Back to Cybersecurity Basics – Part 1: Mobile and Home Working
‘Complexity is the enemy of IT Security’ is a phrase we hear time and again in this industry, and rightly so. With each new way a hacker tries to target an organisation, there seems to be a new product that springs up to protect the network.
Now whilst these are very much required, we sometimes tend to complicate things.
Over the next few days, we’ll be looking at 10 areas of cybersecurity and providing our readers with some ideas on how to succeed.
Mobile and Home Working
We’ll start by looking at Mobile and Home Working…
As I sit here writing this, I’m sat at home and sadly won’t be going anywhere soon due to some of the worst snowfall we’ve had in a long time. Luckily, not only for me but also for ITB, we have a well-versed Mobile and Home Working policy.
Today is a perfect example of why, if you haven’t already, you should develop a mobile working policy and train staff to adhere to it. If we didn’t have one in place, we would be losing a number of days’ work.
Whilst allowing your employees to work remotely is great for productivity, it also comes with additional risks, such as the loss or theft of the device or credentials, infections from rogue networks and being overlooked (somebody looking over your shoulder). These are all manageable if the following steps are taken:
- Assess the risks and develop your policy based on these
Your policy should consider the possible reasons users are authorised to work offsite, device provisioning and how they will receive support should they need it. You then need to think about what information they need access to and what they are permitted to store on the devices.
Once this is outlined you can then turn your attention to securing the devices. What are the minimum security controls you need to put in place? Anti-Malware, 2-Factor Authentication and Encryption should be a minimum requirement for each device.
- User Awareness
It’s important for all users to be made aware of their responsibilities when working from home/remotely and they should have a clear set of procedures to follow. These should include how they store and manage their credentials, what they need to do in the event of an incident and the threats from being overlooked.
- Apply a secure baseline build
For each staff member permitted to work remotely, apply a baseline build to their device. Ensure at this stage that all relevant security controls are in place and working.
- Protect data at rest and in motion
Ensure that only the information that is absolutely necessary is kept on the device when working remotely. If a connection is needed back to the corporate network, ensure that the data sent over it is encrypted.
- Update corporate incident response plan
Despite your best intentions, security incidents will occur. Be sure to update your corporate incident response plan to include technical procedures to remotely access and disable a device should an incident occur.
Join us for part 2 when we look at Security Awareness.