Analysis: Era of mobility threatens the corporate data of UK businesses.
Tube Strikes. The mere mention of those two words strikes fear, anger, annoyance and frustration into many a London worker. And let’s be honest, Londoners, including me, do not take well to the strikes. Last summer London struggled through two 24-hour tube strikes, plunging the commuter population into abject chaos.
I do not use the word chaos lightly, as I myself witnessed the queues to walk on pavements, Uber price surges adding to the gridlocked roads, and Boris bikes abandoned in bushes. I even saw a three-person argument over the last remaining Boris bike in Blackfriars quickly escalate with the two businessmen and woman having to be calmed and dispersed by City police.
That chaos nearly threatened the UK capital once again, with London Underground staff planning a walkout over the weekend. The RMT union has, thankfully, called off the walkout which was due to commence from 9pm Saturday 6 February for 48 hours.
However, there is talk of a further 24-hour strike from 6.30am on Friday 12 February. This gives Londoners two choices – #1, ready yourself for commuter battle and get into work using any mode of transport possible, be it planes, trains or automobiles; #2, avoid it all and work from home. The second option, I think you’ll agree, is the option which most sensible people would choose – one that leaves you calm, collected and ready for the day’s work ahead.
The second option is all the easier to take as we live in the age of mobility, a time where technology has truly transformed the workplace and enabled employees to work from anywhere and at any time. As Geraldine Osman, VP International Marketing at Nexsan, told CBR, businesses do not need to be disrupted by the planned tube strikes.
"With London set for another tube strike next week, businesses need a way to save their employees the arduous struggle into work, whilst also ensuring a strong level of business continuity.
"The disruption and frustration will be high, but in an age of mobility, it seems surprising and unnecessary that businesses should suffer significant financial losses. Whilst workers such as teachers, nurses and the retailers need to be on premise, there are many office workers, who could work from home."
However, working from home has a dark side. A dark side which is enabled through unsecured personal devices and unprotected networks, which leave corporate data open to malicious attacks and threaten the business.
Working from home means that the employee is accessing corporate data outside of the company’s network perimeter, with many unsecured devices like laptops and phones not just accessing, but storing data. One of the ways data can be put at risk is through malware, as Check Point’s director of UK & Ireland, Simon Moor, told CBR:
"When working remotely, employees are outside of the corporate security umbrella. They may be working on an unsecured laptop that hasn’t been issued by their employer, or using a public WiFi network, or cloud services that they may not be able to access when in the office.
"So there’s a much greater risk of getting infected by malware and other threats such as drive-by downloads from websites. Those infections can then be introduced into the corporate network as the organisation’s main defences may not detect them."
There is also the issue that working from home isn’t really just working from home; devices have enabled employees to work literally anywhere, offering up corporate data to a host of other threats. Chris McKie, vice president EMEA at NetMotion Wireless, told CBR:
"Increasingly, however, ‘working from home’ means working anywhere but home – in cafes, libraries or public parks. Public WiFi connections are typically open networks that do not require authentication. They are vulnerable to ‘evil twin’ WiFi attacks, in which hackers set up a fake network to mirror the real one.
"When users unwittingly connect to the fake, the hacker can steal account names and passwords, redirect victims to malware sites, or intercept files. A breach of this sort can cause significant damage to company reputations: the worst-case-scenario is a single employee device compromising the entire network."
When out and about there is also the risk of losing data – we have all heard the media reports of laptops, phones and USBs being lost on trains (not going to happen on Monday) and when employees are off site. This loss of data, however, is not the fault of technology, but of the employee – a key link in the chain which firms must not overlook.
Speaking to CBR, Jon Moger, Senior Director at HPE Aruba, drew upon the company’s own research to illustrate the threat of underestimating employees: "Our own research shows that the current mobile workforce, #GenMobile is engaging in risky behaviours. Those behaviours include over sharing (6 out of 10 regularly share their work and personal devices with others) and doing things their own way (50%+ disobey their bosses).
"Misusing mobile devices is also a key finding: 31% have lost corporate data via mobile device misuse. While other research findings suggest much of this may go unnoticed by the business, it’s only a matter of time before it doesn’t."
Although the threat of employees working from home is very real, mitigating the risks associated with home working should be easier as BYOD takes hold in the enterprise. Businesses must accept, in this age of mobility, that perimeter defences are no longer enough and further measures must be taken in order to secure both the corporate network and data.
First of all, businesses need to identify what data is their most valuable; the next step is to lock it down. Ways to lock down data include encryption and VPNs. As Stephan Love, Security Practice Lead EMEA at Insight UK, told CBR: "One of the most effective methods is encryption.
