How to mitigate the human risk of mobile working -TEISS® : Cracking Cyber Security
Jon Fielding, Managing Director EMEA, Apricorn
Mobile working has become the norm – but many organisations still underestimate the security threat they face from well-intentioned employees carrying smartphones, tablets and removable media devices.
According to Apricorn’s latest survey of IT decision makers, 29% of organisations have suffered a data breach or data loss as a direct result of mobile working, while 44% expect that mobile workers will expose the business to data breaches.
Large volumes of corporate data and personally identifiable information (PII) are being physically taken out of the workplace every day. Mobile and removable devices are at high risk of loss and theft – and so is the information that resides on them, once it is moved or transferred outside the corporate network and systems.
Security strategies and policies are failing to keep pace with evolving working practices and legislation, such as the new EU General Data Protection Regulation (GDPR) which will come into force on 25 May. Tools such as firewalls, VPNs and gateways cannot be solely relied on to prevent data loss or stop cyberattacks – particularly when data is not within the boundary of enterprise security controls.
Limiting access to mobile technologies and applications is not the answer to safeguarding data – this will only restrict productivity. The best approach is to place the employee at the centre of a mobile security strategy that controls, monitors and securely manages data when it exists outside of central systems.
Also of interest: WannaCry, one year on…
Create specific policies that protect data on the move.
These should include procedures and processes that cover the types of mobile devices, removable hard drives and USB storage devices allowed by the business, and how they must be used. Policies can be enforced through, for example, only allowing IT-approved devices to connect to the corporate network.
The business should also clearly set out the mobile and flexible working practices that employees are required to follow. Apricorn’s survey found that one in 10 companies do not currently have policies that cover storage devices such as USBs, or remote working and BYOD.
Other security policies which can be easily implemented through technology include rules on the length and complexity of passwords, and the requirement for auto-lock/self-destruct for lost or stolen devices.
Policies and procedures should not be hard to understand or adhere to – this is when employees will find workarounds or decide to take a short-cut. The more simple and seamless they are, the more likely it is they will be adopted by users.
Also of interest: Anti-malware providers and businesses need to join forces
Mitigate the human risk with training programmes.
People present the greatest threat to the security of mobile data. The lion’s share of breaches are not caused by hackers, but originate from inside the company – either due to negligence, human error or malice. According to the Ponemon Institute’s 2017 Cost of a Data Breach Study, 28% of data breaches are caused by human error. The source could simply be an employee hoping to work more productively by using an unsanctioned cloud service to share documents, for example.
Employees should receive training in the mobile working procedures they are expected to follow, and the compliance requirements specific to the business. They also need to understand the risks and consequences of, for example, accessing work systems and apps over an unsecured wifi connection, or saving customer data to an unencrypted USB to work on offsite.
Also of interest: Can the UK police tackle cybercrime?
Take human error out of the equation.
Strong encryption forms the last line of defence for data security, meaning that if a device does end up in the wrong hands the information on it will be unintelligible to anyone trying to access it.
Encryption is specifically mandated by Article 32 of the GDPR, as a means of protecting personal data.
Also of interest: When a Data Breach Isn’t a Death Sentence for Your Brand
Equip mobile workers with the right tools.
More than half of organisations say that while their mobile workers are willing to comply with security measures, they don’t have the necessary skills or technology to keep data safe.
Employees should be provided with encrypted devices and tools that are straightforward and hassle-free to use: if they’re too difficult to work with people might look for an alternative that has not been sanctioned by the business.
Tools should include a corporate-standard mobile storage device that features strong hardware encryption. The business can monitor and enforce the usage of these devices by establishing whitelisting policies, and locking down USB ports to accept only pre-approved corporate devices.
Look for a device that IT can pre-configure so that it complies with security requirements such as policies on password strength. PIN pad authenticated USB devices can provide onboard and automated encryption, removing the vulnerability inherent in software authentication which opens the door for hackers and keyloggers. .
All employees must be given full training on how to use the technologies implemented, including the secure use of their mobile and removable devices.
The more employees work flexibly and collaborate using mobile platforms, the bigger a business’s attack surface grows. The boundary between enterprise and ‘the rest of the world’ will become increasingly blurred, and security strategies must be rethought to avoid data breaches. Organisations that are not in complete control of their data when it is on the move also risk falling foul of regulations such as the new GDPR.
A mobile security strategy that covers people, policy and tools – and which is reviewed, tested and modified at regular intervals – will enable a business to defend itself against the threats as technology and working practices evolve.