TechRepublic writer Erik Eckel gives tips on how to make sure your data is safe if you’re working from home.
TechRepublic’s Karen Roby talked with writer Erik Eckel about best practices for backing up data while working from home. The following is an edited transcript of their conversation.
Erik Eckel: So many people went to work from home in March. That’s just become the norm, the standard, by which so many people are working. One factor that may be overlooked, is how are we backing up all of the data that’s getting processed and created, and edited and revised, in people’s homes? Chances are, people are working with a laptop from their company at home, maybe fighting over position for the best home office location, whether that’s a desk in a spare room or the kitchen table. A lot of important work is getting completed at home, including processing payroll, the completion of tax filings and returns, product brief development, and that type of work. What happens if the hard drive dies on the computer that you’re using to work from home? What happens to that data?
I think there are a couple of questions you want to ask yourself if you’re in that position, or if you’re an employer or IT department managing folks who are working remotely. The first one is to take a look at where are the applications housed that people who are working from home are using. If people working from home are accessing cloud applications, then it’s a safe bet that the data is in the cloud, and it’s being backed up by the provider of that platform. You want to confirm that to be true, but that’s typically the case. That’s one of the big advantages of working with a cloud application. If that’s not true, though, then the next question is, where are the critical applications being housed? If those are back at a corporate HQ, or a corporate office, and working from home you’re accessing those resources through a VPN, then the IT department just needs to make sure that those systems continue to be backed up according to best practices, to ensure that that data is safe.
If you’re working from home and you’re not sure, there’s nothing wrong with reaching out to an IT contact, or a technical contact at your office and just asking that question and saying, “Hey, here are the things that I’m working on throughout the day, each day. Are those being backed up? Should I get an external hard drive to connect to my computer? What needs to be done there to be safe?” The IT departments may answer, “Hey, I’m glad that you asked. We’re in good shape. We’ve got that covered.” Or they might say, “Wow, we didn’t realize you were actually working on that. Let’s put an alternative plan in place.” That way you can make sure that you’re covered. If you do use a USB hard drive, and I would recommend anybody who’s working on a computer, unless there’s an extenuating circumstance why they shouldn’t, get an external hard drive. You can pick them up from a variety of vendors, typically for less than $100 for a terabyte or two, and leverage the backup utilities that are available on your computer, either in Windows or on a Mac, and just make a whole backup of the laptop, or if you’re using a desktop computer, the desktop, throughout the entire day. You never know what you’re going to need.
Data stores itself in a number of different locations on the computer. You can always reach out, of course, to an IT contact at your company to do that. If you’re an IT department, you probably want to make sure users who are storing files in their documents folders, and on their desktops, that you have some mechanism in place to be backing that data up because the old rules still apply. Hard drives are still going to fail whether someone’s working at home during a pandemic or not. It’s important to get that data backed up. The other concern is if you pick up an external hard drive and connect it to your computer, and format it for backups, you want to consider encrypting that hard drive because the same old rules, again, apply. You could still suffer a theft. You could still encounter issues where a hard drive is lost, or someone who’s visiting the house picks it up by mistake. There is a responsibility to ensure that corporate data is protected, and that that drive is encrypted.
If that’s not something you know how to do, you can work with a technical contact at your company to make sure that those drives are encrypted. All that means is it keeps that data from being accessible to someone who gains possession of the hard drive, but doesn’t have that encryption key. If you’re an IT department, obviously deploying hard drives in the field for folks, you want to make sure that you encrypt those drives and then keep those encryption keys securely on hand so that if they’re needed, you have that information available. The last item that probably gets overlooked, and it’s not as technical, although it becomes a technical issue, and that is paper mail, snail mail. There’s still a lot of important paperwork that people are having rerouted to their homes, or maybe if they’re like me, they’re picking up regularly from their corporate office location, and then processing that at home. I think one good best practice recommendation would be to scan that information and save it securely in a location that it’s available to the company, so that if you do have a failure of your computer, whether it’s a laptop or a desktop, that again, that information is available to folks.
