At Abavus we are big fans of mobile working. I firmly believe mobile working offers a massive opportunity for local government organisations, not only to reduce costs but also to speed up processes, work more flexibly and efficiently and significantly improve customer service. There’s benefit both for employees, who tend to find it motivating and empowering, and for customers, who see things getting done more quickly and effectively. In short, it’s win-win. That said, mobile working does come with risks that organisations need to be aware of before making the transition. We’ve blogged before about the benefits of mobile working, but here I want to talk a little about what the risks are and how best to manage them.

What are the risks associated with mobile working?

The biggest risk associated with mobile working comes from the fact that mobile working means that you have information stored and transmitted outside of your secure onsite network environment. Mobile workers may be using devices with relatively limited security features as well as wifi networks that you don’t control. On top of this, mobile working means that your staff are using their devices offsite, perhaps in public environments where they can be overlooked, and of course there’s always the chance that someone will lose their device or that it’ll be stolen. In summary, the key risks associated with mobile working are as follows:-

  • Mobile devices being lost or stolen – phones and other mobile devices are highly attractive to thieves because they’re powerful, high-value items. They’re also easy things for people to lose.
  • Being overlooked – it’s common for mobile working to involve employees using their devices in public places. This means that they can be overlooked, with the possibility that sensitive or confidential information can be viewed by people who are not authorised to see it.
  • Loss of credentials – most mobile devices offer the possibility to store one’s access credentials in some way or other, perhaps in a browser or through keychain software. This then means that if the device gets stolen and the thief is able to access it, they may also be able to then access your organisation’s network and the tools on it.
  • Tampering with devices – if employees leave their devices unattended at any time the possibility exists that an attacker could then insert malicious hardware or software onto it, with a view to monitoring user activity or compromising organisational security in some other way.
  • Accidental compromising of security configurations – depending on how their devices are set up, it may be possible for non-expert users to inadvertently make changes to their security settings which can then open up the device to the possibility of external attack from hackers.

How can the risks of mobile working best be managed?

It’s critical that if you’re already using mobile working in your organisation or you’re considering it that you have a proper mobile working security policy in place. This will cover things such as who is able to work offsite and what devices they have access to as well as the type of information that is stored on or can be accessed by mobile devices, and how mobile device use is going to be monitored and controlled. As a starting point I’d strongly recommend that you consider the following ideas:

  • User education and awareness – this is critical. Your users need to be trained on how to use their devices safely and securely before they’re allowed to use them in the field. They need to be aware of what the risks are and the steps they should take to avoid them. There needs to be a clear security protocol which users understand and are able to apply every time they use their mobile devices.
  • Protect sensitive data – think about what data actually needs to be on the devices themselves and, wherever possible, keep this to a minimum. The device should only contain the data that’s needed for the specific activity that’s being performed. Users shouldn’t be able to access data that isn’t relevant to the tasks they themselves perform. If the device supports it, ensure that all stored data is encrypted so that even if the device does fall into the wrong hands, the data is not readable. Bear in mind that device encryption only protects a device that is locked: it must be paired with a strong passcode and a short auto-lock timeout, otherwise an unlocked device in a thief’s hands exposes everything on it.
  • Protect data when it’s in transit – one of the times that information is most vulnerable is when the user is transmitting data to and from your organisation’s network. If they’re offsite when they’re doing this then the chances are that they’re using an unsecured public network to do so, with the attendant risks that poses. Consider protecting the device and the information in transit by setting up a virtual private network (VPN) over which all information is exchanged, so that nothing leaves the device in the clear regardless of which wifi network it happens to be on.
  • Technology and encryption – you should ensure that your provider or your IT team (if you’re doing things yourselves) is using current, standards-based cryptography, for example the Advanced Encryption Standard (AES) for data at rest. What follows is not an exhaustive checklist, but for all data communications you should be looking for Transport Layer Security (TLS) 1.2 or later. TLS is the successor to Secure Sockets Layer (SSL); the name “SSL” is still in everyday use, but the SSL protocol versions themselves are obsolete and should be switched off, as should TLS 1.0 and 1.1. TLS uses public-key cryptography during its handshake to authenticate the server (via its certificate) and to agree a fresh session key, and then encrypts the traffic itself with a symmetric cipher such as AES. Confirm that TLS is enforced on every connection, that legacy protocol versions are disabled on the server, and that the client verifies the server’s certificate. It is this combination of authentication, key agreement and encryption that provides the high levels of security required when data is in transit; a weak version or an unverified certificate undermines the rest.
  • Review your organisation’s incident plan – even with all the best security protocols in place there will be times when things go wrong, perhaps for unforeseen reasons. When that happens it’s critical that you have a robust incident plan in place so everyone knows what needs to be done and who is going to do it.
  • Remote disabling of devices – wherever possible you should set up your mobile working devices in such a way that they can be remotely locked or wiped in the event that one is lost or stolen, typically through mobile device management software. At the very least you should be able to prevent a particular device from accessing your corporate network once it’s been reported as lost or stolen, which means revoking any credentials, certificates or session tokens issued to it rather than only blocking the device itself.
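To make the transport requirement in the list above concrete, here is an added example, written for this page rather than taken from Abavus or any product it describes, in Go using only the standard library. A client configured to the policy recommended above (TLS 1.2 or newer, server certificate checked against a trusted root for the expected hostname) is run against three simulated gateways over an in-memory connection: one stuck on TLS 1.0/1.1, one pinned to exactly TLS 1.2, and one offering TLS 1.2 and 1.3. The hostname mobile-gateway.example, the self-signed certificate and the three gateway configurations are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// gatewayHost is a hypothetical hostname for the organisation's mobile gateway.
const gatewayHost = "mobile-gateway.example"

// selfSignedCert builds an in-memory, self-signed ECDSA certificate for
// gatewayHost so that the demonstration runs offline; it stands in for the
// CA-issued certificate a real gateway would present.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: gatewayHost},
		DNSNames:     []string{gatewayHost}, // hostname verification needs a SAN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client will trust exactly this certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, roots, nil
}

// clientPolicy is what the mobile client should insist on: TLS 1.2 or newer,
// and a server certificate valid for gatewayHost under a trusted root.
func clientPolicy(roots *x509.CertPool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots, ServerName: gatewayHost}
}

// serverConfig models a gateway that only speaks protocol versions lo..hi.
func serverConfig(cert tls.Certificate, lo, hi uint16) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   lo,
		MaxVersion:   hi,
		// Session tickets are fine in production; they are disabled here only
		// because the synchronous in-memory pipe used below would stall on the
		// server's post-handshake ticket write.
		SessionTicketsDisabled: true,
	}
}

// handshake runs one TLS handshake over an in-memory pipe and returns the
// negotiated protocol version, or an error if the two sides cannot agree.
func handshake(server, client *tls.Config) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, server).Handshake() }()
	c := tls.Client(cliConn, client)
	if err := c.Handshake(); err != nil {
		return 0, fmt.Errorf("client: %w", err)
	}
	if err := <-srvErr; err != nil {
		return 0, fmt.Errorf("server: %w", err)
	}
	return c.ConnectionState().Version, nil
}

// Negotiate runs the hardened client against a gateway limited to lo..hi and
// reports the negotiated version; a refused handshake returns an error.
func Negotiate(lo, hi uint16) (uint16, error) {
	cert, roots, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	return handshake(serverConfig(cert, lo, hi), clientPolicy(roots))
}

func main() {
	cases := []struct {
		name   string
		lo, hi uint16
	}{
		{"legacy gateway, TLS 1.0-1.1 only", tls.VersionTLS10, tls.VersionTLS11},
		{"gateway pinned to TLS 1.2", tls.VersionTLS12, tls.VersionTLS12},
		{"modern gateway, TLS 1.2-1.3", tls.VersionTLS12, tls.VersionTLS13},
	}
	for _, tc := range cases {
		v, err := Negotiate(tc.lo, tc.hi)
		if err != nil {
			fmt.Printf("%-34s refused: %v\n", tc.name, err)
			continue
		}
		fmt.Printf("%-34s negotiated version 0x%04x\n", tc.name, v) // 0x0303 = TLS 1.2, 0x0304 = TLS 1.3
	}
}
```

The legacy gateway is refused outright because the client offers nothing below TLS 1.2, which is exactly the behaviour you want from a device on an untrusted wifi network; the other two negotiate 1.2 and 1.3 respectively. Against a live endpoint, the equivalent manual check is to force a legacy version with `openssl s_client -connect host:443 -tls1_1` and confirm the server rejects the connection.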