10 ways to secure a mobile workforce

As much as you might want to implement all the latest best practices and lock down your company like Fort Knox, you need to align your policies to your company culture.

remote workers are being safe
Credit: Thinkstock
Super mobile worker

We are entering the age of “supermobility,” in which mobile devices will provide all of the tools and technology that employees need to be productive on the go. And while workplace flexibility and convenience are at an all-time high, super-mobile employees are actually putting enormous amounts of company data at risk.

From using unapproved apps and devices to accessing unsecured Wi-Fi networks, leaving private information unattended and ignoring security updates on mobile technology, cyber risks are increasing as organizations strive to become “supermobile.” Alvaro Hoyos, chief information security officer at OneLogin, provides some tips to keep those mobile workers in check.

Define a realistic security policy

If you implement policies that are too rigid or out of place with the current maturity of your company’s security program, chances are that your employees are going to subvert or ignore them altogether. If your employees find that the policies are strict, but workable, they will be more open to approaching you with issues or concerns on how they can meet policy and still get their work done. This is especially important for a mobile workforce, which can feel more “removed” from your company the longer they are away from company headquarters and company policies and procedures. Just as important, your policies should account for your mobile workforce and provide reasonable alternatives for policies that are not feasible while on the road or when working from home.

Security starts with your personnel

Security awareness training should include content targeted at mobile workers. Most companies deliver security awareness training with greater emphasis on topics that are pertinent to office workers, e.g., use of key cards, clean desk policy. Similar to your policies, your training should include content that is more relevant to your mobile workforce, e.g., the dangers of public Wi-Fi spots, the use of removable media. With the move to not only mobile hardware, but also mobile software solutions in the form of SaaS applications, even your 9-to-5 employees that are based in an office are considered mobile workers when they log in to a company system from home or on the weekend. By providing content aimed at mobile workers, you are really providing content to your entire workforce.

Keep lines of communication open

Periodic communication is key. The ability to learn and retain data varies widely from person to person, and without going into the complexities of adult education, the simple fact is that repetition tends to work better for people. An annual training or reminder to follow policies is not going to stick in everyone’s mind, so having more frequent touch points, some scheduled, some impromptu, can help your messages stick a bit more. Making communications topical and of interest to your workforce is also important. If your personnel understand that what applies at work can apply in their personal lives, there is a higher chance that they will retain that information for their own personal benefit. For example, when a well-publicized security issue arises, like the resurfacing of the 2012 LinkedIn hack, it is a perfect opportunity to provide a refresher to personnel on the risk of password reuse and the benefits of strong passwords. With a large population of end users working outside of your offices, these should be easy-to-digest communications that anyone can read through quickly in their email or messaging app.

Integrate multi-factor authentication

Considering 55 percent of employees are accessing work applications outside of the office, employers must use a multi-factor authentication (MFA) solution that guarantees the right people are accessing the right information. MFA prompts employees to validate their identity by using their phone or protected password when logging into work applications or systems remotely. Historically, if you saw Bob at Alice’s desk trying to log into her desktop, that would be a pretty cut-and-dried security incident. But nowadays, a good number of your employees are authenticating into their systems out of sight, and therefore enforcing the use of MFA, typically something you have, helps reduce the risk that someone other than Alice is logging into her laptop.

Empower employees; the human firewall

Employers can empower workers to become a part of their detection plan early on. Typically, admins receive all sorts of automated alerts triggered by activities that are either high risk or known to be suspicious. Empowering end users by briefing them about the activities they have direct control over, such as changing their password or logging in from a new location, can help make employees part of your early detection plan. Geolocation has become a popular addition to these alerts as well. Employees are notified that they have logged in from a new location, which is helpful, especially when they are constantly on the move and signing in from different networks.
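The new-location notification described above can be sketched as follows. This is an added example, not code from the article or from any vendor; the event fields and the rule that a user's first sign-in seeds their baseline are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in events for illustration: (user, UTC time, country, city).
SAMPLE_EVENTS = [
    ("alice", "2024-03-04T08:01:00Z", "US", "Austin"),
    ("bob",   "2024-03-04T08:15:00Z", "GB", "London"),
    ("alice", "2024-03-05T09:12:00Z", "US", "Austin"),
    ("alice", "2024-03-06T22:40:00Z", "US", "Denver"),     # on the road
    ("alice", "2024-03-06T23:05:00Z", "RO", "Bucharest"),  # 25 minutes later
    ("bob",   "2024-03-07T07:58:00Z", "GB", "London"),
    ("alice", "2024-03-07T08:30:00Z", "US", "Denver"),
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def new_location_alerts(events, known=None):
    """Return one user-facing alert per sign-in from a location not yet seen
    for that user. `known` optionally maps user -> iterable of (country, city)."""
    seen = defaultdict(set)
    for user, locs in (known or {}).items():
        seen[user].update(locs)
    alerts = []
    for user, ts, country, city in sorted(events, key=lambda e: parse_ts(e[1])):
        loc = (country, city)
        if not seen[user]:
            # Assumption: with no history, the first sign-in seeds the baseline.
            seen[user].add(loc)
            continue
        if loc not in seen[user]:
            alerts.append({
                "user": user,
                "time": ts,
                "location": loc,
                # A never-seen country is a stronger signal than a new city.
                "new_country": country not in {c for c, _ in seen[user]},
            })
            # Alert once per location; a real deployment would only trust the
            # location after the user confirms the sign-in was theirs.
            seen[user].add(loc)
    return alerts

if __name__ == "__main__":
    for alert in new_location_alerts(SAMPLE_EVENTS):
        print(alert)
```

Each alert would be sent to the named user, who is the person best placed to say whether the Denver or Bucharest sign-in was really theirs.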

Understand the risk of mobility to your company data

Mobile devices, whether those used by your office workers or by your mobile users, should not be the source of truth for any of your data. You should assume that there is a high risk of a mobile device being stolen or simply misplaced, and therefore you should prepare accordingly. This is easily done if your mobile workforce uses SaaS applications, but might take more planning if you don’t. At a bare minimum, documents on mobile systems should be backed up on a daily basis. You should also have a data classification policy in place so end users can make more informed decisions about what data can be copied to mobile devices and what data should never leave those same systems.

Track those mobile assets closely

With employees using more mobile devices than ever before, it’s easy for hardware to be misplaced, lost or stolen. An asset tracking and inventory solution allows employers to know who has a device and where it is being used. These solutions are not inexpensive, but they are worth it to keep your company hardware from falling into the wrong hands. The perimeter has shifted from just systems tucked away safely in data centers to all endpoints from which someone can access company data. Devices that are no longer in use or have been lost or stolen need to be tracked as well, in case they reappear on your network.

Monitor, monitor, monitor, and then do more monitoring

Intrusion detection systems or endpoint threat detection are now needed for your mobile systems. Gone are the days of deploying anti-virus on your systems and calling it a day; it’s simply not sufficient and easily defeated. Your mobile endpoints are bound to be compromised at some point, so you need to monitor for erratic behavior that can signal a successful breach. Several solutions do a great job of reporting on not only suspicious activities, but the activities that preceded and followed those flagged by the systems. This is a great resource that can assist you in understanding the entirety of an attack and its scope.

Deploy identity and access management (IAM)

Chances are that if you have an effective supermobile workforce, you are leveraging SaaS applications to some degree. Not having a workforce neatly based in office locations makes it harder to track and disable their access on a timely and complete basis. You can no longer simply disable someone’s badge or have them escorted off the premises as a way of disabling all their access, so IAM solutions are a must to effectively manage your mobile workforce. By controlling access at the identity level in a centralized system, you are able to quickly disable access to the apps a given employee has regardless of location, what type of system they use, etc. If you integrate your HR system with your IAM system, then their access removal is even more assured and timely because HR is the first team in an organization to find out about a termination.
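One way to check that the HR-to-IAM link described above is actually closing access is to reconcile the two record sets. This is an added example, not code from the article or from any IAM product; the record layouts and field names are assumptions.

```python
from datetime import datetime, timezone

# Constructed records for illustration; field names are assumed, not a real schema.
HR_RECORDS = [
    {"employee_id": "E100", "status": "active", "terminated_at": None},
    {"employee_id": "E101", "status": "terminated",
     "terminated_at": "2024-05-01T17:00:00+00:00"},
    {"employee_id": "E102", "status": "terminated",
     "terminated_at": "2024-04-20T17:00:00+00:00"},
    {"employee_id": "E103", "status": "terminated",   # scheduled, not yet effective
     "terminated_at": "2024-05-10T17:00:00+00:00"},
]
IAM_ACCOUNTS = [
    {"employee_id": "E100", "username": "alice", "enabled": True, "apps": ["mail", "crm"]},
    {"employee_id": "E101", "username": "bob", "enabled": True, "apps": ["mail", "payroll"]},
    {"employee_id": "E102", "username": "carol", "enabled": False, "apps": []},
    {"employee_id": "E103", "username": "dave", "enabled": True, "apps": ["mail"]},
    {"employee_id": "E999", "username": "erin", "enabled": True, "apps": ["crm"]},
]

def find_stale_access(hr_records, iam_accounts, now):
    """List enabled IAM accounts that HR says should no longer have access."""
    hr = {r["employee_id"]: r for r in hr_records}
    findings = []
    for acct in iam_accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned
        rec = hr.get(acct["employee_id"])
        if rec is None:
            # Enabled identity that HR has never heard of.
            findings.append({"username": acct["username"], "reason": "no_hr_record",
                             "hours_overdue": None, "apps": acct["apps"]})
        elif rec["status"] == "terminated":
            ended = datetime.fromisoformat(rec["terminated_at"])
            if ended <= now:  # ignore terminations that are not yet effective
                hours = (now - ended).total_seconds() / 3600
                findings.append({"username": acct["username"], "reason": "terminated",
                                 "hours_overdue": round(hours, 1), "apps": acct["apps"]})
    return findings

if __name__ == "__main__":
    for f in find_stale_access(HR_RECORDS, IAM_ACCOUNTS,
                               datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)):
        print(f)
```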

Have a contingency plan for lost devices

Just as important as making sure you don’t lose productivity due to data loss, you should be prepared to deal with data being compromised due to mobile systems being lost or stolen. There are two main ways to prepare: encrypted drives and remote device wipes. For starters, it is important to encrypt drives. Encrypted drives make the data unreadable to anyone except the properly authenticated user. Yes, there is an asset loss from a financial perspective, but coupled with the lack of source of truth on your mobile systems, there should not be a loss from an information security perspective. Alternatively, or in addition to that, you can use remote device wipe software to delete all data on a mobile system once it reconnects to the internet. It typically can then be reused, but again, it’s better to have an asset loss than a data compromise.