The challenges of securing mobile workers and keeping data secure

Get a copy of the upcoming book "Secure Operations Technology"

securing mobile workers

Recently, Apricorn announced new research highlighting that 95 percent of surveyed organisations in the UK recognise problems with mobile and remote working, and nearly one in five (18%) suggest their mobile workers don’t care about security.

In this podcast, Jon Fielding, Managing Director for Apricorn in EMEA, talks about the challenges related to securing mobile workers, and how they can be solved.

Here’s a transcript of the podcast for your convenience.

Hello, my name’s Jon Fielding, I’m the Managing Director for Apricorn in EMEA. We are here to talk today about a survey that we ran over the last few weeks. We surveyed 100 IT business decision makers across a range of industries in companies with thousands users and more, asking questions around about working and GDPR in particular.

We were trying to pick out trends from those surveys that reflect the temperature of those two topics in the markets today. And we found it quite interesting, so I would say the headlines that I’ve found there is a real lack of control of data within organizations, and particularly around the protection of that data.

100 percent of the survey respondents stated that they had at some time, some of their employees were mobile workers. On average, we found 37 percent of the company’s employees were mobile. That’s quite a large proportion of the company. And bear in mind these companies were thousand users and more, so you can do the math. So, within that we found that 95 percent of respondents recognized the real challenge of mobile working – whether it be the technology they need is deployed to support mobile workers, setting in the data that was leading the organization, or even educating the employees.

One startling fact that we got back from the survey was that 18 percent said, nearly one in five of the people we interviewed, said that their mobile workers did not care about security at all. So, when I look at that stat, what I think that really means is that I think we recognize that employees value convenience over security. And so there needs to be a move from organizations best they can, they will deploy security solutions that are automated and seamless and give the users no choice. So, moving on from that is 44 percent of our respondents recognize that mobile working with would create great liability and opportunity for data breach. In fact, one third of our surveyed audience have already suffered from a data breach as a direct result of mobile work. So, they’re quite startling figures as well. And then when we look at the challenge that mobile working brings to compliance for example, to the European Union GDPR that were adopted in May of this year, 30 percent of our respondents were saying that they obviously recognize mobile work was an extra challenge to compliance.

securing mobile workers

Aegis Secure Key 3z

So, one statistic, one trend that we saw in these surveys is there is a definite move now from companies to actually block the use of mobile devices. So in 2017, when we ran a survey, we found around about one third of companies had an information security policy that blocked the use of mobile devices whether they enforced it or not. This year it was over 55 percent. That’s quite a large leap. And I think that’s because what we’re finding now is the rates of evolution of the functionality and the technology that users have access to, whether it be their smartphone or tablet, is outpacing an organization’s ability to deploy technology and support of that.

Because of course if you’re a relatively large company, like the companies that we were talking to, there’s a process you have to go through to be able to deploy and you settle this from a QA and test point of view. So, we were finding that there’s kind of a knee jerk reaction in reality, just a block.

The time our results came out we had a very interesting case study hit our desk, where IBM announced that they’re actually blocking all USB devices across every employee globally. So, when I look at that, I do see that as rather a blunt tool to solve a problem. They cited two concerns on that issue. One, they were worried about loss. Okay, I understand that, and secondarily they were worried about misuse. In both cases the main concern was the reputational and the financial damage either of those could do to the company. Okay. All relatively valid concerns.

If we look at the issue of loss, a mobile device by its very nature, by definition mobile, it can be lost. But if you encrypt that data in hardware on the device, then the liability that you pick up is minimized or there’s is a cost of loss of the device you’ve invested in. But, really the important thing is that data accessible to anybody other than who is authorized to access it?

So, my point would be, instead of just blocking mobile devices, I would suggest that what you need to do is put in an information security policy you enforce with respect to where you identify a corporately mandated software/hardware encrypted USB stick for example, where you can lock down your port so only accept that device, you provide it to only those employees that have a valid business case to be able to use a device like that, and block out everybody else and everything else. In which case you haven’t gone from a blanket ban approach. We have a more pragmatic approach where you’re not restricting the business practice by not allowing people to take the data across a USB port. And I would say the memo that IBM released to announce this actually themselves admitted this was a restricted business practice. So, I think that there is a pragmatic way of doing this, as I say to ensure that you have a policy that enforces only a white list of products that you’ve selected as a company. It’s available to those that have a valid business case to use that.

securing mobile workers

Aegis Padlock DT FIPS – USB 3.0 Desktop Drive

So, as we went through our survey. Yeah, one question that we were really focused on is you know how are people managing the data that they have access to that they collect and they process within their organization, because of course when we look at the European Union General Data Protection Regulation, it’s all about the protection of personally identifiable information. So, we want to see to test the temperature of that. We have some quite worrying figures back from that. So, about 50 percent of respondents admitted that they had no real comfort that they could have control and knowledge of the data that was coming into them, that they were collecting and processing through their systems. Likewise, just under half (so for some 48 percent and for others 49 percent), the respondents were saying that they could not be sure that they had adequate enforcement of encryption of their data at rest, in transit, and in the cloud.

So, when you look at those two stats, you’re basically saying in broad terms. half of the companies don’t have any control of the data and can’t be sure it’s encrypted. Now we look at that in the context of the General Data Protection Regulation, that’s worrying.

So, again you know we go back to the position of ensuring that where you have personally identifiable information – whether it be at rest, whether it be in transit, whether it be in the cloud that is encrypted – that is protected, and then it can only be accessed by those individuals that are authorized to access that device.

So, you know we would say that the first thing that companies need to do now is really look at data mapping the information they bring into their company. Are they collecting just the information they need to run their business. They have some spurious or redundant information they don’t need, they should cull that information, they need to follow its flow through their business systems and their business processes and make sure that only people that should have access to it have access, where it needs to be protected as encrypted, etc. I also think there needs to be an adaptation of any information security policy that exists at the moment that should cover the GDPR. That’s that change that we’ve had come into play recently, and to be sure that if people are marketing out their consumer database they have consent from those consumers who actually receive that information, there’s a very easy way for them to unsubscribe from those emails.

securing mobile workers

Portable HDD line of Aegis Secure Drives

That was really a summary of our survey, statistics and findings that we had within that. I would encourage people to come and have a look our seb site – www.apricorn.com – where they will find the range of products that we have that we think support some of the issues that we talked about today.

We are a secure storage innovator, we provide a broad range of products from two terabytes and two gigabytes to 12 terabytes, from USB to desktop devices that will provide the sort of encryption that we talked about, particularly for mobile working. So, I really hope that you found what I had to say interesting, thank you very much for listening, and again my name is Jon Fielding from Apricorn. Look forward to hearing from you soon.