Employees today aren't tied to an office the way they used to be. Thanks to laptops, tablets and mobile phones, they can work just as well at home or in a café, which means they can be more flexible about when, where and how they work. But the mobile workforce and BYOD (bring your own device) have created a new headache for security and IT teams: how do you keep all that work secure? Here are some tips.
1. Define your devices
Geoff Hill, founder of boutique security consultancy Artis-Secure, says the security team "are asking for trouble if they just allow any device into the organization, because then they can't define the attack surface." His advice: create an approved list of devices and offer employees a choice from that. It's also important to have a good mobile device management (MDM) solution in place that can quickly perform a remote wipe of a lost, stolen or compromised device.
2. Lock them
Enterprises should enforce either biometric or PIN-based device locking for mobile devices. Independent security consultant Graham Cluley is a fan of Apple's fingerprint locking system, but says that company policy should require that a device is unlocked with a PIN if it hasn't been used for a while. "Your fingerprint is everywhere," he explains. "There are videos online of people taking prints from glasses and using them to open a device."
3. Know your apps
It's not just the device that can put your security at risk, but what's on it. As Cluley explains, apps aren't always developed securely. One way to mitigate this is to restrict what employees can download. Enterprises can even set up their own app stores that only allow users to install approved apps on devices they use for work.
4. You need backup
Cluley says it's simplest if the company owns the device: "You can tell employees you need a backup policy, but you can also ensure their personal files are backed up." This is where the cloud comes in, but Hill cautions that "you can't necessarily rely on a third-party cloud provider; you have to take their word for it that they're doing a good job on security."
5. Keep it private in public
Another threat is the use of free public Wi-Fi. These hotspots can range from simply insecure to malicious: attackers can set up "evil twin" networks that carry the same name as a legitimate hotspot, and then use them to capture passwords and other data from anyone who connects. One way to mitigate this is to require all work traffic to go through a virtual private network (VPN) to the office, so the hotspot operator sees only encrypted traffic. The device still has to verify the identity of the VPN server, otherwise an evil twin can impersonate that as well.
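The article does not show how an evil twin can be spotted, so the following is an added example, not code from the article or from the consultants it quotes. It runs three simple heuristics over a Wi-Fi scan: an open network that shares its name with a protected one, a BSSID that is not on the list of access points the organisation actually deployed for that name, and a BSSID whose locally-administered bit is set (the kind of address a software access point on a laptop typically uses). The scan results and the deployed-AP list are constructed sample data, and the rules are heuristics that complement, rather than replace, the VPN requirement.

```python
from collections import defaultdict

# Constructed sample scan results: (SSID, BSSID, security type). Not real captures.
SCAN = [
    ("CafeFreeWifi", "a4:56:02:11:22:33", "WPA2-PSK"),
    ("CafeFreeWifi", "a4:56:02:11:22:34", "WPA2-PSK"),        # second radio of the real AP
    ("CafeFreeWifi", "02:13:37:aa:bb:cc", "OPEN"),            # same name, no encryption
    ("CorpGuest",    "00:1a:2b:00:00:01", "WPA2-Enterprise"),
    ("CorpGuest",    "de:ad:be:ef:00:01", "OPEN"),            # not one of ours
]

# Constructed allowlist of the BSSIDs the organisation actually deployed, per SSID.
KNOWN_APS = {"CorpGuest": {"00:1a:2b:00:00:01"}}


def is_locally_administered(bssid):
    """The U/L bit (0x02) of the first octet marks a locally assigned MAC address,
    which is what most software access points (e.g. hostapd on a laptop) use."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def find_evil_twins(scan, known_aps=None):
    """Return a list of (ssid, bssid, [reasons]) for access points that look like
    impersonators of a legitimate network seen in the same scan."""
    known_aps = known_aps or {}
    by_ssid = defaultdict(list)
    for ssid, bssid, security in scan:
        by_ssid[ssid].append((bssid.lower(), security.upper()))

    alerts = []
    for ssid, aps in by_ssid.items():
        protected_seen = any(sec != "OPEN" for _, sec in aps)
        for bssid, security in aps:
            reasons = []
            if ssid in known_aps and bssid not in known_aps[ssid]:
                reasons.append("BSSID not in the deployed list for this SSID")
            if security == "OPEN" and protected_seen:
                reasons.append("open network shares its name with a protected one")
            if is_locally_administered(bssid):
                reasons.append("locally administered BSSID (software AP?)")
            if reasons:
                alerts.append((ssid, bssid, reasons))
    return alerts


if __name__ == "__main__":
    for ssid, bssid, reasons in find_evil_twins(SCAN, KNOWN_APS):
        print(f"{ssid} {bssid}: {'; '.join(reasons)}")
```

On the sample scan the two genuine CafeFreeWifi radios and the deployed CorpGuest AP pass, while the open CafeFreeWifi clone and the rogue CorpGuest AP are flagged. An attacker can of course clone a real BSSID too, which is why the text's VPN advice still stands.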
6. Carry out an audit
This brings us to the issue of securing the data carried on mobile devices. Before any security policies can be put in place, it's vital to do an audit of what data you hold, how sensitive it is and who has or needs access to it.
7. Encrypt your data
Encrypting data is one way of securing it, but it is not free: it costs processing time and, more importantly, the keys have to be managed and protected. Hill points out that you need to differentiate between data at rest (stored), data in use (being processed on the device) and data in transit (moving over the network). "Encryption is only part of the picture," he says. "It protects data at rest, but not necessarily data in transit."
8. The value of authentication
Multifactor authentication can also help. The most common form is two-factor authentication, where, in addition to a password, a user receives a text message or uses a token that generates a one-time code each time they log in. Another option is a threshold or "three of five" scheme, where five individuals each hold a key or password and at least three of them must authenticate before anyone can proceed. "You have to pick and choose where you use that," says Hill. "You don't need it for, say, press releases, but more sensitive data should be protected in this way."
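The two mechanisms mentioned above are not spelled out on the page, so here is an added Python sketch (not from the article or the consultants it quotes) of how each is usually built: the one-time code a token or authenticator app produces, per RFC 4226 (HOTP) and RFC 6238 (TOTP), and a 3-of-5 requirement implemented with Shamir's secret sharing, which is one standard way to make sure that any three of five key holders, and no fewer, can reconstruct a key. Treating "three of five" as a Shamir threshold is this example's assumption, not the article's; the TOTP seed is the RFC test-vector value and the secret being split is a constructed sample.

```python
import hashlib
import hmac
import secrets
import struct
import time

# ---- Second factor: RFC 4226 HOTP / RFC 6238 TOTP, the code a token or app shows ----

def hotp(key, counter, digits=6):
    """HMAC-SHA1 one-time code for a counter value (RFC 4226 dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, now=None, step=30, digits=6):
    """Time-based code: the counter is the number of `step`-second intervals since the epoch."""
    now = int(time.time()) if now is None else now
    return hotp(key, now // step, digits)


def verify_totp(key, code, now=None, step=30, window=1):
    """Accept the current code or one step either side to absorb clock drift.
    Comparison is constant-time; a code is single-use only if the caller also
    records which counter values it has already accepted."""
    now = int(time.time()) if now is None else now
    return any(
        hmac.compare_digest(totp(key, now + d * step, step), code)
        for d in range(-window, window + 1)
    )


# ---- "Three of five": Shamir's threshold secret sharing over a prime field ----
P = 2 ** 127 - 1  # field modulus; the secret must be an integer below P


def _poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Split `secret` into n shares so that any k recover it and fewer than k
    reveal nothing: the secret is the constant term of a random degree k-1
    polynomial and share i is the point (i, f(i))."""
    if not (0 <= secret < P and 1 <= k <= n):
        raise ValueError("need 0 <= secret < P and 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 from at least k distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


if __name__ == "__main__":
    seed = b"12345678901234567890"                      # RFC 4226/6238 test-vector secret
    print("TOTP at t=59:", totp(seed, now=59))
    master = int.from_bytes(b"vault-master-key", "big")  # constructed secret to split
    shares = split_secret(master, 3, 5)
    print("recovered from 3 of 5:", recover_secret(shares[:3]) == master)
```

With two shares the interpolation returns a value unrelated to the secret, which is the property that makes the scheme a genuine threshold rather than a simple vote; the per-holder shares, like TOTP seeds, still have to be stored somewhere safe, which is where the device-security advice above comes back in.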
9. Keep data off devices
The best way to ensure that mobile devices aren't a security risk is simply not to put data on them. You can use a remote system such as Citrix to provide a window into what your employees need to access, rather than letting them take sensitive material out and about with them.
10. Education is vital
Implementing security for an enterprise that offers BYOD inevitably runs into practical and ethical issues. Hill says it's vital to make it clear to everyone that, if a device is being used for work, the business has to be in control of that device: "You need to educate people about what BYOD means – that anything on their phones is in effect the property of the company."