Secure mobile working: Turn the weakest link into the strongest asset

gpsj-logo-2.png

WEDNESDAY, DECEMBER 13, 2017 | GOVERNMENT AND PUBLIC SECTOR JOURNAL, JON FIELDING

Without question, mobile and remote working offers huge business benefits, but it also exposes organisations to risks that can be challenging to manage. Organisations are not only tasked with managing flexible working practices, but also faced with the need to provide the necessary tools and training to enable employees to do so securely. A survey conducted by Apricorn found that 70 per cent of surveyed businesses said that securing corporate data is an ongoing battle, and 53 per cent said that managing all of the technology that employees need and use for mobile working is too complex. The Human Element The crux of the problem, however, remains with the user. Human beings are typically the weakest link when it comes to data security. Forty Eight per cent of the surveyed companies said employees are their biggest security risk, and as many as 44 per cent expect that employees will lose data and expose their organisation to the risk of a data breach. These risks span across all organisations, and the public sector will always be a popular target due to the nature of the information they house. Earlier this year, the WannaCry ransomware attack affected more than 300,000 computers globally, and disrupted the operations of many major organisations, including the NHS. Whilst this wasn’t a direct result of mobile workers, it was an example of how a lack of knowledge and failure to apply basic security practice can have detrimental repercussions. If public sector organisations want to prevent attacks such as this, they need to ensure that staff have basic cyber-hygiene and recognise the need for policies and how to adhere to them. Data on the Go Many organisations are underestimating and neglecting the risks they’re exposed to from well-intentioned employees. For the first time in history, more users last month accessed the web from mobile devices than they did from desktops or notebooks according to data released by StatCounter. With the rise in mobile working, the security risks are mounting, and this is despite 29% of Apricorn surveyed organisations admitting they have suffered a data breach as a direct result of mobile working. Even with the increasing emphasis on cyber security, many employees are neglecting information security practises, whether it’s password security or leaving devices on public transport. In 2014, Londoners left 25,000 devices such as phones, tablets and USB sticks on trains, buses and trams, with USB devices numbering almost 1,500. Just last month an unencrypted USB device was found on a London street containing security details for London’s Heathrow International Airport, including security measures and travel details for the Queen. The security implications surrounding this are huge, and had the information fallen into the wrong hands, the repercussions don’t bare thinking about. Device losses such as this merely highlight the need to have provisions in place to protect information on the move and ensure that our weakest link, employees, can become the strongest asset. Below are three steps that covers policy, people, and tools and encryption as a way of removing the risk of human error altogether. Policy Organisations must get their houses in order, but this is not a simple process, and the ownership of data is often an issue. As part of the new General Data Protection Regulation (GDPR) requirements, businesses must demonstrate that they are controlling who is authorised and has access to sensitive information, and why. Employees require adequate education and necessary policies should be created and enforced to avoid putting company data at risk. Organisations need to establish security policies and procedures that cover all types of removable media, mobile devices and flexible working if they are to effectively manage the risks. Since one in ten companies, regardless of size, does not have a strategy that covers removable media such as USB sticks and 23 per cent of organisations admitted that they have no way of enforcing relevant security strategies they have in place, it is clear organisations have a long way to go. Apricorn’s survey also revealed that 24 per cent of the surveyed companies were not aware of the impending GDPR, due to come into force in 2018, or its implications. Worryingly, 17 per cent of those who were aware had no plan for compliance. Organisations will benefit by maintaining security standards and keeping abreast of changing compliance mandates to ensure the security of the user, device and the data that it houses. People Frustratingly, employees often see security policies as a barrier to productivity. When it comes to the mobile workforce and data security, employees should be trained on the secure use of their mobile and removable devices and the necessity to follow the corporate security policy at all times. Organisations must monitor how data is processed, stored, retrieved and deleted in order to remedy any shortcomings and ultimately avoid a costly data breach. Tools and Encryption Encrypting valuable or sensitive data enables organisations to manage their risk and is a critical piece of the armoury. When properly embedded within an information security plan, it will provide the most effective last line of defence. Encryption should be automatic and invisible – without the option for users to choose to encrypt or not. An organisation’s information security policy should be enforced through technology where possible, by locking USB ports to only accept corporately approved hardware encrypted USB devices for example. Data Encryption is an important element in GDPR compliance and helps mitigate an organisation’s obligations in the event of a breach and will be considered in mitigation should any fine be deemed necessary. The combination of policy definition and enforcement, employee education, and data encryption, will enable employees to take control over intellectual property and help protect themselves, and the information they access, from the threat of a breach. For further information please see: Twitter @Apricorn_info and their website is at: www.apricorn.com/