In the modern world, the traditional office building is becoming a thing of the past and most enterprises are starting to embrace mobility. Indeed, concepts like telecommuting are now commonplace, because they remove recruitment restrictions such as location, while also offering various other benefits.
For instance, a study from TinyPulse found that remote workers were happier than office workers and also felt more valued. Meanwhile, research from the Harvard Business Review found that, contrary to popular belief, those working from home are actually 13.5 percent more productive than those working in an office environment.
Given that it can increase productivity, improve morale and potentially reduce staff turnover, it is little wonder that businesses are embracing mobility. However, it also throws up issues, one of the most important being cyber security. So how exactly can enterprises maintain security in today’s landscape?
Where mobility and security collide
Organisations that embrace concepts like remote working must place a great deal of trust in their employees and this is especially true when it comes to cyber security. In fact, by definition, enterprise mobility means sacrificing a certain level of control, because you cannot monitor people 24 hours a day, 7 days a week, 365 days a year.
Unfortunately, mistakes can happen. If you have read about a major data breach in the past few years, there is a reasonable chance it was caused by an employee leaving a memory card on public transport, or misplacing a device. If someone in your enterprise makes such a mistake, it could mean sensitive data getting into the wrong hands.
Similarly, companies rely on their remote workers to follow ‘best practices’ for security. It will usually be impossible to know if staff are using sufficient data destruction techniques before throwing a personal device away, while cloud-based file-sharing is a potential cyber security minefield, as data can be accidentally made public.
The issue with third-party software
Although present-day mobility is a major plus point for many enterprises, carrying out an IT security audit should highlight numerous problems. For instance, remote workers may be accessing the company network from a personal device, and the company may have little or no ability to check how that device is being used in private.
The average mobile phone has dozens of apps installed, and each mobile device is likely to have a different selection of apps. The same applies to computers and software. This means that companies are potentially at the mercy of thousands of pieces of third-party software, which they will have no ability to identify and protect against.
Even if you could somehow guarantee that all of these applications are completely legitimate and downloaded through channels like Google Play, which is almost impossible, more than 50 percent of all mobile apps communicate the device ID to a third party and more than 40 percent send location data to a third party.
“What many companies have had to learn the hard way is that allowing employees to simply use their own personal devices to access the network is like leaving the back door open,” explains Mike Miranda, an enterprise software expert, writing for Information Security Today.
Maintaining mobility and security
Despite the potential security issues, it is important to acknowledge the benefits associated with ‘bring your own device’ policies. For example, an IBM study found that BYOD can lead to productivity increases, significant cost savings for businesses and greater employee satisfaction. For these reasons, it should be embraced. However, it is essential for companies to put appropriate security procedures in place.
It is sensible to monitor usage, but this must be restricted to monitoring work-related activities, or activities which involve the use of company networks and data, in order to strike the right balance between security and privacy. Staff should be made fully aware of all company security procedures, including the policy on activity monitoring, while taking staff through basic IT security training can help to minimise other problems. For example, it may be useful to teach staff how to securely wipe data before handing devices down to family members, and how to make sure they are only installing apps from reputable sources.
Finally, while it is not always possible to prevent problems like devices being lost and stolen, it is possible to make sure staff know how to securely lock their device, and to make sure important company information and data – whether on company networks or the cloud – cannot be accessed without the right credentials.