The increase in business lounges at airports and executive suites at hotels and convention centers is just one indication of a more mobile corporate leadership and workforce. All of this creates new risks when it comes to IT and information security. Workers of all types are more likely to take calls on the go, use their tablets or notebooks to work on sensitive data on the train or plane, and store documents on personal devices in the age of Bring Your Own Device.
Train workers to be security aware
Securing these endpoints, and training staff not to disclose information inadvertently in public, to colleagues or to partners, is all part of the endless challenge facing IT and human resources in the face of advancing technology.
The first and most sensible approach is training in how to use devices properly in public. Workers may think they’re smart enough, but two lapses come up regularly when workers assume no one cares or is paying attention: sensitive information being photographed by shoulder surfers and going viral, and people casually eavesdropping on financial chats they can use to their advantage.
This education can be done as part of existing legal compliance and safety awareness training, extending how to handle sensitive information to on-the-go scenarios and teaching the basics of secure mobile working. And you can add new methods to existing security advice, essential in a world of information theft, business fraud and espionage:
- Ensuring devices are password protected and locked whenever you put them down, while never leaving them unattended.
- Providing workers with blackout privacy filters for travel and public use to limit who can see the screen.
- Using wiped devices when travelling, only copying company data to them from the cloud when you’ve passed through airport security in countries known to scan devices for business information.
- Keeping paper to a minimum and securing sensitive documents in lockable briefcases at all times.
Use IT solutions to protect mobile workers
Beyond the physical methods that workers can use, the IT department can protect smartphones and devices, and the conversations we have with them, using a range of extra tools. Adding extra layers of security like VPNs and two-factor authentication to devices keeps data safe between the business and device, limiting a hacker’s ability to intercept it.
Even if your workers do find a quiet spot or a private booth to make work phone calls using VoIP networks, those calls are still at risk of being intercepted. Secure voice solutions can be used to keep conversations private, just like your data. The use of TLS (Transport Layer Security) and SRTP (Secure Real-Time Transport Protocol) technology helps encrypt the conversation from end to end. In many verticals, especially financial, government and health, secure voice solutions are being mandated as best practices and will soon be a legislated requirement.
Finally, any business that relies on consumer applications should ensure:
- All privacy options are switched on, for example when using Facebook Messenger
- “https://” is used on all business websites
- Strong password security is required for all business applications from email to data sharing on Google Docs, Dropbox or other services
IT should also have an aggressive lost-device protocol in place, with workers reporting devices lost as soon as possible, so technicians can remotely wipe lost or stolen machines, and limit access to business data from them.
All of this is largely pointless if the business lacks proper data security controls. So, now is probably a good time to audit the business for insecure Amazon AWS buckets, open cloud data storage services and easily-guessed passwords to critical services or documents. Checking the business networks, endpoints and servers using penetration testing services should also be high on the agenda.
Using every solution available will help protect a business from risk, and teach employees the value of data and their part in helping keep it secure. While it’s perfectly acceptable to litter training presentations with James Bond or other spy references, data and information security is a truly serious matter for the company, especially with the risk of heavy fines for GDPR data breaches and other regulations should an insecure device or USB drive be stolen, or used to breach company networks.