It’s difficult to remember a time before mobile working. Most businesses now rely on staff being contactable when travelling or working remotely – and employees expect to be able to work and access company documents when away from the office.
Most companies have also solved the whole bring your own device (BYOD) question. They have taken measures to counteract the risks; for example, they have strengthened their firewalls and introduced tiered systems of mobile access.
However, with the number of security breaches continuing to rise, many companies are wondering if they are doing enough. Earlier in 2017, the UK government released the results of a cyber security survey which revealed that seven in ten large businesses had identified a breach or attack. These cases include Uber, which recently revealed that it had been hacked in late 2016, exposing the personal information of 57 million customers and drivers.
The credit rating company Equifax and Yahoo have also recently admitted their own breaches.
Because these are all large, high-profile businesses, it’s easy for smaller companies to think it won’t happen to them. Yet, worryingly, the survey also points out that small businesses can be hit particularly hard by a cyber attack, with nearly one in five taking a day or more to recover from their most disruptive breach.
Mobile devices seen as vulnerable
None of these incidents seems to have been caused by a lack of mobile security. But, unfortunately, cyber criminals will always find the vulnerabilities, and it seems that mobile devices are often seen as that weak spot. In fact, in a study for Check Point Software, 20 per cent of companies polled said their mobile devices had been breached and nearly all (94 per cent) expected the frequency of mobile attacks to increase.
Mobile apps are another target, especially those which enable users to store personal details. Increasingly, apps are being used by workers in the field such as insurance risk assessors, sales reps and customer service agents. They can store significant amounts of data – often customer information and personal details – and are extremely vulnerable to hackers.
But it’s not just the sudden proliferation of security breaches that’s drawing attention to mobile security.
As the deadline for compliance with the new General Data Protection Regulation (GDPR) in May 2018 comes closer, businesses are now also faced with the threat of large financial penalties. Gartner notes that ‘by 2019, 30 per cent of organisations will face significant financial exposure from regulatory bodies due to their failure to comply with GDPR requirements to protect personal data on mobile devices’.
So how can businesses – and especially small businesses without a huge IT department – exercise ‘due diligence’ and protect their data to the required levels?
As I see it, there are four main areas of best practice:
Don’t ignore patch updates
Updating patches regularly would have negated many of the problems associated with the recent WannaCry ransomware attack. That is easier said than done for many hard-pressed small businesses, where patching can be seen as a hassle. However, making sure the latest anti-virus and anti-malware software is in place and that firewalls and gateways are up to date is a vital first step to protecting data.
Staff must understand the issues at stake
A mobile security strategy should include who can access what, a policy on mobile apps and storage of confidential company details – not just on mobile phones, but also on laptops, tablets and USB sticks which can be easily mislaid.
Education is key here. For example, some people like to save work in multiple locations to ensure accessibility and to know there is a back-up. Employees should ensure passwords are strong and they carefully manage and protect both their own personal data and the company information entrusted to them.
Businesses should protect other potential weak spots such as mobile printing. If documents are sent to print from a mobile phone to an office, they can easily get into the wrong hands. Businesses should use printers that hold documents until a user enters the right PIN code or other authentication, and should use encryption.
Adaptive authentication
Adaptive authentication based on certain parameters can ensure that while employees have easy access to low risk data, a company’s confidential information is kept safe and only accessed by those with the right authority and trust.
This may mean that access to some parts of the network requires only a single password, whereas reaching HR data, for instance, requires two-factor user authentication and a digital certificate, even for the same user.
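The tiered check described above can be sketched as a small policy function. This is an added example, not code from the article or from any product; the resource names, factor names and the unmanaged-device rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy: resource names, factor names and the device rule
# are assumptions for illustration, not taken from any product.
REQUIRED_FACTORS = {
    "staff_directory": {"password"},
    "hr_records": {"password", "second_factor", "client_certificate"},
}

@dataclass
class Session:
    user: str
    managed_device: bool
    verified: set = field(default_factory=set)  # factors proven so far

def access_decision(session, resource):
    """Return (decision, missing_factors) for one request."""
    base = REQUIRED_FACTORS.get(resource)
    if base is None:
        return "deny", []  # unknown resource: fail closed
    required = set(base)
    if not session.managed_device:
        # Adaptive rule (assumed): unmanaged devices always need a second factor.
        required.add("second_factor")
    missing = sorted(required - session.verified)
    return ("allow", []) if not missing else ("step_up", missing)

def demo():
    # Constructed sample: the same user asks for two different resources.
    s = Session("alice", managed_device=True, verified={"password"})
    results = [access_decision(s, "staff_directory"),
               access_decision(s, "hr_records")]
    # After the user completes the extra factors, HR access is granted.
    s.verified |= {"second_factor", "client_certificate"}
    results.append(access_decision(s, "hr_records"))
    return results

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

A "step_up" result tells the caller which factors to prompt for before retrying, so the same user keeps easy access to low risk data without weakening the check on HR data.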
Layers of security
An increasing number of organisations are implementing several layers of mobile security to plug every vulnerability. This can include mobile device management, mobile application management as well as anti-malware and anti-ransomware. There’s no one size fits all here, just a policy of adding protection at any weak point.
Mobile working has so many productivity benefits that they outweigh the burden of all these measures. However, caught between the cyber criminals and the regulators, businesses need to get their house in order. It’s not rocket science, but more efficient housekeeping that will ensure security.
Alistair Millar is group marketing manager of Altodigital.