UPDATED SEPTEMBER 2020
Current events have forced many businesses into quickly enabling staff to work from anywhere at any time. Desktops were replaced by laptops that could be taken home, staff using personal devices to access company data, and quick adoption of cloud and mobile apps. The ability to keep your business running took precedence over strategic planning, and now is the time to enable your remote workforce to be productive and secure. This mobile workforce evolution comes with many benefits, but if it’s not approached with careful thought and planning, it can also come with a unacceptable level of risk.
Are you certain your private and confidential information isn’t ending up on unsecured personal devices or in personal cloud services where it’s completely out of your control? Is that smartphone encrypted and locked with a PIN? Carefully thought-out policies and technical controls can help you mitigate the risks in our increasingly mobile world. Here is a look at the steps you can take to secure your mobile workforce.
1. Determine the Current State
You likely have information that needs to be protected in a multitude of different locations. Find out where the data is, how it’s accessed, and where it might go.
- Locate your sensitive information: Is it stored on laptops, network drives on your file server, in SharePoint, in Office, transferred via email?
- Determine the accessibility of the information: Do employees access email on their smartphones? Do they access other services like OneDrive or Dropbox? Are those cloud services configured properly so that the content isn’t being shared with the wrong people?
- Who is connecting to your cloud and network data. Are you sure it’s an authorized user? Do you trust the device they are connecting with and where they are connecting from?
2. Determine the Desired State
Determine what you want for acceptable behavior and ensure it’s in a policy that new hires and current employees receive, read thoroughly, and sign. This is known as an Acceptable Use Policy (AUP), and it’s important that there’s clear direction for employees including, but not limited, to:
- Approved services where sensitive data can be sent and saved (e.g. email, OneDrive vs. OneDrive for Business, Dropbox, SharePoint Online, etc.)
- Approved devices that can be used to access or store sensitive data (e.g. the company-owned smartphone, employee's personal devices like phones and tablets, home computers, etc.)
- Approved methods for securing user identities (e.g. strong passwords and required periodic password changes)
- The rights the company retains with regard to personal devices (e.g. the right to completely wipe a device and delete all its contents, or the right to selectively wipe only company data from the device, etc.)
- Security requirements for devices (e.g. device encryption, passwords and PINs, screen lock limits, etc.)
3. Implement Technical Controls to Enforce Policies
Your policy will guide employee behavior; technology can help ensure mistakes or malicious activities are limited. The implementation of technical controls is not a “one-size-fits-all” endeavor. Increased security usually means increased inconvenience, so it’s important to find balance between security and usability. Here are a couple high-level considerations to get things started:
Choose how you want to control information:
- Multi-Factor Authentication (MFA) is a great option to ensure the front door to your data remains locked from unauthorized access and its usability has improved greatly in recent years. Many find the push notification option the easiest to use. You simply enter your username and password and receive a popup notification on your phone, tap 'Allow,' and you’re in. There are many other options as well.
- Mobile Device Management (MDM) takes control of the entire device. It’s the most intrusive option for end-users, but it offers significant protections. It’s important to note that there is no separation of personal and business data with an MDM-only solution. If you wipe a device, everything is deleted, including personal photos and music.
- Mobile Application Management (MAM) controls just the apps. This solution is less intrusive for users, but it’s also more limited. “Containerization” allows you to wipe business apps while leaving personal data untouched - not all apps are supported and additional effort may be required to get things setup.
- Information Rights Management (IRM) sets security on individual files. This solution offers significant protection and flexibility because the files remain protected no matter where they end up. However, this requires ongoing effort for users to set and maintain appropriate permissions. Additionally, Microsoft identities (user accounts) are required.
Choose your settings:
There are many options to consider but at a minimum you should enforce encryption, require a PIN, and enforce a screen lock timeout. Additional options include, but not limited to:
- Block copy/paste,
- Block screenshots,
- Prevent 'Save As' operations to unmanaged locations,
- Number of failed login attempts before self-wipe,
- And, much more.
There is a lot to consider when determining how best to utilize mobile technology in order to maximize benefits while minimizing risks. It’s a complex topic that should be part of your cloud security strategy and customized to your individual business needs.
If you would like to learn more about securing your mobile workforce, contact us at firstname.lastname@example.org or call 888.624.6737 to speak to a Systems Engineering representative. Clients, please reach out to your Account Manager.