Mobile working offers great business benefit but exposes the organisation to risks that will be challenging to manage. Mobile working extends the corporate security boundary to the user’s location. It is advisable for organisations to establish risk-based policies and procedures that cover all types of mobile devices and flexible working if they are to effectively manage the risks. Organisations should also plan for an increase in the number of security incidents and have a strategy in place to manage the loss or compromise of personal and commercially sensitive information and any legal, regulatory or reputational impact that may result.
2. What is the risk?
Mobile working entails the transit and storage of information assets outside the secure corporate infrastructure, probably across the Internet to devices that may have limited security features. Mobile devices are used in public spaces where there is the risk of oversight and they are also highly vulnerable to theft and loss.
If the organisation does not follow good practice security principles and security policies, the following risks could be realised:
Loss or theft of the device
Mobile devices are highly vulnerable to being lost or stolen because they are attractive and valuable devices. They are often used in open view in locations that cannot offer the same level of physical security as the organisation’s own premises.
Some users will have to work in public open spaces where they are vulnerable to being observed when working on their mobile device, potentially compromising personal or sensitive commercial information or their user credentials.
Loss of credentials
If user credentials (such as username, password or token) are stored on a device used for remote working and that device is lost or stolen, the attacker could potentially compromise the confidentiality, integrity and availability of the organisation’s Information and Communications Technologies (ICT).
An attacker may attempt to subvert the security controls on the device through the insertion of malicious software or hardware if the device is left unattended. This may allow them to monitor all user activity on the mobile device, which could result in the compromise of the confidentiality or integrity of the information.
Compromise of the secure configuration
Without correct training a user may accidentally or intentionally remove or reconfigure a security enforcing control on the mobile device and compromise the secure configuration. This could expose the device to a range of logical attacks that could result in the compromise or loss of any personal or sensitive commercial information the device is storing.
3. How can the risk be managed?
3.1 Assess the risks and create a mobile working security policy
Assess the risks to all types of mobile working (including remote working where the device connects to the corporate network infrastructure). The resulting mobile security policy should determine aspects such as the processes for authorising users to work offsite, device acquisition and support, the type of information that can be stored on devices and the minimum procedural security controls. The risks to the corporate network from mobile devices should be assessed and consideration given to an increased level of monitoring on all remote connections and the corporate systems being accessed.
3.2 Educate users and maintain their awareness
Without exception, all users should be trained on the secure use of their mobile device for the locations they will be working in. Users should be capable of operating the device securely by following their user-specific security procedures at all times, which should as a minimum include direction on:
- secure storage and management of their user credentials
- incident reporting
- environmental awareness (the risks from being overlooked, etc.)
3.3 Apply the secure baseline build
All ICT systems should be configured to the secure baseline build including all types of mobile device used by the organisation. Consider integrating the security controls provided in the End User Device guidance into the baseline build for mobile devices.
3.4 Protect data at rest
Minimise the amount of information stored on a mobile device to only that which is needed to fulfil the business activity that is being delivered when working outside the normal office environment. If the device supports it, encrypt the data at rest.
3.5 Protect data in transit
If the user is working remotely the connection back to the corporate network will probably use an untrusted public network such as the Internet. The device and the information exchange should be protected by an appropriately configured Virtual Private Network (VPN).
3.6 Review the corporate incident management plans
Mobile working attracts significant risks and security incidents will occur even when users follow the security procedures (such as a forced attack where the user is physically attacked to gain control of the device). The corporate incident management plans should be sufficiently flexible to deal with the range of security incidents that could occur, including the loss or compromise of a device in international locations. Ideally, technical processes should be in place to remotely disable a device that has been lost or at least deny it access to the corporate network.