By Jon Fielding, Managing Director, EMEA, Apricorn
More than a third of UK employees work remotely at least some of the time, according to recent research from Apricorn. As this number increases, so will the volume of sensitive data and personally identifiable information (PII) being physically moved outside the workplace – and your enterprise security controls – every day.
Mobile, portable and removable devices are highly susceptible to loss and theft. Tools such as firewalls, VPNs and gateways cannot protect information when it’s taken beyond the corporate network.
Almost all (95 per cent) of UK organisations that responded to the Apricorn survey agreed they still had problems with mobile working, with a third admitting they’d already experienced a data loss or breach as a direct result. To add to this, 30 per cent of respondents from organisations that were subject to GDPR cited mobile working as the most likely cause of non-compliance.
Some organisations have taken radical steps to mitigate the risk. Nearly a third physically block all removable media; this has risen since 2017, when 18 per cent of respondents said they had taken this approach. A further 22 per cent ask employees not to use removable media, although they have no technology to enforce this.
But a unilateral ban is not the solution. Limiting access to mobile technologies and applications ignores the problem altogether, while forming a barrier to flexible, productive and efficient working. The best way to safeguard information on the move is to develop a mobile security strategy that covers people, policy and tools.
Step 1: Identify and address the risks
Audit all of the data you hold, who accesses it, how they use it and why, and then map out the security controls applied to information at each stage of its journey. This will help you to determine the specific risks it’s exposed to when it’s on the move and at rest, and highlight any gaps in your security strategy that leave data vulnerable.
Step 2: Create specific policies to protect it
These should include procedures and processes that cover the mobile and flexible working practices employees are required to follow, together with the types of mobile devices, removable hard drives and USB storage devices allowed and how they must be used. Apricorn’s survey found that one in 10 companies do not currently have policies that cover storage devices such as USBs, or remote working and BYOD.
All policies ought to be simple to follow, and clearly set out, to encourage buy-in and adoption. Policies can be enforced through, for example, only allowing IT-approved devices to connect to the corporate network.
Step 3: Equip staff with the right tools
More than half of organisations insist that their mobile workers are willing to comply with security measures, but lack the necessary skills and technologies to do so. For 53 per cent of companies, one of the three biggest problems with mobile working is the complexity of the technologies and tools they’ve implemented to keep data safe.
Devices provided to mobile workers must be intuitive and hassle-free to use. These should include a straightforward, corporate-standard mobile storage device that features strong hardware encryption. The business can monitor and enforce their use by whitelisting on the IT infrastructure, and locking down USB ports so they can accept only pre-approved corporate devices.
Step 4: Encrypt everything as standard
Strong encryption forms the last line of defence. It will lock information down in transit, meaning that if a device does get stolen or picked up, the data on it will be unintelligible to anyone trying to access it. Encryption is specifically recommended by Article 32 of GDPR as a method to protect personal data.
Step 5: Build a culture of security
Keeping data safe is everyone’s responsibility, yet nearly one in five IT managers believe their organisation’s mobile workers don’t care about security.
Training employees in the mobile working processes they’re expected to follow, and the correct use of the technologies provided for their use, is vital. Equally important, however, is educating people in the value of the data they work with, the risks of mobile working and the consequences of failing to follow security policies – accessing work systems and apps over an unsecured Wi-Fi connection, for instance, or saving customer data to an unencrypted USB to work on offsite.
An increase in the number of people working remotely will lead to more and more sensitive and confidential information being removed beyond the confines of the corporate network. Organisations need to ensure that any data, be it at rest or on the move, remains secure – but without creating any additional complexity.
By creating a comprehensive mobile security strategy, and reviewing and updating it at regular intervals, you’ll be able to control, monitor and securely manage data when it’s on the move, without compromising availability.