In recent weeks, there has been a rapid escalation in the need for organisations to enable staff to work remotely, minimising potential exposure to COVID-19 and complying with the evolving Government recommendations. This would typically have been a more involved process of discovery and assessment, strategic planning, design and implementation, and it would have been a dedicated project with allocated budget, time, detailed attention and resources. But due to the pressure to roll out a solution quickly, interim measures have been employed in many instances. Organisations now have an opportunity to get a true understanding of their mobile maturity level, to refine and enhance their solution, and to adopt robust, best practice measures for mobility and remote working.
As the definition of the workplace becomes more fluid and dynamic, computing endpoints are moving from the more secure “behind the firewall” environment into more vulnerable environments with remote access and a heavy reliance on mobility. As remote and mobile usage increases, so too do the risks if that usage is not managed and secured properly.
As organisations reflect on and refine their solutions, it’s important to analyse what the vulnerabilities and risks are and how they are, or should be, mitigated. When assessing this, there are a number of areas that are commonly overlooked when it comes to mobility.
Physical security – Remote working, and mobile device use in particular, occurs in a variety of spaces, typically without the physical security protection that exists in a traditional office environment. Devices are commonly lost or stolen. While some may be recovered, others are not, putting your organisation’s data at risk on an unsecured device. Due to their high value, mobile devices are often targeted for theft, and a device with poor or basic security is a cyber criminal’s dream. Another physical aspect that is often underestimated is ‘shoulder surfers’. While working remotely, especially in crowded places, it’s important to be aware of the sensitivity of the data that can be seen on the user’s screen. Corporate data, login credentials and sensitive client data may easily be put at risk.
Personally enabled devices and BYOD – Allowing personal use of corporate devices and Bring Your Own Device (BYOD) is not innately a security risk. However, it may reduce the ability to secure, manage or maintain visibility of usage against corporate and IT policies. A lack of clear policies for device types and usage can lead to increased risks ranging from jailbroken/rooted devices, through to untrusted networks, apps and content. It is also important that visibility over OS versions be available, so security policies can be applied and access levels restricted based on the currency of the OS and security patches.
Mobile Operating Systems – Users and administrators often put a lot of trust in the OS vendors to keep devices secure and data safe. While keeping the OS updated helps to mitigate the majority of risks, history has repeatedly shown no manufacturer is immune to vulnerabilities. Additionally, basic models and older devices are often not supported for updates and patches. Processes to maintain update and patch compliance are an essential aspect of reducing risk. However, additional software and systems are required as OS security is rarely sufficient to keep enterprise data protected.
Device Management and Endpoint Security – Mobile Device Management (MDM) is a key recommendation for managing a mobile fleet, enforcing security and compliance policies, restrictions and simplifying deployment. However, when looking at options to protect mobile endpoints and corporate data, the solutions required go much further than an MDM. Mobile endpoint security and threat detection solutions that protect users (and the organisation) from threats ranging from poor application data policies, through to malicious content and phishing are a necessary addition to any mobile security toolkit.
Protection against mobile specific threats – Cybercrime is increasingly targeting mobile. Why? Because it works! Whether it is as simple as excessive permissions from apps, poor privacy and security/coding practices, through to malware, ransomware and cryptojacking, mobile users and organisations are falling victim to these threats. More concerning is the continued trend of phishing moving away from email and targeting mobility. Most organisations take precautions against email phishing, with mobile being overlooked.
Shadow IT – As organisations move to remote and flexible working, many are stretched to keep up with the rate of change demanded by, and the requirements of, end users. While this lag exists between user requirements and system/organisational capabilities, users will find their own means, which may not be enterprise-grade. Many organisations are familiar with workers using unauthorised filesharing, messaging and collaboration tools. While many of these tools themselves may not pose a risk, their use can open the door to additional threats, leaving you at the mercy of the vendor’s security practices, and can also move corporate data out of your network, increasing the risk of a breach.
As the initial rush to mobilise workers in response to COVID-19 has now begun to ease, it is an important time to review and refine the solutions put in place, and to assess mobility capability, requirements and strategy moving into the future.
Additionally, it’s important to understand that mobility is not a set and forget project. Mobility solutions and strategy need to be treated as an internal product rather than a project, receiving regular reviews and refinement. Mobility is one of the most rapidly evolving technologies in organisations. Threats and cyber criminals are constantly advancing, so organisations need to remain current and prepared.
The COVID-19 pandemic may even be the catalyst for organisations to take full advantage of mobility solutions and the digital workspace. The trend is likely to continue and become part of the new norm after the crisis is over, as the processes and systems will have been established to enable extensive remote working. When we reflect on this pandemic experience, it will be considered to have been the impetus for acceleration into a new phase of the digital revolution.
Over a decade into the modern smartphone era, most organisations are making significant investments into mobility. But, are those investments in the right areas? How are the gaps where those investments should be made identified? Understanding your organisation’s mobile maturity level holds the key.
Recent research from Oxford Economics and Citrix predicted that levels of mobile maturity are going to quickly rise over the next three years*. As workplaces become more flexible as to where and when work occurs and the digital workspace grows, workers become increasingly mobile. Workers and organisations are becoming more aware of the performance, productivity and profitability advantages achievable through a digital workspace.
While significant investments are being made, the majority of these investments are based around hardware, connectivity (mobile network), and mobilisation of simple existing processes. These existing processes are usually email, calendar, contacts, an assortment of messaging applications and simple collaboration tools. In a number of cases, we see this mobilisation enabled through the use of a Mobile Device Management (MDM) solution. While this level of mobilisation creates benefits for the users and organisation, it is an entry level step, leaving large gains unrealised. To achieve a higher level of maturity, and leverage the investments in and capabilities of mobility, we venture further into increasing collaboration tools, mobilising existing business processes and data, and then embark on the journey of developing new mobile-first business processes.
Assessing and understanding your organisation’s level of mobile maturity can allow you to develop a robust, secure and effective mobility strategy. When performing mobile maturity assessments, it’s important to look beyond the traditional aspects of hardware and carriage and focus on business drivers and objectives, along with the bigger technology picture. It’s equally important to engage with multiple internal stakeholders during the assessment to ensure that we understand these aspects from a range of viewpoints.
At Blackbox Mobility, a mobile maturity assessment is typically done as part of the “Discover & Assess” phase of the consultancy engagement, and addresses a broad range of topics including:
Assessment across these areas, in conjunction with both IT and business objectives, will lead to an actionable, prioritised roadmap and future-proofed strategy. However, it is also important to keep in mind that technology and maturity levels are dynamic and ever-evolving. With the pace of change in mobility technology and capability, regular reviews are part of best practice.
Understanding your organisation’s mobile maturity level will allow you to direct your time and resources into the right areas to provide a streamlined, secure and efficient mobility experience, and maximise the return on your mobility investment.
* Building the digital workspace - Harvard Economics