Today’s workforce has undergone a significant transformation. As organizations adopt more flexible work policies to accommodate shifting demographics, we are not far away from a workplace in which the majority of employees are considered “contingent.” According to a recent Intuit report, 40% of the workforce will be “contingent”—self-employed, contractors and temps — by 2020.
More importantly, however, the mobile workforce of today probably includes your typical employee. In fact, over half of the U.S. population can be considered remote workers. This number is only expected to increase each year.
Mobile Users Are Everywhere
For most organizations, the definition of a mobile user has expanded dramatically and can include almost anybody in the company. If you work from home only one day per month, or even if you simply have a laptop, guess what? You’re a mobile user. If you’re on vacation and bringing a company device along, you’re a mobile user. Think about your organization and try to find an employee who doesn’t meet this current definition. Unless you’re a financial institution that doesn’t allow employees to have a laptop, almost all of your employees can probably be considered mobile users.
With the rise in both BYOD-friendly mobile policies and a contingent workforce, there’s a significant strain on data security. For most companies, mobile users present the most significant risk.
Generally speaking, most data breaches can be tied to people, especially those with the least amount of training and oversight.
It’s Only Overwhelming If Not Managed
Not only that, but we add so many security controls in our organizations that it’s easy to get sloppy. It seems like year after year, there’s more for IT departments to manage, and it can be overwhelming. You need to put practices in place to filter out the exceptions and determine what’s bubbling up to the top, particularly with remote workers.
Before we address how mobile workforce risk can be mitigated, there’s one risk that is often overlooked, and it pertains not only to the mobile workforce but also to in-office employees. It concerns employee terminations, whether employees give notice on their own or are terminated.
Your staff may have access to one or more mobile devices, and as soon as the employee is terminated, you should consider freezing the device so it can’t be used before it’s returned. Even if it gets lost in the mail or the employee refuses to return it for some reason, the device would be unusable and any data on it would be protected.
When it comes to working with mobile users, freelancers, contractors or business partners of any kind, organizations should:
- Assess risk: Conduct, and respond to, regular risk assessments that look at both how data is stored and how it is accessed.
- Harden access: Ensure access to internal systems requires strong authentication and apply strict limits on information available to the outsider. Experts recommend two-factor authentication techniques, such as a combination of a token and a password, for external access.
- Isolate access: Cordon off externally-accessed systems and networks from the rest of the internal network using internal firewalls (similar to a network DMZ used to isolate sacrificial servers). Log and review traffic that traverses the internal firewalls to the externally-accessed systems.
- Log and audit: Maintain and review logs of external access. Unexpected access may turn out to be a false alarm, but check and verify.
- Regularly review: Business partners, freelancers and contractors come and go, and their IT needs may change over time. Restrict or revoke access as necessary.
- Use Mobile Device Management (MDM) software whenever possible to manage endpoints.
- Test security patches as extensively as possible without disrupting corporate workflow. When Patch Tuesday comes, you should test for a week, and once you’re comfortable in a testing environment you can push the patches to the rest of the organization.
- Remind your employees not to leave laptops in their car or unattended.
- Lock your screen even at home, as your kids or a visitor can get access.
- Use a secured VPN connection to your network whenever possible.
- Embrace cybersecurity training! A cybersecurity-aware staff may be the best defense against potential attacks and threats. Have fun with this, and include a corporate rule that anyone leaving their screen unattended has to buy donuts for the team.
- Don’t bring corporate devices to unfriendly foreign countries.
Ultimately, every organization must be prepared for a breach with a data breach response plan and a trained team to handle the incident. This can help both mitigate the breach and its fallout.