Mobile allows users to work from anywhere at any time, but the extended office demands modern approaches to extended security
Whether it’s the local library of the nearest Starbucks, most open-door establishments provide public Wi-Fi access to their patrons. Some users are merely shopping online or creeping their social networks; others are conducting work-related transactions.
Thanks to mobile devices, anywhere and everywhere can easily become an extension of the office so that users can be fully functional wherever they are. The risk for today’s enterprise is that the convenience and practicality of an extended office has far greater value than its security.
That’s why both business decision-makers and security practitioners need to be thinking about what they stand to lose. The loss of physical property is the greatest security risk to businesses, said Matthew Bradley, regional security director (Americas) at International SOS.
“Physical loss is the No. 1 thing, whether they leave it on a security belt in airport or it’s stolen out of their cars. The physical loss is more frequent, so it’s a greater risk than someone stealing email or a file,” Bradley said.
Worrying about a lost laptop may seem counter to the stories oft told about cybersecurity threats, but it’s important to remember that risk is determined by the likelihood times the impact. In reality, there is a greater risk of a user losing their laptop than of their being the target of a cyberattack.
Yes, the data stored on a lost laptop or device could be exploited if the device has no protections. However, the more technical attacks will be targets of opportunity. “Unless someone is following you into a café, sitting next to you and then sniffing the network, the attacker is already in the coffee shop,” Bradley said. If a hacker is already there, they are looking for usernames and passwords or credit card information.
The more likely scenario is that a hacker wouldn’t even be able to identify sensitive proprietary data if they came across it, which is why the risk of being compromised via public Wi-Fi is greater to the individual than to the enterprise.
“If you don’t send a marketing plan for next quarter, the attacker doesn’t get it. Even if you did send it, they would have to know what it is and who would pay them for that information,” said Bradley.
Risk Changes Because of Likelihood
Users can access the same information from their laptop on an airplane and in a coffee shop. The likelihood of being compromised on a plane is lower because the criminal has to be on the plane, and it’s highly unlikely that a criminal is flying around with the sole purpose of trying to access data over the network. “The environment is richer,” Bradley said, “so maybe it would make sense if you were hopping around the east coast shuttling back and forth, but the attacker has to be very sophisticated and aware, and criminals are usually lazier than that.”
The real risk to enterprise security comes when someone’s credentials have been compromised. Because the risk of a security breach through compromised credentials is real, it is the responsibility of the organization to protect its assets across all devices.
“Employees are unreliable, and companies must protect themselves from the insider threat,” said Bradley. Companies can’t expect their employees to change their work habits based on geography.
Enabling a Secure Mobile Workforce
Although they often don’t implement security controls because they are too cumbersome or expensive, businesses can protect against the risks of a mobile workforce by ensuring that users do not give away sensitive information through their lax security practices. First, they must assume that employees working outside of the office do not have security front of mind.
That’s why it’s up to the company to require users to login through a VPN and demand their employees have a secure password. “It is important to make sure that BYOD devices can only be used in so-called ‘demilitarized zones’ within the organization. That is, the devices should not be able to directly access sensitive resources, and access should only be allowed to some organizational resources through VPNs. It is also important to be able to monitor the use of such devices through the network, and keep track of when, where, and how these devices connect,” Dr. Engin Kirda, chief architect at Lastline, told ZDNet.
If companies expect data on mobile devices could become lost, they have to protect laptops and other mobile devices against theft or loss. “It’s on the company to have the capability to remotely erase the hard drive or secure devices with encryption,” said Bradley.
A good mobile workforce security strategy requires planning. Additionally, Bradley said that moving data from devices to the cloud is more practical so that companies can secure one location as opposed to multiple. Securing the connections to access the cloud is better than trying to protect every individual laptop.
Operating under the assumption that property will be lost or stolen and credentials could be compromised then guides the decisions security practitioners make about where to put the most sensitive data and who should have access to it. Because of the trade-off between convenience and security, the greatest challenge is to minimize that friction so that security is implemented in a way that allows them to seamless minimize business travel risk.