Planes, trains and buses – how security can quickly go off the rails
The ever-increasing trend to work anywhere, anytime using mobile technology comes with cyber-security risks, especially during the holiday break when lawyers and staff are travelling, writes Mark Andrews.
You may have made the call or heard someone else on a mobile phone saying, presumably to someone at home, that they are on the bus and will not be long. Of course, this is not the only thing you may hear or see on the bus, or on a train for that matter or in some other public space. In the modern workforce, it is possible to work just about anywhere and at any time. Often the pressure to meet deadlines and client demands can place us in unsafe environments in which we need to complete work.
Let us consider the area of transport: the phone call you take on the bus, the emails you are checking on the train, the document you work on while on a plane, the negotiation you complete in a taxi, or the spreadsheet you finalise at the airport. It can greatly sharpen your security awareness if you start with the premise that the person sitting next to you, or reading over your shoulder, or simply hearing your conversation, is working for a competitor or on the other side of a deal.
Stay alert
Risk assessments are essential when working in different locations and while travelling. A simple initial assessment should involve a visual check to determine who may be able to see or hear what you are doing. It will also depend, of course, on what you are doing; clearly, on occasions it may not matter if others are listening in or watching you. From this risk assessment, you may conclude that it is fine to complete the work or you may decide that you need to either wait or to take measures to gain increased protection such as using a privacy screen.
Perhaps you are thinking I am being overly cautious, but I can recall a number of times when, for example, I have sat next to someone who was working through sales figures and presentations and their company was easy to identify. Some high-risk areas include lifts, trains, planes and airport lounges. We should always exercise a higher degree of awareness about what we are saying and doing in these environments. Mobility has exponentially multiplied the number of risks to security and confidentiality. Whereas the traditional workplace can be physically secured and we can control who enters and leaves, this is not the case for the wide range of public and semi-public spaces in which we now work. It is incumbent on us all to be more aware of risks in our many and varied physical environments.
Holiday hazards
Many of us periodically head off on holidays. It is a great time to relax, but this can lead to a scenario whereby we let down our guard in terms of security. Hotels and resorts are really no different to some of the abovementioned transport examples, but the fact that we may feel a little less cautious is a risk in itself. When that call comes through while you are lazing by the pool, or if your iPad or another tablet needs to come out while you are on the beach, remember that a risk assessment needs to happen – and not just to address concerns about getting sand in your device.
Social butterflies
Many of us have made it far easier for others to get to know us and pose as trustworthy connections. They can read our articles, see what we post online and perhaps view our LinkedIn profile, including our work history and education. People can and do use this information to establish a connection and build trust – sometimes for good and sometimes not. The mindset we adopt in working anywhere and at any time – while not always thinking about the risks in the environment – can translate to an overly trusting approach when it comes to social media, in particular. Social media is extremely important to many of us professionally and personally. Avoiding it may be an option for some, but that number is shrinking. However, just as we need to undertake a risk assessment in the physical environment, we need to do the same for social media.
One approach is to think about ‘risk in’ and ‘risk out’. ‘Risk in’ is what we can do to reduce the risk that our social media activity creates, and ‘risk out’ is about the mindset we adopt when reacting to information coming to us via social media. We reduce ‘risk in’ by limiting excessive personal information, using different email addresses for social media sites that have no or limited business purpose, and by not painting such a comprehensive picture of ourselves that someone could too easily pose as an old school connection or university friend.
‘Risk out’ simply refers to applying caution when using information from social media and to have a mindset that any unsolicited communication, even if from a connection on social media, needs to be treated with care.
Blurred lines
Mobility leads to discussions about life balance and the blurring of lines between work and life. One of the things that does get blurred is password protection. A while back, in writing for ALMJ, my colleague Brent Snow discussed the issue of passwords and the need to take care. People often want to make things easy for themselves and as a consequence have common passwords across various domains of their life.
A key risk-mitigation approach is to ensure we ‘un-blur’ our life with passwords. Here are a few questions to ask:
- If I knew your work password, could I also get into your social media accounts?
- Is your mobile device password the same as any other passwords?
- Could I use a small variation on your work password to log in to your bank?
- Is your work email address the user ID for social media, your bank, your utility providers or any other sites and services you use?
- Do you take the opportunity to update other passwords when you are forced to change your work password?
It is often helpful to group the various domains of your work and life activity by risk. Doing this can ensure that you separate financial, social and work activities and have a more robust approach to passwords.
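The questions above can be turned into a self-audit over a list of your own accounts grouped by risk. The following Python is an added example, not part of the original article; the account names, risk groups, passwords and the `firm.example` domain are constructed, and it covers the reuse, small-variation and work-email-as-user-ID questions.

```python
import re
from itertools import combinations

# Constructed sample inventory: (account, risk group, user ID, password).
ACCOUNTS = [
    ("firm-login", "work", "j.doe@firm.example", "Harbour2023!"),
    ("phone-pin", "device", "", "Harbour2023!"),
    ("bank", "financial", "j.doe@firm.example", "harbour2024"),
    ("linkedin", "social", "jd.personal@mail.example", "T7#qvLm9zRw2"),
]
WORK_DOMAIN = "firm.example"  # assumed work e-mail domain (placeholder)

# Common character substitutions, undone before comparing base words.
LEET = str.maketrans("013457@$", "oieastas")


def stem(password):
    """Reduce a password to its base word so small variations collide."""
    # Drop leading/trailing digits and symbols (years, "!", counters).
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    # Undo substitutions, then keep letters only.
    return re.sub(r"[^a-z]", "", core.translate(LEET))


def audit(accounts, work_domain):
    """Return findings that cross risk groups, one tuple per problem."""
    findings = []
    for (a, grp_a, _, pw_a), (b, grp_b, _, pw_b) in combinations(accounts, 2):
        if grp_a == grp_b:
            continue  # only reuse across different risk groups is flagged here
        if pw_a == pw_b:
            findings.append(("same-password", a, b))
        elif len(stem(pw_a)) >= 4 and stem(pw_a) == stem(pw_b):
            findings.append(("variation", a, b))
    for name, group, user, _ in accounts:
        # Work address used as the login for a non-work service.
        if group != "work" and user.lower().endswith("@" + work_domain):
            findings.append(("work-email-as-id", name, None))
    return findings


if __name__ == "__main__":
    for kind, first, second in audit(ACCOUNTS, WORK_DOMAIN):
        print(kind, first, second or "")
```
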
Smart decisions
Our ability to work anywhere, anytime does not always mean we should work anywhere and anytime. The best form of physical security is to make conscious decisions about what we do and when we do it – not just professionally but also with our own financial matters and other business. Do you really need to complete your banking while in transit, or could you wait until you reach your destination? Can you delay that phone call a few minutes until you are somewhere more private? It is also important for firms to provide training in some form to all staff – legal and non-legal – about security risks, particularly around this time of year.
What we do and when we do it has a major impact on our risk profile, but as discussed there is a range of simple steps we can all take to reduce the risk. If you are taking a break in the next few months, make sure you enjoy yourself and relax – but be safe and secure.
Mark Andrews is director – projects, IT and knowledge at Baker & McKenzie. He has a varied background, including time in the public and private sectors, along with considerable professional services experience. He has held roles ranging from HR to management consulting and has previously been a guest lecturer as part of UTS’s Executive MBA program.