Data Security Interventions You Should Adopt for a Mobile Workforce

The RIQ News Desk
The objective should be to balance productivity and security when designing projects for mobile data security.

Workforce norms are changing fast, with a major chunk of the workforce adopting new models of working. Remote working, global travel and flexi-working are common these days, leading to a host of new trends. Bring-your-own-device (BYOD), remote access and document sharing are some areas where organizations must create policies to protect their data. Quite often, data thefts and breaches happen not through external threats, but knowingly or unknowingly through internal employees. How, then, do you ensure that data and documents are secured for access and usage in an increasingly mobile workforce?

The most important agenda is to decide the level of “control” on exhibits. Too many security measures can hamper productivity and disgruntle employees, since they indicate a lack of trust and openness. Not enough measures, and the threat of data theft is high. Technological capability, cultural nuances and IT infrastructure are some of the factors organizations must assess before deciding on the security policy.

Moreover, there is no cookie-cutter approach: you may need to create user-based security levels depending on function, role, flexibility regime and so on. It is critical to understand that each organization will have its own basis for putting together a unique policy for itself. These policies must also work across channels, as work is becoming increasingly multi-channelled, with employees flitting between desktops, laptops, mobiles and tablets.

Designing the security principles for mobile: Security for mobile devices must be based on the principle of “least privilege”, i.e. each employee gets access only to the data that is critical for his or her immediate work. IT personnel, line managers and human resources must think through these access privileges, especially with respect to highly sensitive data and documents, and outline the policy.

Set your application security levels: Most workforces operate on some kind of SaaS application, and how and where these applications are accessed is an important parameter to look into. Data may be accessed one time through remote VPN, or may persist on mobile devices, altering the security level of the data or document. The IT team must thoroughly understand the configuration of such SaaS applications and set privileges accordingly.

Define the critical components: Critical data must be identified and treated as it deserves, with utmost care and confidentiality. Storage and backup mechanisms for such data must be fool-proof. The latest in persistent storage for such data is storing it on the cloud, which brings yet another decision: private, public or hybrid cloud? Access rights must be thoroughly and periodically scrutinized. Moreover, the plan of action in case of a breach must be devised and communicated effectively, for easy recovery.

To BYOD or not?: Should employees be allowed to bring their own devices? Assess the risk level in deviating from a company-owned device policy. A new device in the network has the potential to create havoc by acting as a leak source for data. If you must go the BYOD way, have a preventive plan with remote monitoring and controls. For this, it is important to have a robust Mobile Device Management (MDM) policy in place.

Making Mobile Device Management work for you: Many levels of control are available in modern MDM measures. While superficial controls such as passwords and biometrics may be an option, also explore advanced controls such as encryption and remote wiping, a must-have for critical data and documents. Different devices may also require different levels of MDM.

These are just some of the measures for securing the data on mobile devices. An important role that cannot be ignored is communication and education. While technology may do its part, employees must be trained on data security on a periodic basis. Security protocols, emergency actions, behaviors and how to identify any anomalous device behavior are some of the key points to be covered. As much as the threat can originate from your employees, it can also be highlighted and neutralized by them, provided they are well informed.