Security considerations of mobile working

April 2013

For most of us (although perhaps not Yahoo! boss Marissa Mayer) working for our employers outside of the office is a fact of life in 2013. There are clear benefits for employees, who gain better control of the elusive ‘work life balance’ and flexible working patterns, and for employers, who attract and retain staff and benefit from lower costs and greater productivity.

The Blackberry and the iPhone remain the most widely used devices in the enterprise mobility space but other devices commonly used by employees to work remotely include netbooks, laptops and other smart phones.

The convenience of working on a mobile device needs, however, to be weighed up against the increased risk of losing the data contained on it due to the very nature of its portability. Employees carrying around sensitive company data in their pockets creates an obvious, immediate and material security risk for their employers if the data is lost or stolen. In addition, any entry point into your networks for mobile devices is potentially an entry point for malware and viruses. Below is a list of dos and don’ts for your mobile security policies for the workplace:

Do:

  • ensure all laptops used by employees for work purposes are encrypted and that devices are registered with you and benefit from your mobile security packages;
  • remind employees not to use (i) personal laptops without installing your security software or (ii) private email (e.g. hotmail) accounts for work purposes;
  • ensure you have a data loss/theft policy in place to deal with mobile devices and that this includes a process for your IT departments and your risk management departments to alert each other and to work together to contain the security risks arising from the loss of a device;
  • use mobile device management (MDM) technology to remotely wipe devices that are lost or stolen;
  • circulate updates to employees on any malware or phishing scams that come to your attention;
  • ensure devices used by employees require multiple layer passwords that incorporate a mixture of alpha and numerical characters;
  • ensure you have a policy on the installation of apps onto work related devices and encourage users to read app permissions and reviews before installing them;
  • remind employees to uninstall apps they don’t use;
  • prohibit sales or loans of devices used for work purposes until they have been securely wiped by you of all company data;
  • require devices to have automatic locking mechanisms if inactive for a period of time and to wipe the data if the password is entered incorrectly a number of times;
  • require users of mobile devices for work purposes to update their passwords regularly (at least every 90 days);
  • remind employees to beware of phishing emails and unexpected links and files sent to them by ‘friends’. These may be malware;
  • have a quick, effective policy for revoking access to devices remotely where required;
  • consider archiving old messages on a device periodically;
  • warn employees about accessing your systems via unsecured networks, though this risk is reduced by the widespread use of virtual private networks (VPNs) by employers; and
  • remind employees to file emails promptly and to delete unwanted items.

Don't:

  • forget to deactivate employees’ access to your networks when they leave your employment. This is one of the most common forms of data breach in practice;
  • allow users to sell or loan their devices without the devices being securely wiped clean of the data by you;
  • allow users to send devices to suppliers for repair without being wiped of your data;
  • forget to back up your company data on devices. Have a clear policy on how this is done and what you expect your employees to do in this regard;
  • allow your employees to use their devices for work purposes without agreeing to abide by your policies to protect your organisation’s assets; and
  • allow your employees to use other third party storage applications, such as Dropbox, for storing your work related data.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Sarah Needham



Sarah looks at the security risks inherent in mobile working.

"Don’t forget to deactivate employees’ access to your networks when they leave your employment. This is one of the most common forms of data breach in practice."