I don’t think it’s uncommon in today’s employment market for employees to take their work home with them. Whether it is a report that needs writing or a market analysis due for a Monday 8 AM meeting, I would say confidently that we have all done it at one time or another.
As security professionals and practitioners responsible for applying standards and regulations such as PCI DSS, NERC CIP and SOX in our workplace environments, do we take our work home with us? Do we apply the same guidelines, policies and best practices to our own home networks and equipment that we apply at work? I’ve had this conversation with several friends and colleagues, and it seems that most of them do not apply the same guidelines at home. I’ll admit I’m guilty of applying only very basic best practices to my personal equipment and accounts.
One could argue that the two environments and their needs are completely different, and that may be true; after all, as individuals we don’t have to answer to a yearly audit of our homes. However, we do have a need, and I would argue a responsibility, to protect our personal data so that it can’t be misused and abused if a breach were to take place.
A breach of an individual looks quite different from a breach of a company. With so much technology in the consumer market (laptops, cell phones, credit and debit cards, and driver’s licenses with RFID chips embedded in them), the vectors available to an attacker to get at our data are nearly limitless.
If an attacker breaches our laptop, for instance, and, like me, you bank online in addition to paying bills, booking vacations, checking email and any number of other activities that expose sensitive personal data, you are suddenly forced to cancel accounts and open new ones, change passwords and watch your credit report to make sure nobody has stolen your identity or obtained data they can use for malicious purposes. Cell phones are another example. I don’t password-protect mine, even though the option is there, because it seems like a “hassle” I don’t want to deal with when I want to get into an application quickly. Yet I subscribe to text banking and have mobile applications for other financial institutions installed and accessible. If my phone is lost or stolen, I’m immediately at risk.
Applying some of the paradigms in use at work to our personal lives can help mitigate that risk: instituting complex passwords with required change dates, ensuring that patches are applied promptly to our computing equipment, enabling strong encryption (WPA2 or WPA3, not WEP, which is broken) on our wireless access point, setting a password or pattern lock on our cell phones, installing tracking and remote-wipe software on our cell phones and, most importantly, honestly auditing ourselves to verify that we are following our own guidelines. One caveat on the first item: current NIST guidance (SP 800-63B) favors long, unique passwords kept in a password manager over forced periodic rotation, and recommends changing a password when there is evidence it has been compromised rather than on a fixed schedule.
So I believe the question “Do we take our work home with us?” should be rephrased and re-imagined as “How much work should we take home with us?” I look forward to seeing how much work my peers in the security industry bring home and apply to their own personal corporation.