Last month, Parliament Street revealed that within the last year, commuters lost over 26,000 electronic devices on London’s Transport for London (TfL) network. Working on the go has become commonplace for many employees, but the security risks of mobile working are often overlooked. Below, Jan van Vliet, VP and GM EMEA at Digital Guardian, discusses the risks hidden in your mobile workforce.
The devices employees use for mobile working – such as laptops, mobile phones and iPads – often carry sensitive company data: confidential emails, classified documents or personal (even financial) information. When these devices are lost, the risk of unauthorised access and a consequent data breach or leak increases.
Under the General Data Protection Regulation (GDPR), loss of a corporate mobile device containing personal data constitutes a breach, with fines up to €20 million or 4% of total annual worldwide turnover. It’s clear that the repercussions of an employee losing a company laptop or phone have never been higher.
Unfortunately, it is impossible to stop employees losing mobile devices altogether. In order to minimise the risk of data loss or a fine, it may seem tempting to limit mobile working, but this could have a negative impact on both productivity and employee satisfaction – flexible working is an expectation for most employees these days, as 9 to 5 working life becomes less common. It is, therefore, very important that organisations put in place policies and security measures for mobile and remote workers so that the risk of data loss is reduced.
1. Craft a mobile working policy
Employees must be clearly briefed on their organisation’s procedures and best practices regarding remote and mobile working. The policy should cover several bases, including:
- Applications and assets that employees are permitted to access from mobile devices
- Minimum required security controls for devices
- Company-provided components, such as SSL certificates for device authentication
- Company rights for altering the device, such as remote wiping for lost or stolen devices. This includes company liability for an employee’s personal data, should a device have to be wiped as a security precaution, as well as employee liability for the leakage of sensitive company data brought about by employee negligence or misuse
- Responsibility for regularly backing up company data and storing it appropriately
Because BYOD usage takes data outside of the control of many other enterprise security measures, it is important that organisations encrypt sensitive data at rest and in transit. The purpose of data encryption is to protect the confidentiality of digital data as it is stored on computer systems and transmitted over the internet or other computer networks. Data protection solutions can provide encryption of devices, email, and the data itself. In many cases, these encryption functions are paired with control capabilities for devices, email, and data. Secure, encrypted email is the only answer for regulatory compliance, a remote workforce, BYOD, and project outsourcing. Premier data loss prevention solutions allow your employees to continue to work and collaborate through email while the software and tools proactively tag, classify, and encrypt sensitive data in emails and attachments.
3. DLP (Data Loss Prevention)
Remote and mobile working has rendered the traditional network perimeter almost obsolete. It is no longer feasible to put a wall around your organisation’s IT and assume that your data will be secure. Organisations must shift their focus away from securing the perimeter to securing data, regardless of where it resides. DLP is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorised users. DLP software classifies regulated, confidential and business critical data and identifies violations of policies defined by organisations or within a predefined policy pack, typically driven by regulatory compliance such as GDPR. Once those violations are identified, DLP enforces remediation with alerts, encryption (as mentioned above), and other protective actions to prevent end-users from accidentally or maliciously sharing data that could put the organisation at risk. DLP tools also monitor and control endpoint activities, filter data streams on corporate networks, and monitor data in the cloud to protect data at rest, in motion, and in use. These solutions shed light on how employees are trying to move data around in ways that are violating security or privacy policies, and stop it from happening. This can prevent mobile workers from obtaining data that is deemed too sensitive.
Regular training sessions can help employees to understand the risks and potential consequences of losing a mobile device, empowering them to be more cautious. Within these training sessions, it is also important to highlight the importance of timely reporting of lost or stolen devices.
Overall, mobile working is an important part of today’s enterprise culture. While organisations cannot stop employees from losing devices, they can certainly reduce the likelihood that a data breach or compliance failure follows. Through employee training, defined policies and a focus on data-centric security technologies that help protect data at the source, organisations can significantly reduce the risk associated with lost devices.