When the best security is best practice…

There’s no stopping mobile working, but recent security breaches should keep public sector organisations on their toes, says Alistair Millar of Altodigital

Mobile working is now part of many organisations’ DNA. Even within local authorities and other government bodies, senior staff at least are expected to be contactable when travelling or working remotely. And it’s impossible to work efficiently away from the office without being able to access all but the most confidential documents.

For many, the whole bring your own device (BYOD) question is a worry from the past. Either the organisation came out firmly against it, or it established a firm policy and took measures to counteract the risks; for example, it strengthened its firewalls and introduced tiered systems of mobile access.

But this may have given organisations a false sense of security. With the number of security breaches continuing to rise, many companies are wondering if they are doing enough. Last year, the government released the results of a cybersecurity survey which revealed that seven in ten large businesses had identified a breach or attack. Famously, these cases include Uber, which recently revealed it had been hacked in late 2016, exposing the personal information of 57 million customers and drivers.

The credit rating company Equifax and Yahoo have also recently admitted their own breaches. As has Deloitte, once seen as one of the top cyber security consultancies.

None of these incidents appears to have been caused by a lack of mobile security. But, unfortunately, cyber criminals will always find the vulnerabilities, and mobile devices are often seen as the weak spot. In fact, in a study for Check Point Software, 20% of organisations polled said their mobile devices had been breached and nearly all (94%) expected the frequency of mobile attacks to increase.

Mobile apps are a particular target, especially those which enable users to store personal details. Increasingly, apps are being used by workers in the field. They can store significant amounts of data – often client information and personal details – and are extremely vulnerable to hackers.

But it’s not so much the sudden proliferation of security breaches that is drawing attention to mobile security. It’s more the deadline for GDPR in May 2018, with its threat of large financial penalties. Gartner notes that “by 2019, 30% of organisations will face significant financial exposure from regulatory bodies due to their failure to comply with GDPR requirements to protect personal data on mobile devices”.

So how can organisations exercise ‘due diligence’ and protect their data to the required levels?

As I see it, there are four main areas that serve as pillars of best practice:

  1. Don’t ignore patch updates

Applying patches regularly would have negated many of the problems associated with the recent WannaCry ransomware attack. Easier said than done for many hard-pressed departments, where patching can be seen as a hassle. However, making sure the latest anti-virus and anti-malware software is in place and that firewalls and gateways are up to date is a vital first step to protecting data.

  2. Staff must understand the issues at stake

A mobile security strategy should include who can access what, a policy on mobile apps and storage of confidential details – not just on mobile phones, but also on laptops, tablets and USB sticks which can be easily mislaid.

Education is key here. For example, some people like to save work in multiple locations to ensure accessibility and to know there is a back-up, without realising that every extra copy is another place from which the data can leak. Employees should ensure passwords are strong and should carefully manage and protect both their own personal data and the company information entrusted to them.

Organisations should protect other potential weak spots such as mobile printing. If documents are sent to print from a mobile phone to an office, they can easily end up in the wrong hands. Organisations should use printers that hold documents until the user enters the right PIN code or other authentication at the device, and should encrypt the print jobs in transit.

  3. Adaptive authentication

Adaptive authentication based on certain parameters can ensure that while employees have easy access to low risk data, a company’s confidential information is kept safe and only accessed by those with the right authority and trust.

This may mean that access to some parts of the network requires only a single password, whereas reaching HR data or sensitive client information, for instance, requires two-factor user authentication and a digital certificate, even for the same user.
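The tiered, context-aware access described above can be written down as a small policy engine. The following is an added illustration, not code from the article or from Altodigital; the resource classifications, assurance levels and the rule that an unmanaged device or an off-network connection raises the bar are all constructed assumptions for the example. It shows how the same user gets a password-only path to low-risk data, a step-up prompt for HR or client records, and a fail-closed default for anything not yet classified.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple


class Assurance(IntEnum):
    """Strength of the authentication a session has actually completed."""
    NONE = 0
    PASSWORD = 1
    MFA = 2            # password plus a second factor
    MFA_AND_CERT = 3   # second factor plus a user/device digital certificate


# Constructed classification register for the example; a real deployment
# would load this from the organisation's data-classification records.
RESOURCE_CLASS = {
    "intranet-news": "low",
    "shared-calendar": "low",
    "hr-records": "sensitive",
    "client-files": "sensitive",
}

# Baseline requirement per classification, before context is considered.
BASE_REQUIREMENT = {
    "low": Assurance.PASSWORD,
    "sensitive": Assurance.MFA_AND_CERT,
}


@dataclass
class Session:
    user: str
    password_ok: bool
    mfa_ok: bool = False
    cert_ok: bool = False
    device_managed: bool = True        # enrolled in mobile device management
    on_corporate_network: bool = True  # False for public Wi-Fi, hotel, etc.

    def assurance(self) -> Assurance:
        """Highest level this session has proven so far."""
        if not self.password_ok:
            return Assurance.NONE
        if self.mfa_ok and self.cert_ok:
            return Assurance.MFA_AND_CERT
        if self.mfa_ok:
            return Assurance.MFA
        return Assurance.PASSWORD


def required_assurance(resource: str, session: Session) -> Assurance:
    """Adaptive requirement: start from the data classification, then raise
    it when the context looks riskier (unmanaged device or off-network)."""
    # Fail closed: anything missing from the register is treated as sensitive.
    classification = RESOURCE_CLASS.get(resource, "sensitive")
    required = BASE_REQUIREMENT[classification]
    if not session.device_managed or not session.on_corporate_network:
        required = max(required, Assurance.MFA)
    return required


def authorise(resource: str, session: Session) -> Tuple[str, Assurance]:
    """Return (decision, required level).

    "allow"   - the session already meets the requirement
    "step_up" - the user is known but must complete a stronger factor first
    "deny"    - no valid primary authentication at all
    """
    required = required_assurance(resource, session)
    have = session.assurance()
    if have == Assurance.NONE:
        return ("deny", required)
    if have >= required:
        return ("allow", required)
    return ("step_up", required)


if __name__ == "__main__":
    alice = Session("alice", password_ok=True)
    for res in ("intranet-news", "hr-records", "unclassified-share"):
        print(res, authorise(res, alice))
```

The decisive design choice is the fail-closed default in `required_assurance`: a resource that nobody has classified yet is treated as sensitive, so a gap in the register cannot silently open a password-only path to personal data.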

  4. Layers of security

An increasing number of organisations are implementing several layers of mobile security to plug every vulnerability. This can include mobile device management, mobile application management as well as anti-malware and anti-ransomware. There’s no one size fits all here, just a policy of adding protection at any weak point.

Mobile working has productivity benefits that far outweigh the hassle of implementing these measures. But now that it’s not just the cyber-criminal but also the regulator seeking out your vulnerabilities, the urgency and the need for extra caution have multiplied. It’s not rocket science, though – good, careful housekeeping will keep security on track.
