Securing the Mobile Workforce
It’s interesting to note that device loss accounts for 41% of breaches, compared with 25% that derived from hacking and malware, according to Trend Micro. Overall, there has been a 300% increase in mobile device OS vulnerabilities since 2011, and businesses are realizing the increasingly critical need to protect company and customer data. As networking environments have evolved, IT departments have adapted to growing security threats in mobile devices. Cabir, the first virus that infected smartphones, reared its ugly head in 2004, and by the time iPhones and other smartphones emerged, a whole new generation of security woes had been born.
More than half of organizations have identified employees as the source of a major security breach, either due to falling victim to phishing, using unapproved apps, using unsecured Wi-Fi networks or through simple human error. In a report by Apricorn, nearly 20% of organizations believe their mobile workers don’t particularly care about security, with one in three experiencing data loss as the direct result of their mobile workforce.
In this age of “supermobility,” in which mobile devices provide all the tools employees need to be productive away from the office and IoT initiatives keep growing, there is a seemingly infinite number of endpoints that need to be secured. Mobile device security refers to the measures taken specifically to protect sensitive data stored on portable devices, and to the ability to prevent unauthorized users from accessing mobile devices and the enterprise network. Devices that require protection of this sort include laptops, tablets, smartphones, wearables and other portable devices. Today, the majority of businesses use these devices to conduct routine business, and the devices themselves can hold hundreds of gigabytes of private data: everything from healthcare information to customer credit card and social security numbers and more.
While the first instinct might be to lock everything down like Alcatraz, company security policies, an efficient security posture and backup plans for mobile devices can help align policy with culture and avoid putting an airtight seal on the organization.
In an article in Computerworld, Adrian Duigan has some suggestions about establishing a successful security policy; in addition to the suggestions we’re digging into in this blog post, here are a few other points to consider when implementing or updating your company’s security policies:
- Check out what organizations similar to yours are doing
- Ensure your policy conforms to all legal requirements
- Overprotection could be a liability, as well; sometimes an Employee Code of Conduct may be all you need
- Include staff members in policy development; being a part of the process not only helps with policy adoption, it also makes them a part owner in its success
- Make sure your policy is in writing and that all employees have acknowledged their acceptance of the policy in writing
- Set clear penalties and enforce them
Security awareness training should be rolled out to all existing mobile workforce employees and become a part of on-boarding for new employees. This training should be held annually, both as a refresher and to update any outdated information. Similar to in-office security training (such as keycard usage and clean desk policies), the training for a remote workforce should focus on things like the dangers of public Wi-Fi spots, the usage of removable media (such as USB drives), what to look for in phishing emails or spoofed accounts, and the security and password requirements for smartphones, laptops and other mobile devices. Ensuring that the policy put in place is representative of the overall culture of the organization is a key factor in guaranteeing that employees will follow the policy once it’s rolled out.
Work with a mobile security vendor who can help IT with adding and provisioning apps, policies and devices. IT can then more easily activate users, set policies and restrictions, deploy apps, connect to VPN, configure email, connect to Wi-Fi, intranet sites and other resources, and remotely lock and wipe devices.
Deploy multi-factor authentication (MFA). MFA is a critical component that costs virtually nothing: a security system that requires more than one method of authentication, from independent categories of credentials, to verify the user’s identity for a login or other transaction. It combines two (or more) independent credentials drawn from three categories: what the user knows (their password), what the user has (a security token) and what the user is (biometric verification). This layered defense makes it more difficult for an unauthorized person to reach their target (in this case a mobile device). If one factor is compromised or broken, there is still one more line of defense in place before the attacker can successfully break into the target.
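To make the "what the user knows" plus "what the user has" layering concrete, here is an added example (not code from the original post or from any vendor it mentions) of a two-factor login check: a salted password hash for the first factor and a time-based one-time code (TOTP, as generated by a phone authenticator app) for the second. The seed is the RFC 4226 test secret and the password is a constructed demo value; both are assumptions for the example, and in a real deployment the seed would be generated at enrollment and stored server-side. The point the code makes is the one in the paragraph: a correct password with a wrong code, or a correct code with a wrong password, still fails.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values (assumptions for this example, not real credentials).
# The seed is the RFC 4226 test secret so the codes below can be checked
# against the RFC's published vectors.
DEMO_TOTP_SEED = b"12345678901234567890"
PASSWORD_SALT = b"constructed-demo-salt"


def hash_password(password: str) -> bytes:
    """Factor 1, 'what the user knows': store only a salted scrypt hash."""
    return hashlib.scrypt(password.encode(), salt=PASSWORD_SALT,
                          n=2 ** 14, r=8, p=1, dklen=32)


# Constructed demo password, stored only as its hash.
DEMO_PASSWORD_HASH = hash_password("correct horse battery staple")


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, at_time // step, digits)


def verify_totp(seed: bytes, submitted: str, at_time: int,
                step: int = 30, skew: int = 1) -> bool:
    """Factor 2, 'what the user has': accept the current step plus +/- `skew`
    steps to tolerate clock drift between the phone and the server."""
    counter = at_time // step
    for c in range(counter - skew, counter + skew + 1):
        # Constant-time comparison so a wrong code leaks nothing via timing.
        if hmac.compare_digest(hotp(seed, c), submitted):
            return True
    return False


def two_factor_login(password: str, code: str, at_time: Optional[int] = None) -> bool:
    """Both factors are evaluated and both must pass; a single compromised
    factor is not enough to get in."""
    if at_time is None:
        at_time = int(time.time())
    knows = hmac.compare_digest(hash_password(password), DEMO_PASSWORD_HASH)
    has = verify_totp(DEMO_TOTP_SEED, code, at_time)
    # Evaluate both before deciding, so the response time does not reveal
    # which factor failed.
    return knows and has


if __name__ == "__main__":
    now = int(time.time())
    current_code = totp(DEMO_TOTP_SEED, now)
    print("login with both factors:", two_factor_login("correct horse battery staple", current_code, now))
    print("login with password only:", two_factor_login("correct horse battery staple", "000000", now))
    print("login with code only:", two_factor_login("guessed-password", current_code, now))
```

The `skew` window is the usual trade-off: one step either side keeps a slightly drifted phone working while limiting how many codes are valid at once. Per-user rate limiting on failed attempts belongs in front of this check, since a six-digit code on its own is small enough to guess given unlimited tries.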
BakerHostetler’s 2019 Data Security Incident Response Report notes that raising employee awareness and employing multifactor authentication are still two of the best defenses to address the employee risk factor. “Now more than ever, mobile devices have a target on their back,” said Mike Feibus, principal analyst with FeibusTech. “It’s ironic, but the more mobile devices are used as a multi-factor option to secure PCs, the more desirable they become to hackers. And as everyone knows, where there’s a will, there’s a way.”
Virtual private network (VPN) technology was developed to enable remote users and satellite offices to securely access corporate applications and resources. Previously, VPNs were built for fixed networks with high bandwidth and relied on the user having a stable IP address. Now, forward-thinking companies are applying this same technology to their mobile workforces to enhance the privacy and security of their devices. Special care should go into determining which VPN provider is right for your company. Make sure to consider the types of devices, the devices’ OS and the VPN hardware to ensure the solution is a good fit for each of these.
Understanding the risks
It’s easy to underestimate the risk mobility poses to an organization. Whether used by in-office personnel or a remote workforce, mobile devices should not be the source of truth for any of your data. Companies should operate on the assumption that a stolen, misplaced or breached device is highly likely, and plan accordingly. Examples of this preparation include backing up mobile devices daily and ensuring that a data classification policy is put into place and followed, allowing users to make more informed decisions about which data can or should be copied to a mobile device and which data should never leave the network.
Data loss costs companies more than you think. According to cloud data protection company Druva, “every lost laptop costs an organization approximately $49,000.” These costs are obviously not related to the actual value of the device but rather to the value of the data on it, the loss of intellectual property and the impact of potentially compromised proprietary data. Add to that the inevitable loss of productivity and employee downtime, and the financial impact of that data loss increases even more.
In 2018, the University of Utah Eye Center identified that a computer and its associated external storage device had been stolen from their facility. Due to data privacy laws, the university was required to notify more than 600 patients that their protected health information was potentially at risk. As an added measure, they also proactively established a dedicated call center to help the affected patients navigate the aftermath. The potential damage to the Eye Center’s reputation could have reached a point of no return if the University hadn’t mitigated the damage and proactively attempted to retain their patients’ trust.