Mobile devices are everywhere. According to Pew Research, around 77% of all Americans own a smartphone, and more and more people rely on mobile devices for both work and play. With this mass adoption, companies are becoming increasingly reliant on a mobile workforce, because mobile devices keep employees connected and available at all times and let them work anywhere in the world at any time. Some employees consider this a bad thing because they want to leave work at work and not be “on call” 24/7/365; others have embraced it as an opportunity for a flexible schedule and a better work/life balance. For companies, however, mobile workforce security needs to be carefully addressed.
Benefits of a Mobile Workforce
Increased productivity and efficiency
There are many apps and tools that support a mobile workforce and most of these tools are specifically designed with productivity and collaboration in mind. Being able to work at a desk then seamlessly move to a smartphone and back allows an employee to work efficiently wherever they may be.
Decreased response time
Having a mobile workforce helps decrease response time and improve customer service. Allowing an employee to resolve an issue wherever they are, instead of having to drive into the office, significantly reduces the turnaround time for problem resolution.
Employee hiring and retention
Finding the right employee and retaining them is a hard and expensive task. When a company provides a mobile work solution, it is no longer bound to hiring locally. It can cast a wider net and find the right talent anywhere in the world without requiring the new employee to relocate, or settling for an okay candidate because of location. A mobile work solution also allows employees a more flexible schedule and, in turn, creates a happier work environment. It gives the employee a better work/life balance: they can work from home to care for a sick child, or leave early to run errands and then jump on later that evening to catch up on work.
Reduced overhead
Having a mobile workforce often means less overhead. If employees can work remotely, a company no longer needs to maintain a large office space or pay for heating and cooling, parking, etc. The company can move to temporary offices that scale up or down based on projects or need, rent out space that is no longer needed, or downsize to hoteling space (shared, reservable desks) instead of dedicated desks.
Threats and Risks of a Mobile Workforce
With the rapid shift of the business landscape toward a mobile workforce, companies are struggling to balance their employees’ freedom of mobility against the security of the enterprise’s assets and data. Stacy Collett, a contributing writer for CSO, recently wrote about five new threats to mobile device security, each of which is in turn a threat to the enterprise. As more companies move to, or support, a mobile workforce, the number of threats and the amount of malware will continue to rise. According to Nokia’s Threat Intelligence Report, malware has infected 1.35% of all mobile devices, and smartphones are the most frequently infected mobile devices, accounting for 85% of mobile infections.
While not comprehensive, NIST SP 800-124 Revision 1 (Guidelines for Managing the Security of Mobile Devices in the Enterprise) lays out seven high-level threats and vulnerabilities and provides additional detail on each one. I highly recommend reviewing the entire document, as it has a lot of good information on managing and securing mobile devices in the enterprise. Below are the mobile threats defined by NIST.
- Lack of physical security controls
- Use of untrusted mobile devices
- Use of untrusted networks
- Use of apps created by unknown parties
- Interaction with other systems
- Use of untrusted content
- Use of location services
Nine Strategies to Mitigate/Reduce Mobile Security Risks
So, how can a company reduce the risk of having a mobile workforce and start reaping the benefits? I have listed nine mobile workforce security strategies below that can help. While not explicitly listed below, it is highly recommended that the organization document its mobile risks and create a mobile workforce policy that covers acceptable use as well as tips to reduce the risk of a breach, attack, or lost device.
1. Enable the passcode/biometrics
It is good practice to require a passcode and/or biometrics on every mobile device. If a device is lost or stolen (or you have a nosey friend), a passcode or biometric lock will at least slow down the casual thief, and on current iOS and Android devices the passcode also protects the key that encrypts the device’s storage, so it is worth more than a speed bump. Longer is better: push for at least six digits instead of four, or an alphanumeric passcode. If you use a passcode, also wipe the screen occasionally, since the smudge pattern left by entering the same digits over and over can give the code away.
2. Utilize a VPN Service
Open Wi-Fi networks are dangerous: they are ripe for snooping, compromise, and attack. A mobile workforce uses open networks frequently, from working at a local coffee shop to catching up at the airport before a flight, and on each of them the device and its data are at risk. Since much of the workforce will inevitably end up on an open network at some point, enforce the use of a VPN to protect devices and data from attackers. VPNs are not expensive and provide a lot of protection against Wi-Fi sniffing and man-in-the-middle attacks on the local network. Two caveats: the VPN protects traffic only between the device and the VPN gateway, so keep relying on TLS for the applications themselves, and a VPN the user can forget to turn on protects nothing, so where your MDM supports it, push an always-on or on-demand VPN profile rather than leaving it to the user. If you want to go cheap and use a free VPN service, beware: you get what you pay for. VPN services are not cheap to provide, so free services recoup their costs somehow, whether through ads or by selling your information.
3. Patch and Update
According to Skycure, more than 70 percent of mobile devices run security patches that are more than two months old, and 6 percent run patches that are six or more months old. (If you live in Boston, take note: Boston topped a list of tech cities with the largest growth in network incidents, with a more than 960 percent increase.) That is not good. An unpatched device is open to malware and to exploits for publicly known vulnerabilities, so patch and update your devices. If you want to force the issue, quarantine out-of-date devices, denying them access to enterprise resources until they are updated; most MDM tools can do this automatically from the OS version and security patch level the device reports.
4. Whitelist Apps
Downloading unofficial or sideloaded apps is the most common way to get malware, Trojans, or viruses onto mobile devices. Many organizations want to install their own custom apps and, in doing so, force users to enable “Unknown sources” (Android) or jailbreak the device (iOS) to get the app installed. This is not good. By doing this, the mobile device is now vulnerable to all sorts of nasty things: a user can install pretty much anything, and you have just removed a major security feature of the device. Instead, whitelist applications, meaning you select the apps that are allowed to be installed, or at a minimum blacklist known malicious apps. If you have an enterprise app, push it out as a managed app through an MDM solution (see No. 8 below); the MDM installs it through the platform’s enterprise distribution channel, so the device trusts the app and the user never has to weaken the device’s install restrictions.
5. Back up mobile devices
Always back up mobile devices, and back them up frequently. Being mobile puts these devices at a higher risk of being destroyed, lost, or stolen. Backups also give the company and its employees the benefit of limiting the damage of a ransomware attack. And you probably do not want to have the conversation with a user in which you explain that you have to remotely wipe their mobile device and all of their data will be lost because there are no backups.
6. Implement a remote wipe and the “find my device” feature
If for any reason a user’s mobile device is lost or stolen, the ability to remotely wipe and/or locate it can be invaluable. A phone is easily replaced, and if you performed backups as in No. 5, the user can be up and running on a new phone in minutes. Paying $600 for a new iPhone is a whole lot cheaper than dealing with a breach of sensitive information. And if you can remote wipe the phone and lock it so it cannot be reactivated, the shady character who took it now only has a fancy coaster, and you can feel a little better about the situation. One caveat: a remote wipe only takes effect once the device comes back online, so the passcode and encryption (Nos. 1 and 7) are what protect the data in the meantime.
7. Encrypt your devices
Always enable storage encryption on mobile devices. It is quick to implement, and the user will probably never notice it is on. On iOS and recent Android versions, encryption is built in and tied to the passcode, and an MDM can require it; for the laptops in a mobile workforce, use FileVault (macOS), BitLocker (Windows), or a third-party tool such as PGP whole-disk encryption. Encryption ensures that a thief who pulls the storage or boots the device cannot read the data without the password. It does not protect a device that was taken while unlocked, which is why it goes hand in hand with the passcode and a short auto-lock timeout from No. 1.
8. Implement MDM to centrally manage devices
Mobile Device Management (MDM) software lets you enroll, configure, monitor, and, when necessary, lock or wipe mobile devices from one central console. An MDM can make your life a lot easier if your job is to manage and protect mobile devices. MDM solutions are plentiful these days, so you have plenty to choose from; some highly-rated tools are VMware’s AirWatch, Codeproof, Meraki, and MobileIron. When selecting an MDM tool, I recommend documenting a mobile device policy first and then searching for a tool that can enforce the controls you have documented: for example, the eight items above, geofencing, remote lock, etc.
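The following is an added example and is not code from the original post or from any of the MDM products named above. It encodes a documented mobile device policy covering strategies 1, 3, 4, and 7 (passcode length, patch age, app whitelist and sideloading, storage encryption) and evaluates it against device inventory records, returning each device's violations and the allow/quarantine decision an MDM compliance engine would make. The record fields, thresholds, app identifiers, the fixed "today" date, and the three sample devices are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Policy thresholds. Assumed values chosen to match the strategies in the text:
# a six-digit passcode, patches no more than two months old, allowlisted apps.
MIN_PASSCODE_LENGTH = 6
MAX_PATCH_AGE_DAYS = 60
ALLOWED_APPS = {"com.example.mail", "com.example.vpn", "com.example.docs"}
BLOCKED_APPS = {"com.example.fakebank"}   # known-malicious package IDs (hypothetical)


@dataclass(frozen=True)
class Device:
    """One row of a hypothetical MDM inventory export."""
    device_id: str
    passcode_length: int            # 0 means no passcode is set
    security_patch_level: date      # e.g. Android's YYYY-MM-DD security patch level
    encrypted: bool                 # storage encryption reported as enabled
    unknown_sources_enabled: bool   # Android "Unknown sources" sideloading switch
    jailbroken: bool                # jailbroken (iOS) or rooted (Android)
    installed_apps: tuple[str, ...]
    managed_apps: tuple[str, ...] = ()   # pushed by the MDM, therefore trusted


def evaluate(device: Device, today: date) -> list[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    violations: list[str] = []

    # Strategy 1: passcode length
    if device.passcode_length < MIN_PASSCODE_LENGTH:
        violations.append(
            f"passcode length {device.passcode_length} is below minimum {MIN_PASSCODE_LENGTH}"
        )

    # Strategy 3: patch age, measured from the reported security patch level
    age_days = (today - device.security_patch_level).days
    if age_days > MAX_PATCH_AGE_DAYS:
        violations.append(
            f"security patch level is {age_days} days old (max {MAX_PATCH_AGE_DAYS})"
        )

    # Strategy 4: no sideloading, no jailbreak, apps limited to the allowlist.
    # Apps the MDM installed itself are exempt from the allowlist but are still
    # checked against the blocklist.
    if device.unknown_sources_enabled:
        violations.append("Unknown sources (sideloading) is enabled")
    if device.jailbroken:
        violations.append("device is jailbroken/rooted")
    for app in device.installed_apps:
        if app in BLOCKED_APPS:
            violations.append(f"blocked app installed: {app}")
        elif app not in ALLOWED_APPS and app not in device.managed_apps:
            violations.append(f"app not on allowlist: {app}")

    # Strategy 7: storage encryption
    if not device.encrypted:
        violations.append("storage encryption is disabled")

    return violations


def access_decision(violations: list[str]) -> str:
    """Map a violation list to an enforcement action for the VPN/identity layer."""
    return "allow" if not violations else "quarantine"


def compliance_report(devices, today: date) -> dict[str, tuple[str, list[str]]]:
    """Evaluate every device and return {device_id: (decision, violations)}."""
    report = {}
    for device in devices:
        violations = evaluate(device, today)
        report[device.device_id] = (access_decision(violations), violations)
    return report


# Constructed sample data: a fixed "today" keeps the patch-age arithmetic deterministic.
TODAY = date(2018, 3, 1)
SAMPLE_DEVICES = (
    Device("ios-001", 6, date(2018, 2, 5), True, False, False,
           ("com.example.mail", "com.example.vpn")),
    Device("android-002", 4, date(2017, 11, 5), True, True, False,
           ("com.example.mail", "com.shady.cleaner", "com.example.internalcrm"),
           managed_apps=("com.example.internalcrm",)),
    Device("android-003", 6, date(2018, 2, 5), False, False, True,
           ("com.example.mail", "com.example.fakebank")),
)

if __name__ == "__main__":
    for device_id, (decision, problems) in compliance_report(SAMPLE_DEVICES, TODAY).items():
        print(f"{device_id}: {decision}")
        for problem in problems:
            print(f"  - {problem}")
```

The managed_apps exemption is the point of strategy 4: an app the MDM pushed is trusted even though it is not on the general allowlist, while anything the user sideloaded (com.shady.cleaner here) is flagged. Feeding access_decision into the VPN gateway or identity provider's conditional access is what turns the documented policy into the quarantine described under No. 3.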
9. Train your employees
Phishing is a leading way that attackers steal data. You can have all the protections in the world enabled, but if your employees do not understand what phishing is and how to spot it, you are still at risk. Document your mobile device policy and create mobile workforce training that helps employees understand the threats and risks of being mobile and how to mitigate them. Be sure to cover acceptable use, tips for traveling abroad, and how to avoid leaving devices in plain sight.
Why Not Ten?
So, why not ten strategies? Because the tenth item would have been to install anti-virus (AV) or anti-malware software, and most AV and anti-malware for mobile devices lack functionality. They use up resources, add another app with broad permissions that can itself be attacked, can be easily bypassed, and only detect rather than prevent. More fundamentally, mobile operating systems sandbox every app, so a third-party AV app cannot inspect other apps’ files or memory the way desktop AV can; it is largely limited to matching installed package names and hashes against a list, which the app whitelist in No. 4 already covers better.
With the use of mobile devices growing, the number of mobile workers will also continue to grow, making it harder for enterprises to keep their data and assets secure. By following the mobile workforce security safeguards above, the enterprise will be well on its way to mitigating risk and safeguarding against loss, and you and your employees will be able to take advantage of the benefits a mobile workforce can bring.
Mobile security, especially where mobile devices are used to support the business and access sensitive data, is integral to reducing risk and protecting company data. A security risk assessment, which may include mobile devices, is required as part of a SOC 2 examination and is core to FedRAMP and HIPAA assessments as well.
Linford & Company are experts in SOC 2, FedRAMP, and HIPAA assessments and would be happy to answer any questions about mobile security, enterprise security, or our services in general. Learn more about our services like SOC 2, FedRAMP, and HIPAA audits.
Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, GSEC licenses and certifications. Learn more about our company and our leadership team.