Tom Kington warns against making it easier for staff to access systems from tablet devices without considering the security risks.
One of my clients is keen to take his casework management system (CMS) mobile. He also wants to make it easier for staff to work by implementing single sign-on (SSO), allowing them to access all the charity’s systems via one login.
Adopting tablet devices would eradicate the paper forms currently in use. Gone would be the slow manual input, thus helping to eliminate inaccuracies in data. Giving caseworkers the ability to input information directly into the CMS from a beneficiary’s home would be invaluable to improving the speed of service delivery. But at what cost?
It’s very easy to get wrapped up in the warm embrace of digital innovation – the benefits often sell themselves. But as much as I’m excited about building a groundbreaking mobile solution for my client, I couldn’t call myself a charity specialist unless I outlined the risks.
Offline working
Let’s start with the drive to go mobile – the key here is offline capability. To be the most effective mobile solution, the ability to work seamlessly offline as well as online is crucial. Caseworkers won’t necessarily have access to the internet in people’s homes, but they need to retrieve data from the CMS as well as update results back to it. And to avoid the charity spending valuable budget on hardware, it would be ideal if staff could use any device (BYOD).
All this can be achieved by building a web-based application using HTML5. You can work from any location and from any device, without worrying about syncing data or saving work regularly. With HTML5, it happens automatically as soon as an internet connection is available.
Unfortunately, however, HTML5 apps do pose a security threat. In order to work on any hardware, data has to be stored locally (on the device) until it can be transferred to the central CMS. And currently there is no standard way to encrypt local storage data with HTML5, unlike native Android, iOS or Windows apps.
So the “cost” of this mobility “benefit” lies in analysing the risk of a data breach vs the investment in developing an app for one platform (where you will more than likely need to purchase the devices).
User behaviour
As for SSO itself, surely it can’t be risky given its widespread use? Well, the technology won’t compromise your data when implemented correctly – the risk lies more in user behaviour.
Firstly, let’s examine the benefits of SSO. Obviously it reduces the burden of IT being asked to reset passwords. And saves users time through not entering multiple passwords into different systems (which arguably also makes it secure as users are likely to make one password more difficult to predict). And it’s becoming the norm – just think how often you can “login with Facebook” across various internet sites, saving even more time.
However, what happens if a user leaves their browser unattended? It would leave any other application using that sign-on exposed. Not everyone remembers to lock their devices or set up a passcode to access them. And what if the associated email address is not secure? Many SSO solutions and other authentication mechanisms assume the associated email account is trusted to send password reset links to. If the email account is compromised, so is the SSO account and anything associated with it.
The good news is that tech giants such as Microsoft have launched cloud-based software that enables you to centrally manage all your SSO applications and whatever devices are used to access them. That way not only is your data protected but your staff are productive, on their preferred devices. And the iOS and Android mobile platforms now encrypt data when devices are locked with the user’s passcode or thumbprint, dramatically improving security and privacy for the end user. Therefore the cost/benefit analysis in relation to SSO becomes very much about investing in powerful IT management tools vs educating and trusting staff to be more vigilant.
So back to my client (and your charity too), my advice is to thoroughly analyse all the well broadcast benefits against the practical costs of security. Only by being vigilant as a leadership team can employees be expected to do the same.
Tom Kington is a technical consultant at MSM Software Solved
