Benefits and risks of a mobile workforce and strategies to help mitigate associated risks.
Shopping for a mobile device management solution for your organization, or simply considering bring your own device (BYOD)? We all know the convenience and benefits of using mobile devices in an organization, some of which include increased productivity and efficiency, decreased response time, and less overhead. However, we tend to forget that along with the benefits, a mobile workforce brings risks that need to be carefully considered.
For those organizations currently considering the use of mobile devices, this article will cover briefly what mobile device management is, some of the benefits and risks, as well as strategies that need to be considered to help mitigate the risks within a mobile workforce.
What is Mobile Device Management (MDM)?
Management of mobile devices can be achieved by implementing a mobile device management (MDM) solution. An MDM solution is software that allows an organization to centrally manage and secure mobile devices. With an MDM solution, an organization could enforce access controls on the entire device or for specific applications, or the solution could remotely wipe the data on a device in the event a device is lost or stolen. Overall, the goal of an MDM solution is to support the use of mobile devices in a secure manner to ensure corporate assets are protected. To learn more about MDM solutions, see PCmag.com for their evaluation of various MDM solutions.
Benefits of a Mobile Workforce
- Increased productivity and efficiency – There are many apps and tools that support a mobile workforce and most of these tools are specifically designed with productivity and collaboration in mind. Being able to work at a desk then seamlessly move to a smartphone and back allows an employee to work efficiently wherever they may be.
- Decreased response time – Having a mobile workforce helps decrease response time and increase customer service. Allowing an employee to resolve an issue wherever they are instead of having to drive into the office significantly reduces the turnaround time for problem resolution.
- Employee hiring and retention – Finding the right employee and retaining them is a hard and expensive task. When a company provides a mobile work solution, it is no longer bound to hiring locally. It can cast a wider net and find the right talent anywhere in the world without requiring the new employee to relocate, and without settling on an okay candidate because of location. A mobile work solution also allows employees to have a more flexible schedule and, in turn, creates a happier work environment. It gives the employee a better work/life balance: they can work from home to support a sick child, or take off early to run some errands and then jump on later that evening to get caught up on work.
- Less overhead – Having a mobile workforce often means less overhead. If employees can work remotely, a company no longer needs to maintain a large office space or pay for heating and cooling, parking, etc. The company can move to temporary offices that scale up or down based on projects or need, rent out space that is no longer needed, or downsize to hoteling space (shared, reservable workspaces) instead of dedicated desks.
Risks of a Mobile Workforce
Companies are struggling to find a balance between allowing their employees the freedom of mobility against the security of the enterprise’s assets and data.
While not comprehensive, NIST SP 800-124 r1 lays out seven high-level threats and vulnerabilities and provides additional details for each one. I highly recommend reviewing the entire NIST 800-124 document, as it has a lot of good information on managing and securing mobile devices in the enterprise. Below is the list of mobile threats defined by NIST.
- Lack of physical security controls
- Use of untrusted mobile devices
- Use of untrusted networks
- Use of apps created by unknown parties
- Interaction with other systems
- Use of untrusted content
- Use of location services
Strategies to Mitigate/Reduce Mobile Security Risks
So, how can a company reduce the risk of having a mobile workforce and start reaping the benefits? Listed below are 10 mobile workforce security strategies that can help.
1. BYOD Policy
Implementing a mobile workforce policy that documents acceptable use, as well as tips to reduce the risk of a breach, attack, or lost device, is an important first step. BYOD should not be adopted blindly; a written policy ensures the program aligns with your overall strategic IT security policy and sets it up for success.
2. Enable the passcode/biometrics
It is good practice to force the use of a passcode and/or biometrics on all mobile devices. In the event that a mobile device is lost or stolen (or you have a nosy friend), having a passcode/password or biometrics on your mobile device will at least slow down the casual thief. More is always good, so push for six characters instead of four, and if you are a bit paranoid and use a passcode, consider wiping down your screen occasionally so the unlock pattern cannot be read from the smudges.
3. Utilize a VPN Service
Open Wi-Fi networks are dangerous. Open networks are ripe for snooping, compromise, and attack. With a mobile workforce, open networks are used frequently, from working at a local coffee shop to doing some work at the airport before a flight, and in each case the device and the data are at risk. Since much of the workforce will inevitably end up on an open network at some time, it is recommended to enforce the use of a VPN solution to protect their devices and data from attackers. VPNs are not expensive and can provide a lot of protection from Wi-Fi sniffing and man-in-the-middle attacks. If you want to go cheap and use a free VPN service, beware: you get what you pay for. VPN services are not cheap to provide, so the free services are recouping their money somehow, whether via ads or by selling your information.
