers are capable of sending and receiving information from external sources – but every one of those avenues is a potential way for an attacker to get access to a poorly-secured PC. For example, it is possible for a skilled malicious actor to gain complete control over a PC (or destroy the entire device) simply by plugging a flash drive into it for a few seconds. Wireless communication protocols such as Bluetooth can be just as dangerous.
You should never plug untrusted flash drives, phones, or other USB devices into your computer, even if they superficially look harmless. You should also keep Bluetooth and other wireless communication features disabled unless you are actively using them, and be sure to update your PC’s hardware drivers for Bluetooth and WiFi at regular intervals. Finally, make sure that you have Windows file sharing and network service discovery disabled for public networks.
Enforce These Best Practices
Asking busy nonprofit staffers to manage all of these distinct settings on top of doing their work is likely to result in more frustration than enhanced security. Accordingly, you may want to consider automating the enforcement of security features like automatic screen locks, full-device encryption, and the use of VPNs by enrolling all organization devices in a centralized Mobile Device Management (MDM) platform, such as AirWatch or MaaS360. In addition to automatically enforcing a wide range of security settings, MDM platforms can often perform geolocation and/or remote data deletion on devices that have been lost or stolen.
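A spot check of the settings this article recommends, as an added example that is not part of the original article or of any MDM product: a read-only PowerShell audit of one Windows laptop. It assumes an elevated session, BitLocker as the encryption mechanism, and English firewall group names.

```powershell
# Added example: read-only audit of one Windows laptop. Changes nothing.
# Assumptions: elevated PowerShell, BitLocker, English firewall group names.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Full-device encryption: the system drive should be BitLocker-protected.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $vol -or $vol.ProtectionStatus -ne 'On') {
    $findings.Add("System drive $env:SystemDrive is not protected by BitLocker")
}

# 2. Automatic screen lock: machine inactivity limit of at most five minutes.
#    A missing value or 0 means no limit is enforced by policy.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$limit = (Get-ItemProperty -Path $policyKey -Name InactivityTimeoutSecs `
    -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if (-not $limit -or $limit -gt 300) {
    $findings.Add("Inactivity lock is unset or longer than 300 seconds (value: '$limit')")
}

# 3. The firewall's Public profile must be active for the rule check to matter.
if ((Get-NetFirewallProfile -Name Public).Enabled -ne 'True') {
    $findings.Add('Windows Firewall is disabled for the Public profile')
}

# 4. File sharing and network discovery: no enabled inbound allow rule in
#    these groups may apply to public networks ('Any' includes Public).
foreach ($group in 'File and Printer Sharing', 'Network Discovery') {
    $open = Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow' -and "$($_.Profile)" -match 'Any|Public'
        }
    if ($open) {
        $findings.Add("$(@($open).Count) '$group' rule(s) are enabled for public networks")
    }
}

# 5. A hotspot classified as Private receives the more permissive
#    private-profile rules, so list those networks for manual review.
Get-NetConnectionProfile |
    Where-Object { $_.NetworkCategory -eq 'Private' } |
    ForEach-Object {
        $findings.Add("Network '$($_.Name)' is marked Private; confirm it is trusted")
    }

# Report one line per gap, or a single pass line.
if ($findings.Count -eq 0) { 'PASS: all checked settings match the guidance' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

The script does not check Bluetooth radio state or VPN configuration, which vary by hardware and vendor.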
While there are multiple risks when working with sensitive information while away from the office, these best practices can help minimize your risk, so you can focus on your work without worrying that you are putting your organization in danger. Try to implement as many of these recommendations as you can to maximize the security of your remote work.
For more assistance in securing your nonprofit’s data, either on the road or in the office, request a free consultation with a Tech Impact expert. Want to know how well-defended your data is? Download our Data Privacy Assessment to assess your level of risk.