How to secure your agile workforce
The security risks from mobile working are very real, but implementing the right strategy can give great benefits from your agile employees
Virtually all companies now have to contend with an increasingly agile workforce. According to a recent survey by Cisco, 23% of knowledge workers currently have the freedom to choose where they work, but another 44% expect to have that choice within the next three years. The advent of notebooks, tablets and powerful smartphones has meant that it's increasingly easy to work from home, in transit, and from a hotel room or coffee shop.
But the rise in mobile working has brought with it an increase in risks as well. In the days when all the company's computers were physically inside the corporate premises and not internet-connected, your biggest problems were from infected removable storage such a floppy disks and rogue employees. Even when internet connectivity was widely added to business networks in the late 1990s, strict control over what was installed on employees' PCs, anti-virus software and a good firewall would cover most issues.
Now, however, your employees could be at their desks with a company notebook or hybrid tablet that they also use at home and in public places. Their smartphones could well be connected to the corporate Wi-Fi when the employee is in the office. They could also be bringing their own notebooks and tablets to work, also known as BYOD (Bring Your Own Device). All of these provide new ways that the security of your company network and data could be compromised, so protecting against the potential threats requires a range of strategies.
The first step is to instil the importance of security amongst your employees. You can have the most potent and capable security software suites and hardware implementations, but if someone leaves their password on a Post-It note attached to their computer, gaining access isn't going to be that hard. If your employees use any of their devices in public places either those supplied by your company or their own then they need to be aware how easy it will also be for someone to look over their shoulder to see what security details they are using to log into their computer and online systems.
Some notebooks are available with screens that offer privacy settings that greatly reduce the angle of view, but your employees still need to get into the habit of enabling this feature. Regularly raising cybersecurity awareness and providing staff training is essential, because human beings are always likely to be the weakest link in the security chain. This should include emphasis on keeping operating systems and software up to date with the latest patches. Although you can use remote management systems to enforce this on systems owned and supplied by the company, this won't be the case with BYOD. Also, for the smaller end of the SMB spectrum, centralised management systems with remote update capability may well be too expensive to implement for just a few devices.
Instead, it's important that you continually advise staff to remain updated, perhaps notifying them via a company newsletter when new patches become available. Keeping track of what devices are in use, so you can assess the risks posed, is an integral part of this strategy. Nobody likes the interruptions to work caused by installing updates, so suggest ways these can be kept to a minimum, such as accepting the options offered to install these when computers are turned off at the end of the working day. It's important that smartphones be included in this regime, too.
The key reason for keeping your patching up to date, as well as running both antivirus and anti-malware apps, is to protect against malicious software. Ransomware has particularly been on the rise over the last five years, with the WannaCry outbreak that hit the UK NHS so badly in 2017 just the most publicised example. Exact figures vary wildly, because until GDPR came into force, many companies hid breaches to avoid the bad publicity and potential legal consequences. Research from Cisco claims that businesses are seeing a shift away from ransomware to cryptojacking, with malicious cryptominers increasing by 1,000% in 2017. But ransomware has also become more sophisticated, with more variants of a smaller number of family types. This has made detection and blocking prior to execution increasingly hard. According to the Cisco 2018 Annual Cybersecurity Report, 46% of companies admitted that they suffered a cyber-attack in the past year, while 48% said that the attacks resulted in damage worth over $500,000. Meanwhile, 40% of companies admitted that they felt overwhelmed by security demands and struggled to remain proactive when it came to threat detection due to a lack of in house skills.
Cisco has some great tips on its SMB blog about how to protect your business from ransomware. Aside from preventative training, Cisco urges that employees be encouraged to report incidents and told how to do so, so they avoid the urge to hide things for fear of reprisal. Another important piece of advice is not to throw away any paper that might have information on it that could lead to a compromise without shredding it first. Cyberthieves do look through the rubbish bins of a target organisation as part of their research to tailor their phishing attacks.
Cisco also suggests that you keep your network segmented. Create a guest Wi-Fi login (most routers offer this) for BYOD systems to use, which you can change regularly. Implementing 802.1x for corporate devices can help you give these more privileges than BYOD ones. But also be strict about how you allow privileges to your users on the network. If a user only has access to their own machines and the shared storage or printers that are used in their work, you can limit the damage from a breach of their security.
It's also advisable that remote workers only be allowed to connect to the internal network via a VPN. Even SMBs can implement this technology, since most SMB-focused broadband routers have built-in support for acting as a server for OpenVPN, PPTP or IPsec VPN connections. This is particularly important for the most agile employees who regularly work via public Wi-Fi connections in hotels or coffee shops. These kinds of WLAN can fall prey to "man in the middle" attacks where a fake access point is set up using a clone of the SSID of the public Wi-Fi. If your employee is using a VPN, they will still be secure if they accidentally connect to this, because traffic to and from the company network will remain encrypted. Another thing to bear in mind is to avoid public Wi-Fi networks that don't ask for a password.
There are many new hazards from an increasingly agile workforce. But there are also huge potential productivity benefits from allowing your staff to have the freedom to work where they want, when they want, without being tied permanently to a location or set working hours. Those who are rarely in the office won't need a permanent desk, either, so you can reduce premises size and associated expenses. Agile staff generally claim to be happier too. With the right strategy for the security of your agile workforce, you can have these benefits without losing out from the risks.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Dr James Morris has worked as a technology journalist for over 25 years, including spending nine years on the staff of market-leading computer magazine PC Pro, the last five of which were as the publication’s editor. He specialises in enterprise-grade software and hardware, with a particular focus on content creation. He launched a pioneering video channel for HEXUS.net in 2006 and ran the video reviews channel for TrustedReviews.com for four years. He also runs a successful online digital content and commercial video production company, t-zero communications Ltd.
Dr Morris is a prolific technology writer and contributes commercial content for major IT brands including AMD, BlackBerry, Dell, Cognizant, HP, and IBM. He published a book on artificial intelligence, Can Computers Create Art? in 2009. He is also an academic, and is currently Pathway Director of the MA, Interactive Journalism at City, University of London.
Previously, he was course leader for the BA in Web Media Production at Ravensbourne University. He has a PhD in Philosophy, Art and Social Thought from the European Graduate School in Switzerland, a Master's in Media Arts from the New School in New York, USA, and a Bachelor's in Social Anthropology from the London School of Economics.
Dr. Morris can be found on Twitter at @Cyberwest, or emailed at j@tzero.co.uk