Jan van Vliet, VP and GM EMEA at Digital Guardian, discusses some of the security challenges that mobile working presents to businesses and how they can be addressed with the right application of training and technology.
Mobile working initiatives have gone from avant-garde to the accepted norm in recent years, but while the benefits mobile working offers both employees and businesses can be great, it also comes with numerous pitfalls that must be carefully considered.
Chief among these is the additional security risks from allowing employees to access and store sensitive or confidential information on their mobile devices from anywhere, at any time. Once this information leaves the protective environment of the business network, it becomes much more vulnerable to theft or misuse.
This is particularly true if employees are careless with their devices and, unfortunately, they tend to be much more careless than you would think. Recent research found that 26,272 mobile devices were reported as lost on the Transport for London (TFL) network in the last year alone, of which 23,453 were handhelds and 1,155 were laptops.
The recently imposed General Data Protection Regulation (GDPR) has also raised the stakes for many businesses, with fines of up to €20 million or 4% of annual global turnover for breaches resulting from non-compliance. Of course, this is before the cost of subsequent reputational damage suffered as a result of any breach is factored in as well.
While it’s impossible to prevent employees from losing devices, fortunately there are a variety of measures that can be taken to improve the overall security of mobile working initiatives without imposing overly stringent limitations that would impact employee productivity or satisfaction. Below are four key areas that businesses can focus on:
Data security training
One of the cheapest and most effective ways to improve data security is to invest in regular training sessions. Not only does this keep security top of mind for all employees, it also helps them better understand the risks and potential consequences of losing a mobile device.
Well-trained employees will not only be more vigilant against known security risks, but they will also know exactly what to do in the event of a lost or stolen device. This includes immediate reporting of the loss/theft and even remotely wiping the device, if possible.
Creation of a clear mobile working policy
In order to avoid uncertainty, businesses should create and enforce a clear mobile working policy. This policy must cover key security aspects and every employee should be clear on it before being allowed to participate.
The policy should clarify the business’s stance on areas such as the minimum security requirements for mobile working devices, the permitted applications and assets that employees can access, and employee responsibility for backing up business data and storing it securely. The policy should also be explicit on the business’s rights for altering the device, such as remote wiping, in the event of loss or theft.
This includes the business’s liability for an employee’s personal data, should a device have to be wiped as a security precaution, as well as employee liability for the leakage of sensitive company data brought about by negligence or misuse.
Data encryption
Mobile working initiatives take data outside of a business’s enterprise security measures, so it’s critical that this data is encrypted both when in transit and at rest. Encryption solutions can provide protection for devices, email and data itself. Furthermore, secure encrypted email is the only answer for regulatory compliance, a remote workforce and project outsourcing.
Data Loss Prevention (DLP) solutions
DLP is a set of tools and processes designed to ensure sensitive data is not lost, misused or accessed by unauthorised users, making it particularly well suited to businesses operating mobile working initiatives.
DLP software starts by classifying a business’s regulated, confidential and business critical data, then identifies any user violations of policies defined by the business. If violations are identified, DLP software can respond with alerts, encryption, or a range of other protective actions to prevent users from sharing data that could put the organisation at risk, be it accidentally or maliciously.
DLP tools can also monitor and control endpoint activities, filter data streams on corporate networks and monitor cloud activity to protect data in use, in transit and at rest.
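The classify, detect and respond flow described above can be sketched in a few lines. This is an added example, not code from Digital Guardian or any DLP product; the labels, channel names, patterns and policy table are assumptions chosen for illustration.

```python
import re

# Constructed policy: classification label -> action per destination channel.
# Labels, channels and actions are illustrative assumptions.
POLICY = {
    "regulated":    {"corporate_email": "encrypt", "personal_cloud": "block", "usb": "block"},
    "confidential": {"corporate_email": "alert", "personal_cloud": "block", "usb": "alert"},
}

# Candidate payment card numbers: 13-19 digits, optionally space/dash separated.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Document markings that denote business-confidential content (assumed wording).
CONFIDENTIAL_RE = re.compile(r"\b(?:company confidential|internal only)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return the most sensitive label that applies to the content."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "regulated"
    if CONFIDENTIAL_RE.search(text):
        return "confidential"
    return "public"


def decide(text: str, channel: str) -> str:
    """Map (classification, channel) to a protective action; default is allow."""
    return POLICY.get(classify(text), {}).get(channel, "allow")


if __name__ == "__main__":
    # Constructed sample; 4111 1111 1111 1111 is a widely used test card number.
    print(decide("Card 4111 1111 1111 1111 exp 12/27", "personal_cloud"))
```

The Luhn check is what keeps an ordinary 16-digit order reference from being treated as regulated data, which matters because over-blocking is what drives users to work around the control.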
In recent years, mobile working has become an essential modern business practice that boosts productivity and employee satisfaction, whilst lowering IT costs. However, it also presents its own security challenges and makes round-the-clock data security that much more difficult to maintain.
While organisations can’t eliminate employee carelessness or prevent devices being lost/stolen, a combination of training, clear policies and data-centric security technologies can significantly reduce the likelihood of data loss or compliance failure occurring as a result.