"Every organisation should be able to admit: ‘Yes, our network was hacked and data was stolen. However, your customer information is secure. It has made no difference to the business – reputational or financial – as we have protected ourselves so the data, if it fell into the wrong hands, is useless.’"
However, encryption is not the be-all and end-all when it comes to security, as Norman Shaw, CEO and Founder of ExactTrak, told CBR: "Companies need more than encryption which is difficult to prove after the fact. They need to consider geo-location tracking, technology that provides a verifiable audit trail, and the ability to destroy data remotely if it’s lost irrevocably."
Businesses should also ensure that any corporately owned device has multi-factor authentication, but, as Chris McKie of NetMotion Wireless told CBR, just securing the device is not nearly enough where security is concerned.
"The best way to address these risks is to ensure the security and connectivity of each individual application, not just the device as a whole. Per-application management gives enterprises the flexibility and control to manage specific data, rather than relying on the security of the end-point device and its user."
Secure private cloud technology should also be deployed, allowing collaboration between colleagues to flow even when they are not on-premise together. For an all-in-one solution, Cath Hackett of Becrypt advocates the use of VDI, telling CBR:
"A far more cost efficient way to ensure data and the corporate network is protected is to utilise a virtual desktop infrastructure (VDI). There are now devices available that can be plugged into a home PC, or even a TV so long as it has a keyboard and is connected to the internet that provides a highly secure virtual desktop.
"All data is encrypted, there is a locked down connection to the applications that the staff member needs to do their job. It is all presented in a web browser so there are no training overheads, and no possibility that data can be lost, shared with third parties without the appropriate permissions, and no infection from malware."
However, even with encryption, VPNs, VDIs and private cloud, businesses must also communicate with and educate the employee – because, as we know, the employee and human error continue to be the weak link in security. Intel Security EMEA CTO Raj Samani said:
"With many employees planning to work from home to avoid travel chaos, it’s crucial that enterprises educate staff on policies for using their devices remotely, outlining which applications and websites are permitted as well as providing advice on where not to access corporate data. By investing this time now, companies can avoid suffering any more disruption than necessary during the tube strike."
Businesses need to have a strong policy in place, incorporating both technology and education to mitigate the risks associated with working from home. Most importantly, when working out strategy and policy regarding working from home, businesses need to understand what is needed, the desired outcomes and the obstacles with which both employee and employer will be faced. Chris Boyd, malware intelligence analyst at Malwarebytes, told CBR: "A solid policy on which apps and programs are permitted will help, but given the number of departments remote workers can be assigned to this can always be a lengthy task.
"Having a clear idea of what security tools will be onboard, how they will update, and how the data on the device will be encrypted are all essential to ensuring remote workers have clean and secure devices to work on, along with being able to mitigate the risk of a lost or stolen laptop."
To be honest, businesses should already have measures on board due to BYOD, and tube strike or no tube strike, security measures and best practices should be in place for employees working from home. As Paul Ducklin, Senior Technologist at Sophos, told CBR, even if you haven’t embraced flexible working, your employees probably have:
"Even if you don’t already have an official ‘work from home’ IT plan in place, your staff have probably been doing it for years anyway – doing work stuff at home and doing home stuff at work. Unless there are obvious regulatory reasons why you can’t allow home and work to mix, you’re better off not fighting it, but rather trying to keep it under control, and even turning it into a benefit."
On the one hand, if your employees are braving the commute on Monday, they might be a little late and frustrated, but the corporate data and network will be safer under the corporate umbrella. However, this kind of thinking can be turned on its head – flexible working and working from home can be safe and productive if the right security measures and policies are in place.
As Nexsan’s Geraldine Osman said: "The actions of the tube strikers are beyond our control, but modern technology can ensure businesses stay productive and minimise the cost impact."
If you do have employees working from home, tube strike or no tube strike, they can follow these best tips from Brian Kinch, FICO’s Fraud Specialist, to stay safe and productive while off-site.
– Make sure you have automatic software and antivirus updates enabled and maintain your firewalls.
– Make sure that you’re clear about your company’s data-protection policies and what you are and aren’t allowed to store on your machine – don’t save anything remotely if your computer could be infected with a virus.
– Keep sensitive data safe – for example, don’t use your computer to check personal emails or surf the web while you’re working, and make sure you don’t save important documents on any personal cloud sites.
– Regularly check what information is stored on your server, and especially ensure confidential or monetary data is protected.
– Make sure you know who to call from your company if something bad happens. Have an offsite backup to recover from, and if you’re suspicious about something on your PC then disconnect it from the Internet and work offline.