Remote work may put government data at risk
- By Rick Vanover
- Jan 04, 2021
This article was originally published by GCN.
As COVID cases continue to rise, more than half of federal workers are expected to remain remote in some capacity well into the new year, and the lines between personal and government-issued devices are beginning to blur.
The concept of bring your own device (BYOD), while convenient, has limited agency control, making concerns about unauthorized access to government systems and data a growing priority.
Months of isolation and the normalization of remote work have led some employees to let their guards down. They may be opting to use a home computer for some tasks to get work done. Perhaps they have a program installed on their personal device that would make crafting reports and memos easier.
It may seem like an innocent productivity hack to transfer data from one device to another, or to simply check personal email on a work device, but the repercussions could be severe. These seemingly time-saving actions not only lead to data sprawl, but they also contribute to the potentially more harmful data mingling.
Data sprawling and co-mingling across agencies and personal devices is nearly impossible to manage and even more challenging to control and secure. Lack of encryption or outdated operating systems can leave personal laptops and mobile devices open to potential hacks and significant data loss. Whether on the battlefield or in government offices, out at sea or in space, secure and accessible data is critical.
The first step in managing the use of personal devices and the data on them is for IT teams to educate staff about the risks involved -- especially if workers eventually plan to discard their devices. Employees should be trained in government security practices and understand how that translates to personal devices.
Part of this employee training should include instructions on how to properly wipe the contents off personal devices if they eventually upgrade or resell them. With the used smartphone market expected to reach approximately $39 billion by 2025, the chance that government data on personal phones may fall into the wrong hands is not taken seriously enough by most agencies.
Staff must also be briefed on how to identify potential malware, phishing or ransomware attacks on their personal devices. If employees are able to identify these threats, it massively mitigates risk of data being lost at all.
Manually put protections in place
Information and data allow agencies to make critical decisions on day-to-day missions, and threats to government data could be catastrophic, making data protection essential. In addition to educating staff, here are some protections IT teams can manually put in place to mitigate risks even further.
- Regularly update software. If employees opt to use their personal devices for work, it they must be required to update their phone regularly. Be sure to provide staff with the support necessary to deliver these updates.
- Encrypt data for protection. Although smartphones and tablets have encryption options that will protect stored data, agencies may consider requiring staff to come on-site to run a full security check and diagnostics on their devices, ensuring encryption is up-to-date and security applications are running properly.
- Increase data protections. Security incidents involving employees working from home can arise from misuse of government desktop sessions for non-work-related activities such as social network browsing, audio and video streaming or personal shopping. All of these activities increase the possibility of sensitive government projects and information being exposed to unauthorized individuals.
- Ensure an effective backup plan for data. Protecting information is challenging when it's on a remote worker’s home laptop. Having a reliable backup plan for further data protection can prevent issues introduced by remote workers that could potentially impact agency missions and access to critical data.
- Clear all phone data. If government employees decide to move on to a new device or stop using their current device, agencies must have a procedure to manage the deletion of all data from that phone and a strict policy around discarding even unauthorized devices used for work to prevent access to work-related content stored on personal equipment.
Teleworking allows the government to carry on its critical mission to serve the public, and as it increasingly becomes the new normal, managing the sprawl of government data continues to be complicated. While the COVID-19 pandemic resulted in a nearly overnight shift to remote work, these flexible work trends had been forecasted to continue over the next five to 10 years. As we look to the future, remote work may become even more complicated, making it absolutely crucial for agencies to plan for the realities of data mingling becoming too overwhelming to handle.
As their agencies take on more flexible working arrangements, it is imperative IT teams understand all the risks – including those that come with using personal devices -- and have precautions in place to ensure ultimate data protection.