The modern workforce is realizing profound productivity gains through the mobility enabled by connected devices. A recent global study found that 89 percent of respondents cited flexible working as helping their business grow, as compared to only 68 percent in 2016. Indeed, how many of us feel we would be able to do our jobs just as well without our laptops or smartphones? The business case for the mobility enabled by connected devices is apparent.
But the rush to encourage workplace IT mobility in the early 2010s subsided, if not outright reversed, at some businesses once the security risks created by that enhanced mobility also became apparent. It is clear that security and mobility go hand-in-hand, and that to continue to reap the benefits of workplace mobility, potential IT risks must first be addressed.
That’s quite a tall order, however, as almost every device in the workplace these days is connected in some way, and there is no better example of the security risks than the “Fancy Bear” hacker attacks that occurred this summer. The devices this hacker group targeted weren’t anything unusual; in fact, quite the opposite: printers, which many of us take for granted security-wise, even though printers, scanners and similar devices are connected to the same company network as any other computer. And this is exactly how Fancy Bear gained access to vulnerable networks. The hackers used these devices as a beachhead to reach other network areas, continually laddering up to more and more sensitive information.
So, if any connected device can be exposed, and just about every device is connected, what is a CSO to do? Fortunately, the situation is not nearly as dire as it would first seem. For example, with regard to the Fancy Bear attacks, in some cases the weakness was as simple as default passwords on the devices that had never been changed - this is a common mistake I see all the time working with customers at Brother International Corporation. Just because something is very simple doesn’t mean it’s not very important! Along these lines, the Fancy Bear hackers were also able to penetrate an organization just because the latest security update was not applied on a particular device. This is another all-too-common mistake.
Furthermore, the Fancy Bear attacks don’t address another common entry point for exploiting a mobile workforce, and that is a lack of awareness by employees as to security best practices. How many debilitating hacks have begun with one employee clicking on an external link from an unknown source that turned out to be malicious, for example? It’s our job as IT administrators to make employees aware of the dangers.
Big picture, ensuring your mobile workforce is also a secure workforce requires a two-pronged approach. The first prong is organization-wide device awareness. This can mean everything from making sure IT administrators always stay current with firmware and implement software updates, to proactively doing their industry research about the latest threats like Fancy Bear.
As a corollary, I do feel this is an argument against Bring Your Own Device policies - it’s impossible to be organizationally aware if it’s up to each employee what device they’re using (and whether it’s secure, etc.). But, I also don’t think that’s an impediment to workplace mobility anymore, as enterprise options have improved by leaps and bounds since the days when a certain business smartphone was the only game in town.
The second prong is employee awareness, as IT administrators and security professionals can only do so much. Every employee’s eyes and ears need to be attuned to potential risks. After all, many security issues are actually caused by accident, so teaching the members of your organization how to be responsible with their devices is a must.
As with many things in life, workplace mobility has swung on a pendulum, from a free-for-all enabled by the early days of IoT to something of a backlash in recent years due to businesses becoming aware of the many risks that overly loose mobility policies can pose. But, I am confident that with smart security policies, any organization can find the perfect balance between the numerous benefits of flexible work enabled by connected devices, and safeguarding that workforce from the potential risks thereof.