The use of mobile devices and a mobile workforce has become the norm. Almost half (48%) of the UK workforce is mobile, and on the move 20% of the time, with half of them using smartphones to access their work email regularly, according to a report by Strategy Analytics. This ability to access the company network from anywhere gives companies the opportunity to increase efficiency, but it also comes with major headaches when it comes to cyber security and data protection, and the implementation of a business continuity plan, should something go wrong and disaster strike.
More platforms, more problems
The increasing use of cloud computing and apps has also reduced the use of central in-house IT services, while the number of communication platforms now available, and commonly used by the workforce, means that email is not always the way in which data is saved, stored and distributed. In effect, the system of record a company needs to keep track of its sensitive data is far more difficult to keep.
As a result, traditional approaches to data protection that rely on all information being created and stored centrally will no longer be fit for purpose, because today, a team member can create a file using personally identifiable information, and save it to their own mobile device or a cloud storage service, without ever even touching a device owned by the company.
Organisations are now, therefore, faced with the risks of not only seeing sensitive data lost or leaked from devices, but not even knowing that the data was created in the first place, if they do not have the right mobile machine management policies and best practices in place.
Mobile Data and the GDPR
This should ring alarm bells as the May deadline for GDPR looms, because in order to be compliant with these strict new regulations, organisations need to be able to prove that they can adequately store and secure all of the data they own. If that data is created remotely and does not come into contact with the main network, it won’t show up in a data audit, and won’t be part of the data mapping process.
This also has big repercussions for business continuity, because in order to keep the company running in the event of major issues such as a tech disaster or malware attack, you need to have records of the most up-to-date files, data, processes and operations from across the organisation to work from until the resumption of normal business practices.
Steps to Mobile Workforce Security
Here are some basic first steps your business should take to strengthen the company’s security when it comes to mobile devices:
Create a mobile device security policy
We have mentioned before that data protection and IT security are not just for the IT team to worry about. They should be covered by an organisation-wide policy that enables all team members at all levels, including the board and HR, to understand their responsibilities, and that explains why the best practices are being put in place. Outline the security implications of mobile devices, and the possible actions that can be taken if the policy is not followed.
Run a security audit
In order to understand where security is vulnerable, your IT team needs to run a security audit that includes every device used to access the organisation’s systems, and this should include all mobile devices that have the ability to tap into the system. For this to work, full transparency will be required from all members of the organisation to detail exactly what they use, what they use it for, and what level of access they have.
Often, this process is best done by an outsourced IT Support service that can take an unbiased and focused approach to assessing the strengths and weaknesses of each device and the overall security policy.
Control all security centrally
Your IT Manager or Chief Technology Officer should be in control of all security settings for any device capable of accessing or adding to your organisation’s central network or systems. This could include:
- Blocking all methods of transfer that do not comply with the company’s security policy
- Implementing mandatory access controls for all devices
- Setting standards for synchronisation to ensure only approved apps are used and mobile devices are unable to sync to other personal devices such as a home computer
- Automating back-up
Opt for CYOD over BYOD
The risks of a security breach are heightened when the company does not have ownership of the devices used to access the organisation’s data, so many companies are now choosing to implement a Choose Your Own Device (CYOD) policy over a Bring Your Own Device (BYOD) one. According to the Strategy Analytics report mentioned above, 60% of UK firms are now choosing to supply their staff with mobile devices, rather than allowing them to use their own.
This gives the company a lot more control over the platforms and apps used to access and transfer data, as each device can be pre-programmed with controls that eliminate high-risk practices. It also means that the organisation can know exactly what data is stored on each device, as they have full ownership of it.
The more types of device and mobile operating systems being used, the larger the security risk, and data protection and machine management challenges. If your company uses one brand or device type and limits the number of systems used on it, the IT team can have a better handle on risks and know how to fix them. This should also include labelling devices and keeping records, just as you would with a standard computer.
Every device capable of accessing and transferring your company’s data should use encryption or pseudonymisation, not just on every file used, but on the device itself. Each device should also require a password, preferably with two-factor authentication or one-time password tokens.
Use a Virtual Private Network (VPN)
When staff are able to access the company’s wireless network from their mobile device, you should treat that access in the same way you would treat access to company files from any other wireless network. You want their use to be secure and transparent, so a VPN can help to keep all in-house data and systems safe from external threats.
Extend antivirus products to all devices
Deploy the antivirus software used in your organisation to all devices in order to protect against malware creeping into the central system.
These first steps should help you protect your data and create a secure working environment for your mobile workforce that is as robust as the measures you have in place within your organisation’s offices.
If you are not sure how to start the process, or need help at any stage along the way, you should seek the assistance of an IT consulting service. As certified GDPR practitioners, the team at pebble.it are experts at advising on the security and data protection measures your business needs.