Today's talent is no longer bound by the cubicle. For many, home offices and wi-fi-enabled coffee shops are the new workplaces. Citrix writes that 61% of modern employees work outside the office at least some of the time and that the average employee today uses 3 or more devices daily to work.
For 81% of modern workers, the idea of being able to work from anywhere in the world is considered a major plus. While the concept of a mobile workplace can offer work-life benefits to employees, it can present unique information security challenges that weren't present in the closed offices of yesterday.
Are Mobile Workers at Increased Risk of Security Attack?
Studies indicate that users are less likely to perform secure behaviors on mobile devices, regardless of where these devices are being used. Critical activities like deleting suspicious or spam emails or treating sensitive files securely drop on mobile devices versus computers, which could be a result of ease of use. Organizations should consider both regulatory requirements for PCI-DSS compliance and risk mitigation when it comes to shaping a security policy for a flexible workforce. Join us as we review the most important components of reducing security risks in a mobile workplace.
1. Restrict Physical Access
Physical theft of a company-issued laptop, smartphone, or tablet can present a nightmare of risks. While passwords can protect most casual thieves from gaining access to the content of a device, seasoned cybercriminals are often able to crack basic device passcodes and uncover encrypted data stored on the device.
- Change Vendor-Supplied Default Passwords (PCI 2.1)
- Configure Devices for Known Vulnerabilities (PCI 2.2)
In many cases, mobile device management (MDM) and monitoring solutions are crucial to ensure that data loss can be mitigated if a device is stolen by someone who may have the ability to crack secure passwords and encryption. Your security policy should dictate that theft must be reported promptly for IT administrators to immediately restore the device to its default settings.
2. Monitor for Malicious Files
Every device used to support a flexible workplace can present a potential point of entry for hackers. If a mobile worker uses a company-issued laptop, PC, mobile phone, and tablet, they could have four possible points of vulnerability. Continually monitoring for the presence of Malware, malicious code, and other device attacks through critical file monitoring is crucial to ensure that every remote device is protected.
To remotely detect the presence of malicious files, organizations should consider:
- Agent-based file integrity monitoring software (PCI 11.5)
- Automated Audit Trails (PCI 10.2)
- Implementing Remote Security (PCI 8.1)
Malware can land on an employee's remote device at any time, which is why the continuous monitoring of critical files can allow organizations to ensure their data and devices are protected in real-time. A file integrity monitoring tool with the ability to completely reverse negative changes to critical files can offer additional protection in excess of PCI regulatory requirements.
3. Opt for Company-Issued Equipment
While "bring-your-own-device" (BYOD) is a popular option for bootstrapped startups and other flexible organizations, using company-issued equipment as a standard rule can significantly ease the process of reducing risks.
As Forbes writes, your employees are likely free to use their personal devices however they like in their spare time. When a device is connecting to your company's protected network, how it's been used is "very much your business." Opting for company-issued equipment instead of BYOD can allow you to:
- Control Updates (PCI 6.2)
- Update Security Patches (PCI 6.1)
- Control Data Back-Up (PCI 9.5)
Create and Enforce Acceptable Use Policies (PCI 12.3)
4. Facilitate Secure Applications
Cloud-based applications are a crucial productivity tool for the mobile workforce. Cloud-based enterprise resources planning (ERP) software, customer relationship management tools (CRM), and other applications allow employees to securely access data from home or any other location worldwide. While the cloud can enable productivity, it can also introduce certain vulnerabilities.
Application security is a crucial part of providing remote workers with secure access to data. IT should:
- Install Application Security Patches (PCI 6.1)
- Be Vigilant About Security Vulnerabilities (PCI 6.2)
- Develop and Monitor Web-Based Applications for Security (PCI 6.3, 6.5, 6.6)
Utilize Data Access Controls (7.1)
5. Be Aware of Insider Threats
Pricewaterhouse Cooper research found that violation of security policies and misuse of resources are the most commonly displayed behaviors by employees who cause a security breach. Providing comprehensive training to employees is critical, particularly if they will be working from home on a regular or recurring basis. Potential ways to mitigate insider risks in a flexible workforce can include:
- Creating an Acceptable Use Policy (PCI 12.3)
- Educating and Screen Employees (PCI 12.6, 12.7)
- Providing Education on Unauthorized Device Access in a Mobile Workplace (PCI 9.2)
Employees should be aware that their use of company-issued devices is monitored, even when they are working remotely. IT should provide clear education on acceptable use in any environment, including the importance of not letting friends or family members use a company-issued mobile device regardless of an employee's degree of access to sensitive information.
While a mobile workforce may represent the future, it can introduce particular risks and concerns for regulatory compliance and security policy. With the appropriate attention to relevant PCI requirements, training, and technology, organizations can ensure that a flexible workforce is prepared to protect sensitive data.
For more information on how CimTrak can help with security and PCI compliance, download the PCI checklist today.
April 14, 2016