4. Patch and Update
Not updating mobile devices leaves them open to malware and attack, so patch and update your devices. If you want to force the issue, quarantine the device until it is updated before allowing it access to the enterprise.
5. Whitelist Apps
Downloading unofficial or sideloaded apps is the number one way to get malware, Trojans, or viruses on mobile devices. Many organizations want to install their custom apps, and in doing so force users to enable “Unknown sources” or jailbreak the device to get the app installed. This is not good. By doing this, the mobile device is now vulnerable to all sorts of nasty things: a user can install pretty much anything, and you have just removed a major security feature of the device. Instead, it is recommended to whitelist applications (essentially, you select the apps that are allowed to be installed) or, at minimum, blacklist known malicious apps. If you have an enterprise app, push that app out using an MDM solution (see No. 9 below), since trust is automatically established.
6. Backup Mobile Devices
Always back up mobile devices, and back them up frequently. The mobile nature of the devices leaves them at a higher risk of being destroyed, lost, or stolen. Backing up the devices also gives the company and employees the benefit of limiting the damage of ransomware attacks. Also, you probably do not want to have the conversation with a user in which you have to remotely wipe their mobile device and all data will be lost because there are no backups.
7. Implement a remote wipe and the “find my device” feature
If for any reason a user’s mobile device is lost or stolen, having an option to remotely wipe and/or locate the device can be invaluable. A phone can easily be replaced, and if you performed backups as in No. 6, a user can be up and running with a new phone in minutes. Paying $600 for a new iPhone is a whole lot cheaper than dealing with a breach of sensitive information. Also, if you can remotely wipe and brick the phone, the shady character who took it now only has a fancy coaster, and you can feel a little better about the situation.
8. Encrypt your devices
Always enable full-disk encryption on mobile devices. It is quick to implement, and the user will probably never know it is enabled. There are many tools out there, like FileVault, BitLocker, PGP encryption, etc. Enabling encryption will ensure that a thief is unable to access the device or the data without knowing the password.
9. Implement MDM to centrally manage devices
As discussed earlier in this article, Mobile Device Management (MDM) is a centralized system for managing mobile devices. An MDM can make your life a lot easier if your job is to manage and protect mobile devices. MDM solutions are plentiful these days, so you should have plenty of options to choose from. When selecting your MDM tool, I recommend, per No. 1, documenting a mobile device policy first and then searching for a tool that can manage the controls you have documented. For reference, according to FinancesOnline, here are the top 20 mobile device management software solutions for 2019.
10. Train Your Employees
Phishing is a leading way that malicious users steal data. You can have all the protections in the world enabled, but if your employees do not understand what phishing is and how to detect it, you may be at risk. Be sure to document your mobile device policy and create mobile workforce training to help your employees understand the threats and risks of being mobile, along with tips on how to mitigate them. Be sure to include acceptable use, tips on traveling abroad, and tips on how not to leave devices in plain sight.
The use of mobile devices or BYOD comes with risks and benefits. By following the above mobile workforce security safeguards, the enterprise will be well on its way to mitigating risk and safeguarding against loss, and you and your employees will be able to take advantage of the benefits that a mobile workforce can bring. Mobile security, especially where mobile devices are used to support business and access sensitive data, is integral to reducing risk and protecting company data. A security assessment, which may include mobile devices, is required as part of a SOC 2 examination and is at the core of FedRAMP and HIPAA assessments as well. Linford & Company would be happy to answer any questions about mobile security, enterprise security, or our services in general. Learn more about our services, like SOC 2, FedRAMP, and HIPAA audits.
Olivia Refile (CISSP, CISA, CRISC, GSEC, ISO Lead Auditor) specializes in SOC examinations for Linford & Co., LLP. She completed her Bachelor of Business Administration, with a concentration in Management Information Systems, at Temple University’s Fox School of Business in 2010. Olivia started her career in IT Risk Management in 2010, specializing in internal and external audits as well as IT security risk assessments. Following her time in risk management, Olivia moved solely into external IT audit and is currently dedicated to performing SOC 1 and SOC 2 examinations.