What happens to your company's security when hackers break into the network at the coffee shop your marketing head frequents?
What happens to your company's security when your sales manager leaves his phone in a taxi?
What happens to your company's security when your vice-president gets divorced and the spouse absconds with a laptop?
The number one cause of cyber security breaches is employee negligence. Combine that with an increasingly mobile workforce, and the potential for disaster becomes frightening.
The security staff at Global Digital Forensics has mitigated hundreds of cyber incidents, and we've helped companies in all sectors establish remote work security policies and practices. Based on all that experience, here are ten steps you can take that will secure your mobile workforce from about 90% of the threats out there.
- Create a Clear Mobile Device Security Policy (and enforce it) – For cybersecurity to work, everyone in an organization has to be on the same page. Cookie-cutter policies are not ideal, as every organization has a unique environment and needs. A vulnerability assessment will help to determine specific security concerns, and from that a policy can be crafted. A good security policy is a black and white document, and it should make clear what is acceptable and what is not. Once the policy is created, everyone in the organization needs to thoroughly understand it, and review it at regular intervals. The Mobile Device Security Policy should also be presented to new hires and temp workers. The consequences of unacceptable behavior should also be clearly defined, and enforced.
- Ensure Secure Connections – Communications throughout the network should be encrypted. Remote connections should be made through a Virtual Private Network (VPN), or network hardware that encrypts traffic to and from remote devices. Encrypted VPN connections are one of the best ways to prevent Man-in-the-Middle attacks, which occur when an attacker gets between sources and destinations on the network and intercepts data transmissions.
- Provide Antivirus / Anti-malware Solutions – Every computer with access to the company’s network and data must have anti-virus and anti-malware software installed. There are many software solutions available, and probably one best fits your particular security concerns. Whatever software you use, make the installation mandatory and, of course, make this explicit in your security policies.
- Layer Security and Separate Networks – Mobile devices should be limited to certain areas of the network. This will make it more difficult for an attacker to reach the more important areas of the network and limit the potential damage of an attack. Ideally, there should be totally separate networks for employees and visitors, and even separate networks for different security levels of employees.
- Use the Principle of Least Privilege – Users should only have access to the data and programs they need to do their jobs, and no more. This is a cornerstone of security. It also ensures that if a particular user is compromised by an attacker, through a phishing attack or some other type of social engineering, the attacker will only have access to a limited pool of data. Those with the highest privileges should also have commensurate knowledge about good security practices. Privileges for temp workers and interns should also be very strictly controlled. There is no reason for everyone in a company to have equal access to data on the network.
- Beware of Public Wi-Fi – Wi-Fi networks in coffee shops, airports and the like are a huge security concern. Public Wi-Fi is an easy target for hackers and an easy way for an attacker to get into a computer and install malware. Remote workers with access to privileged data should be issued mobile broadband cards for laptops or mobile data plans for smartphones that can then be used to “tether” a laptop to a more secure mobile network.
- Enforce a Strong Password Policy – The main point of failure in 85% of all hacks is a weak password. You simply must enforce a strong password policy. Strong passwords consist of at least 10 characters (the more the better), a mixture of both uppercase and lowercase letters, a mixture of letters and numbers, and at least one special character (e.g., ! @ & $ % # ?). As strong passwords can be more difficult to remember, there are plenty of reputable password manager utilities available to help keep them straight and easily available. Using the same password across multiple platforms is also a major vulnerability. If a user has the same password for their Facebook account, Gmail, Amazon, etc., then hacking one account can lead to hacking all accounts, including your company email accounts, online software platforms and more. A strong password policy should be employed and enforced, ensuring only unique, complex passwords are used, and users should be forced to change their passwords at regular intervals.
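As an added example (not code from the post or from GDF), here is a checker that enforces the policy exactly as the post states it: at least 10 characters, upper- and lowercase letters, a digit, one of the listed special characters, and no reuse of a previous password. The salted PBKDF2 history store is an assumed storage format, not something the post specifies.

```python
"""Password-policy checker for the rules stated above plus a no-reuse rule."""
import hashlib
import hmac
import re

SPECIALS = "!@&$%#?"   # the special characters the post lists as examples
MIN_LENGTH = 10        # the post's stated minimum


def policy_violations(password: str) -> list[str]:
    """Return the policy rules the candidate breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append(f"no special character from {SPECIALS}")
    return problems


def hash_for_history(password: str, salt: bytes) -> bytes:
    # Assumed storage format: salted PBKDF2-SHA256 so the history never holds plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def is_reused(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any (salt, hash) pair kept from earlier rotations."""
    return any(hmac.compare_digest(hash_for_history(password, salt), digest)
               for salt, digest in history)


def accept_new_password(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Combine the complexity rules with the uniqueness rule at rotation time."""
    problems = policy_violations(password)
    if is_reused(password, history):
        problems.append("password was used before")
    return problems


if __name__ == "__main__":
    # Constructed sample: one prior password in the user's history.
    salt = b"constructed-salt"
    history = [(salt, hash_for_history("OldPassw0rd!", salt))]
    print(accept_new_password("OldPassw0rd!", history))  # reuse is rejected
    print(accept_new_password("NewPassw0rd!", history))  # compliant, accepted
```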
- Enforce Two-Factor / Multi-factor Authentication – Attackers are very sophisticated these days, and a simple username/password combination is not enough. Two-factor and multi-factor authentication tools add steps, such as responding to a text message, which make it much harder for an attacker to gain access. Whether it’s a text, or responding to an email, a fingerprint, voice authorization, or a combination of these, every step that’s added increases security. Find the solution that works for you and make it mandatory for remote access. At the very least, remote workers should have to complete two-factor authentication to get on your company network.
- Ensure Device Security – Mobile devices are easy to steal and easy to lose. One way to help avoid disaster is to enforce strict remote lock and data wipe protection. An organization should have the ability to remotely lock or erase a potentially lost phone, tablet or laptop. For organizationally issued mobile devices this is easy; for BYOD (Bring Your Own Device) users it can be difficult to separate personal data from work-related data. There are workarounds, like setting up two different environments on a device, separating business from personal. The organization can lock its portion and wipe its data, and the user can deal with theirs however they see fit. The best and most secure way to handle this situation is to issue specific devices which are to be used strictly for company business.
- Control Apps and Updates – Mobile applications (apps) are notoriously insecure. They are designed for ease of use, and often security is the last thing on the minds of app developers. Add that to the sheer volume of app choices and it’s no wonder they create security problems. Strict control of apps must be maintained for any device which will be used to access organizational resources, with only apps from an IT pre-approved list allowed. Approved apps and app security protocols should also be spelled out in the mobile device security policy. Keeping applications, operating systems, software and security software updated is also extremely important, as outdated software is one of the most common threat vectors attackers use to compromise networks. Mandatory app checks at regular intervals should be policy. It’s also a good idea to throw in some unannounced spot checks to make sure everyone is staying on their toes.
Remote working is only going to become more common, and cyber crime is showing no signs of abating anytime soon. As the “gig economy” grows, and as technology continues to change the landscape of the workplace, remote workers will increasingly be a security concern. Implementing the items listed above is a good start, but for more ideas, or a comprehensive cyber security assessment, contact GDF at 1-(800) 868-8189.