In a lot of cases, the type of information you might be scanning might be receipts for expense reimbursements. It could be tax filing. Any of that type of information that’s kept for record keeping over an extended period of time, you’d probably want to make sure if you’re handling physical paper, that you’re getting it scanned and placed on a corporate directory where it’s securely safeguarded for long-term retrieval, if need be. Just some pointers to help ensure that data’s protected.
Karen Roby: In general, is this something you think companies take for granted, that their employees actually know what to do?
Erik Eckel: That’s a good question. What I’ve learned through a few decades in the corporate world, maybe it took me longer than some other folks, is everyone’s making this up as they go along, I think. Some organizations are probably on top of this. They probably have a standard operating procedure that says, “If anyone’s working remotely, here are the guidelines that they follow.” The majority of small and medium businesses and those that I’m familiar with having talked to their owners, or neighbors who are employees at those types of companies, there weren’t a whole lot of guidelines on sending everybody home to work remotely through an extended period. This won’t last forever, but I think companies are struggling to just figure out what the fall’s going to look like. I think a lot of organizations expected that children might be returning back to school and parents would start getting back into a routine again. In a lot of cases, that’s not happening, it’s hit or miss. Some colleges are going to play football, some aren’t. There’s just a lot of confusion right now. I think that’s true in how companies administer their data.
I don’t think companies have hard-and-fast rules in a lot of cases on how to handle data that’s being stored on computers at people’s homes, who normally would have worked in the office, or what do you do about paperwork? You’re talking about paperwork that can have sensitive information, it can have HIPAA protected data, it can have Social Security information, and there is an obligation to continue to maintain the security of those documents and that information. I would recommend that anybody who’s working from home, working with that material, touch base with the IT contacts at their company, or that if you’re an IT manager, that you work with folks who are working from home to make sure if you have any of that sensitive data in play, that it’s being safeguarded correctly.
Karen Roby: Do you think, in general, that people are getting a handle on security, that they’re understanding, and companies are more understanding of how important security is?
Erik Eckel: Everyone understands the importance of security, but I’m not sure everyone understands the daily nuance, how the seemingly insignificant actions become important so quickly. Simply receiving an email message from a vendor that says, “Hey, here’s a receipt, or here’s an invoice for the services.” These can be invoices that appear to be coming from companies with whom you regularly work, but it’s not an authorized message. It’s, in fact, a corrupted message, a phishing message. Anyone can pick up a newspaper and read about how hackers have keyed in on the vulnerability that exists as people are working from home, amid some confusion and questions around security. I would recommend that people not click on anything that they weren’t anticipating receiving without first asking some questions, that whenever connecting to corporate resources you make sure you’re doing that over a secure, typically a VPN, connection, or if you’re accessing cloud applications, that those are secure sites, and that you’re leveraging multi-factor authentication for every login that you can. Typically, that involves using a program that generates a special code for you, or sending an automated code to your cell phone. I think everyone’s familiar with those now. Make sure we turn those on, those are our great preventive measures. They’re not perfect. There’s a lot of confusion. There are people who are going to take advantage of that confusion, as well. Try to minimize as many of those opportunities as you can, reasonably.
Karen Roby: It’s so unfortunate that during uncertain times and a little bit of chaos, that is when the bad guys really thrive. That’s when they take advantage of opportunities to really wreak havoc.
Erik Eckel: I would recommend that if, especially people who are working in human resources capacities, and working with any other sensitive data, you’ve also got an obligation to protect your screens from being viewed by other people in your home. That sounds a little draconian, but if you think about it, if you’ve got within your pod family that you are sharing experiences through this pandemic, if you’ve got a couple of neighborhood children hanging out with your kids, you would never want them to read things about a parent or a work improvement program that a friend or someone who’s known throughout the neighborhood, you wouldn’t want to reveal that information inappropriately. It is important if you’re going to leave a computer out in a kitchen area, or on a common desk area around a coffee table or wherever people might be working from, that you set those screens to go to a screen saver, or minimize windows that are open. Even email messages, if you’re like me you receive the notifications for email that comes in, and there can be sensitive information just within those messages. Just a heads up to be mindful of that, and maybe adjust your practices to help keep sensitive information secure.