The world has gone hyper-mobile. Your employees can – and do – work from anywhere, at any time. And this is how it should be. Businesses today need workers to be available, agile and flexible – all of which is offered by mobility. To enhance efficiency, achieve business goals more quickly and remain competitive, businesses are allowing increased access by authorized users to corporate applications, data and other resources – no matter where they’re located.
This is not a new concept. Mobility challenges in the business world have been around for a while. Employees have been demanding remote access and telecommuting support for decades. So what’s different? The increased rate of change and innovation in mobility solutions, especially in the consumer world. With or without permission, employees are incorporating new consumer mobile tools, software, apps and gadgets into their lives – and want to use them at work. As a result, businesses are challenged to keep up with the accompanying security challenges.
Best Practices in the Age of Mobility
Although a mobile network environment presents potential vulnerabilities, there are steps you can take, and you should start practicing them today.
Use an encrypted email program. All of the employees in your organization check emails when they’re away from the office, whether on a phone, tablet, laptop or watch. You get some protections depending on the type of email protocols and ports that you use. For example, when you use POP3 to connect to your email account, you need to change from the default Port 110 to Port 995 to ensure encryption. Likewise, if you use the Internet Message Access Protocol (IMAP), you want to use Port 993 rather than default Port 143 for your emails to be encrypted. For Simple Mail Transfer Protocol (SMTP), you want Port 587, not Port 25.
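The port guidance above hides a distinction that matters when you audit client settings: ports 995 and 993 encrypt from the first byte (implicit TLS), whereas port 587 starts in clear text and upgrades via STARTTLS, which only helps if the client refuses to fall back to plaintext. The following audit function is an added example, not code from the original article; the account settings it checks are constructed, and the `require_tls` field is an assumed stand-in for whatever "always use TLS" option a given mail client exposes.

```python
from dataclasses import dataclass

# Expected port per encryption mode for the three protocols the article covers.
# "implicit" = TLS from the first byte; "starttls" = plaintext greeting, then upgrade.
IMPLICIT_TLS_PORTS = {"POP3": 995, "IMAP": 993, "SMTP": 465}
STARTTLS_PORTS = {"POP3": 110, "IMAP": 143, "SMTP": 587}


@dataclass
class MailAccount:
    name: str
    protocol: str           # POP3 / IMAP / SMTP
    port: int
    encryption: str         # implicit / starttls / none
    require_tls: bool = True  # False: client may silently fall back to plaintext (assumed setting)


def audit_account(acct: MailAccount) -> list:
    """Return findings for one account; an empty list means encryption is enforced."""
    proto = acct.protocol.upper()
    if proto not in IMPLICIT_TLS_PORTS:
        return [f"unknown protocol {acct.protocol}"]
    implicit, starttls = IMPLICIT_TLS_PORTS[proto], STARTTLS_PORTS[proto]
    findings = []
    if acct.encryption == "none":
        findings.append("no encryption: credentials and mail are sent in clear text")
    elif acct.encryption == "implicit" and acct.port != implicit:
        findings.append(f"implicit TLS for {proto} is served on port {implicit}, not {acct.port}")
    elif acct.encryption == "starttls":
        if acct.port == implicit:
            findings.append(f"port {implicit} expects TLS immediately; STARTTLS will not negotiate")
        elif acct.port != starttls:
            findings.append(f"STARTTLS for {proto} is normally offered on port {starttls}")
        if not acct.require_tls:
            findings.append("STARTTLS is opportunistic; without a require-TLS setting an on-path "
                            "attacker can strip the upgrade and the client proceeds unencrypted")
    if proto == "SMTP" and acct.port == 25:
        findings.append("port 25 is server-to-server relay; clients should submit on port 587")
    return findings


def audit_all(accounts: list) -> dict:
    """Map account name -> findings, keeping only accounts with at least one finding."""
    return {a.name: f for a in accounts if (f := audit_account(a))}
```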
You may however want to use a third-party encryption tool for particularly sensitive data. You may have avoided email encryption in the past because users rebelled against the difficulty of encrypting and then decrypting emails using existing tools – which were, admittedly, clumsy and cumbersome. But state-of-the-art email encryption software products make these processes much easier. In fact, with many of these newer tools, encryption can be done outside of the users’ awareness.
In particular, “gateway” encryption tools allow you to set policy-based encryption, which means that the enterprise establishes policies on which emails are automatically encrypted – emails containing customer financial data, for example, or personally identifiable information or any information sent to or from HR accounts. In this day and age where much of business is conducted via email versus over the phone, encrypting sensitive messages is increasingly essential for safeguarding enterprises.
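A gateway policy like the one described, reduced to its decision logic: the message is encrypted when it involves an HR account, contains something shaped like a Social Security number, or contains a card number that passes the Luhn check (so that arbitrary 16-digit strings such as order numbers do not trigger it). This is an added example, not code from the article or from any gateway product; the HR mailbox names and sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Constructed policy data: mailboxes whose mail is always encrypted (assumed names).
HR_ACCOUNTS = {"hr@example.com", "payroll@example.com"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional separators


def luhn_ok(number: str) -> bool:
    """Luhn checksum; used to separate real card numbers from other digit runs."""
    digits = [int(c) for c in re.sub(r"[ -]", "", number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


def encryption_reasons(msg: Message) -> list:
    """Return the policy rules that fire for this message (empty: send as-is)."""
    reasons = []
    parties = {msg.sender.lower(), *(r.lower() for r in msg.recipients)}
    if parties & HR_ACCOUNTS:
        reasons.append("hr-account")
    text = f"{msg.subject}\n{msg.body}"
    if SSN_RE.search(text):
        reasons.append("pii-ssn")
    if any(luhn_ok(m) for m in CARD_RE.findall(text)):
        reasons.append("financial-card-number")
    return reasons


def must_encrypt(msg: Message) -> bool:
    """Gateway decision: encrypt whenever at least one policy rule fires."""
    return bool(encryption_reasons(msg))
```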
Require multi-factor authentication (MFA) upon network sign-in. MFA is a security methodology that requires users to present multiple forms of identification to confirm that they really are who they say they are. After all, when it comes to signing in to the corporate network, a username and password no longer suffice. They’re too easily guessed, lost or stolen, giving bad actors free rein over whatever digital systems and data the user is authorized to access. The most common form of MFA is two-factor authentication, or 2FA. This adds one additional layer to the usual username/password scenario. For example, some enterprises will set up 2FA systems that require users to enter PINs that are texted to their smartphones upon signing in to the corporate network. Biometric measures, such as fingerprint or facial recognition, are also becoming increasingly popular.
If you haven’t yet implemented MFA tools, you will find that they’re quite complex, requiring input from multiple IT specialists – mobile, infrastructure and app development professionals, among others – to get up and running. Because these tools increasingly provide software agents for protecting VPNs, SharePoint and database servers, they require a lot of integration. The general move of enterprises to the cloud also affects which MFA options you have to choose from, and cloud-based MFA is easier to both support and manage. Small wonder that most enterprises are going that route, especially with today’s mobile workforce.
Switch to a business-class cloud storage and file-sharing service. Whether you like it or not, there is a good chance that your employees are already using a free consumer-grade file-sharing service. Instead, find one that is business class, that not only requires role-based access controls but also encrypts all data, so you’re protected from ransomware threats while the data remains easily accessible to your mobile workers.
Enforce use of VPNs. Although many employees don’t like using VPNs, and complain that they are cumbersome and slow down performance, they are vital for securing remote connections to the corporate network. However, not all VPNs work well on smartphones or tablets. The ones that haven’t been designed for mobile run into issues like gaps in coverage, problems when roaming and excessive use of bandwidth or battery life. You thus have to choose your VPN provider carefully. For example, if your users frequently move from Wi-Fi to 4G, or from one 4G network to another, they often lose their VPN connections – and VPNs not specifically designed for mobile can get into endless loops as they try, and fail, to reestablish the connection. When this happens, users have no choice but to shut down their devices and start over. This is obviously not a viable way for an enterprise to manage its mobile users. Additionally, check with the VPN vendor to make sure the product supports 128-bit encryption (at a minimum) and offers anonymous DNS services. You also want one that doesn’t log connections, for the sake of user privacy. The bottom line: You need a VPN – but do rigorous field tests before requiring your mobile users to deploy one.
Although most email services provide some form of a virtual private connection – for example, Outlook Web Access (OWA) provides secure access for local users to MS Outlook accounts – typically a VPN will use dedicated connections and encryption to provide users access to an entire network. This approach lowers the effectiveness of perimeter security, and could lead to breaches.
However, cloud security is rapidly replacing the need for VPN services. Typically, by separating data access from network access, cloud-based security gives users access to the private applications and services they need to use, but not the network as a whole. This secures the resources themselves, and it also allows the organization to move those applications or services to a different data center or network, with no effect on the user.
Deploy automatic updates. Even if the user is connected via a VPN, malware can sneak into the corporate network if the user’s device isn’t properly configured, patched and secured. Remove the burden of updating mobile devices and software from mobile workers’ shoulders by activating automatic updates (especially for security software). This practice will lead to happier employees and a more secure network. Of course, there are occasions when an update to a major program – say, an upgrade to a smartphone OS – can cause problems. You read about these in the computer trade press from time to time. So yes, sometimes you may want to block automatic updates until the vendor has worked out the bugs. But most of the time, you will want mobile device and software updates to be installed automatically for your users.
Educate mobile users. This recommendation is the big one. You could use one of the many emerging products that restrict mobile employees’ online activities, monitor their digital behavior or essentially try to control users. But that type of monitoring can backfire, leading to frustrated employees and a decrease in productivity. Instead, educate employees by explaining the difference between safe and risky behaviors. Make sure employees understand how to avoid phishing, malware downloads and online scams. Explain to them at regular intervals that they shouldn’t sign in to the corporate network via unsecured public Wi-Fi hotspots.
Make sure they understand that email access via public Wi-Fi exposes them to local attackers on the same hotspot, who can monitor the wireless traffic and analyze packets with tools like Wireshark. Monitoring for access to email services from unknown or unmanaged devices is one way to address this threat.
Ensure that every wireless device connected to your network has an authorized configuration and security profile. If you don’t know what the device is or who owns it, it doesn’t get access. The network should be scanned constantly to identify rogue access points or unauthorized devices and to expose attempted attacks.
Note that these threats all involve human behavior, so they cannot be guarded against by any security software or hardware tool – they require awareness and discipline. This is simultaneously your most important mobile security measure and the most difficult to implement satisfactorily. Don’t be content to merely explain mobile security to users once. Continually reinforce it with repeated training, quizzes and internal certifications that have to be refreshed on a semi-annual basis for all mobile users.
New devices, software and apps are flooding the consumer market at a tremendous speed and subsequently entering enterprise businesses through the back door. You need to accept that your networks and IT environments will be large, extended, and at times, porous. Mobility is present in the workplace, so by practicing the above measures, you can enhance the safety and security of your business.