According to ComputerWeekly and the latest mobile security report by global mobile connectivity firm iPass, your biggest threat to company data security is your remote or mobile workforce. In a poll of 500 CIOs and IT decision makers in the UK, US, Germany and France, 57 percent of organizations suspect that their mobile workers have been compromised or caused a mobile security issue in the past year.
Some of the report’s most striking highlights:
- More than half of organizations fear that their mobile workers have been hacked.
- 81 percent of respondents have knowledge of Wi-Fi-related security incidents in the past 12 months.
- While most respondents have implemented BYOD (Bring Your Own Device) policies, 94 percent of CIO and IT admin security professionals said BYOD has actually increased the overall mobile security risks.
- This growing mobile workforce is trending towards increased cyber security risk, as the McAfee mobile threat report of Q1 2018 states that 16 million users were hit with mobile malware in the third quarter of 2017.
Raghu Konka, vice-president of engineering at iPass, commented in ComputerWeekly that “…There is no escaping the fact that mobile security threats are rising, and while it is great that mobile workers are increasingly able to work from locations such as cafes, hotels and airports, there is no guarantee the Wi-Fi hotspot they are using are fully secure.”
Highlighted in a recent Tech.co blog, a Gallup poll reports that 43 percent of employees worked remotely in 2016, further noting that, “A globe-spanning 2017 study from Polycom confirms that the remote workplace is on the rise: 62 percent of 25,000 surveyed workers reported regularly taking advantage of flexible working practices offered to them.”
It’s possible that the corporate enterprise threats of malware, phishing, identity theft, ransomware or worse from mobile employees may put an end to this trend.
Back to the Company Cubicle…??
Does this latest report spell the end of mobile employee freedom? Are the Starbucks Office Warriors a thing of the past? Is the remote worker’s daily attire of yoga pants and t-shirts to be retired and consigned back to the “office professional” dress code and mandatory 9-to-5 in-office attendance residing in “Cubeland?” Well, let’s not go overboard all at once here; some people still get their best work done from remote locations or at home on their laptops, clad in Speed Racer PJ’s eating a wheel of cheese (TMI?).
What it comes down to is a set of criteria that mobile or remote employees must follow—and CISOs must enforce—to ensure a safe “cone” of security to the corporate network and its valuable assets and resources.
Neill Feather, president of web security firm SiteLock, spoke with TechRepublic's Dan Patterson about the unique challenges of maintaining security with a distributed workforce.
The checklist below includes some of his criteria, along with some other standard and new practices we’ve uncovered:
- Have a cybersecurity travel policy in place.
- Consider banning all “free” Wi-Fi hotspots unless they are from a corporate-subscribed, reputable business carrier with secure company logins spread about most global metropolitan locations (AT&T, Verizon, BT, and others offer this service).
- Mandatory VPN use when using Wi-Fi.
- Use of Multi-Factor Authentication to access and use any company apps, resources, tools or data.
- Device and User Authentication.
- Educating your mobile workforce on the importance of cybersecurity – in and out of the office.
- Training. Training. Training.
OK, you probably agree with most of these, but is it truly feasible to ban all mobile employees from using free Wi-Fi hotspots? Some remote workers will stop at nothing to get Internet access, corporate security be damned. CISOs would agree that banning free public Wi-Fi spots across the board may not be possible, and that it’s far better to instill a sense of obligation to utilize only the designated company Wi-Fi hotspots where corporate subscriptions are secured (or ones you know and trust, as noted below). And the use of a solid company VPN solution goes without saying.
Feather clarifies the argument:
“[a]void using public Wi-Fi networks such as those in cafés or restaurants as they are inherently insecure. Only use wireless hotspots that you know and trust. For instance, the coffee shop in your area where they provide you with a password to use the Wi-Fi. Always check if you are connected to the correct network as hackers usually set up fake Wi-Fi hotspots near legitimate public Wi-Fi networks. Never use public Wi-Fi without turning on your firewall. Do not use unsecure websites that only have “HTTP” before their URL, not HTTPS.”
Other suggestions include:
- Inventory the list of apps/resources employees need or use (or consequently, set a list of standard, company-sanctioned resources and apps for them to use on approved devices or home smart offices). And make sure to put the right protocols in place for each of those applications to help drive a more secure environment for your employees.
- Have a cybersecurity breach plan in place so that both employees and managers know what to do WHEN they are attacked (not IF, believe me, it's going to happen).
- Smart home router security — in a recent SecurityBrief News blog, Trend Micro says the router is the central connection hub for all smart home office devices including computers, smartphones, and other endpoints employees use.
In this way, if robust security isn't in place at this critical juncture, employees leveraging their home network for work activity could be opening themselves up to considerable risk. Worst of all, a device infected at home could potentially impact the entire enterprise network once the staff member brings the endpoint back to the office for work. Remote Desktop Protocol (RDP) attacks can also be used to brute force logins of home devices.
Securing the Smart Home Office Router
Just like an enterprise network, home networks need protective measures, too. Trend Micro says there are three important issues IT teams should consider for their mobile workforce:
- Incorrectly configured networks: this can extend to a range of different factors, but the bottom line is that an incorrectly configured home network can provide an easy open door for malicious actors.
- Default or weak passwords: if employees don't adjust the security credentials of their smart home routers and keep the default password in place – or use a password that is considerably easy to guess – it presents low-hanging fruit for hackers. It's imperative that default credentials are replaced with strong passwords once the smart home network equipment is deployed.
- Firmware updates: not updating devices with the latest patches can also create easily exploitable vulnerabilities that result in significant security gaps and other problems.
Additionally, GlobalSign would be remiss if we did not mention that digital certificates address both user and machine security and authentication use cases for computers, email, documents and mobile devices. And the important differentiator of certificate-based authentication is that, unlike some solutions that only work for users, such as biometrics and one-time passwords (OTP), the same solution can be used for all endpoints – users, machines, devices and the now millions of endpoints that comprise the Internet of Things (IoT).
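To make the "same solution for users and machines" point concrete, here is an added example (not GlobalSign's code or any product's API) of a service that requires a client certificate from every peer and then derives either a user or a device identity from it. The naming policy, the domain names, the `ca_file` path and the sample certificates are assumptions constructed for illustration.

```python
import ssl

# Assumed naming policy (hypothetical): people get an e-mail SAN in the
# corporate domain, machines get a DNS SAN under a dedicated device zone.
USER_DOMAIN = "example.com"
DEVICE_ZONE = "devices.example.com"

def build_server_context(ca_file=None):
    """Server-side TLS context that only completes a handshake with clients
    presenting a certificate issued by the organisation's CA."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # no valid client certificate, no session
    if ca_file:  # hypothetical path to the issuing CA bundle
        ctx.load_verify_locations(cafile=ca_file)
    return ctx

def identify_peer(cert):
    """Turn the dict from SSLSocket.getpeercert() (chain already validated by
    the TLS stack) into ("user" | "device", name), or refuse the peer."""
    if not cert:
        raise PermissionError("no validated client certificate")
    for kind, value in cert.get("subjectAltName", ()):
        value = value.lower()
        if kind == "email" and value.endswith("@" + USER_DOMAIN):
            return ("user", value)
        if kind == "DNS" and value.endswith("." + DEVICE_ZONE):
            return ("device", value)
    raise PermissionError("certificate holds no identity this service accepts")

# Constructed samples in the shape getpeercert() returns.
USER_CERT = {"subject": ((("commonName", "Alice Example"),),),
             "subjectAltName": (("email", "alice@example.com"),)}
DEVICE_CERT = {"subject": ((("commonName", "laptop-0042"),),),
               "subjectAltName": (("DNS", "laptop-0042.devices.example.com"),)}
OTHER_CERT = {"subject": ((("commonName", "printer"),),),
              "subjectAltName": (("DNS", "printer.partner.example.net"),)}

if __name__ == "__main__":
    for sample in (USER_CERT, DEVICE_CERT, OTHER_CERT):
        try:
            print(identify_peer(sample))
        except PermissionError as err:
            print("rejected:", err)
```

The chain, signature and validity checks happen inside the TLS handshake; `identify_peer` only decides which kind of endpoint the already-validated certificate represents.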
Time to face facts: Americans alone logged 457.4 million trips for business in 2016, with little sign of this trend slowing. In fact, it is more likely to increase year on year, with domestic business trips predicted to reach 483 million by 2020. Let’s all do our part to make sure we’re secure out there, just in case your superhero PJ’s aren’t enough!
Other resources:
- White Paper: Certificate-based Authentication for Access Control.
- TechRepublic’s 10 ways to raise your users’ cybersecurity IQ.
- Top-Ten VPN’s.