Employee mobility is no longer a privilege or nice-to-have, but a given in today’s workplace. At even very small organizations, it’s not uncommon to find executives or sales people who are on the road more often than they are settled in the office, and gone are the days when working remotely is considered the entitlement of a select few. 

Life is a highway

Employee mobility is no longer a privilege or nice-to-have, but a given in today’s workplace. At even very small organizations, it’s not uncommon to find executives or sales people who are on the road more often than they are settled in the office, and gone are the days when working remotely is considered the entitlement of a select few. With modern mobile devices, cloud-based applications, and always-available WiFi, working from anywhere at any time has become a breeze. From a security practitioner’s perspective, however, mobile devices in the workplace create myriad challenges.

Device security is largely in the hands of users, carriers, and manufacturers. Historically, carriers and manufacturers are slow to push updates to end users; end users, for their part, neglect to update devices, don’t take the time or know how to configure the most secure settings, and are more prone to download malicious apps or click on suspicious links from a mobile device than on a laptop or desktop. Even if all the right steps are taken to protect the device itself, users are going to connect wherever they can connect, and freely available WiFi has become ubiquitous. And expected.

Life’s like a road you travel on

In June 2016 Xirrus, a WiFi network provider “surveyed more than 2,000 executives and IT professionals in the U.S.,” according to the company’s website, and found that 91% of users do not believe public WiFi is secure, yet 89% of users choose to connect through public WiFi anyway. Not surprisingly, business users are most likely to connect to public—and often insecure—WiFi at hotels, coffee shops/restaurants, and in airports.

Source: https://www.xirrus.com/pdf/Rolling-The-Dice-With-Public-Wifi.pdf

Users aren’t only connecting sporadically either. Thirty-one percent of respondents said that they connect to public WiFi every day, and another 37% responded that they connect to public WiFi between one and three times per week. And if security practitioners reading this are thinking, “Pshaw! End users never listen to security’s advice,” well, on more than one occasion, security professionals have admitted to InfoSec Insider that convenience trumps security, even when using their own devices. Long passwords? Good in theory, less so in practice. Always connecting through VPN? Maybe not so easy when you’re about to board a plane and need to get that presentation/report/email to your boss/colleague/business partner.

When there’s one day here and the next day gone

For the sake of argument, let’s say that not even one security practitioner responded to this survey. Nonetheless, the data show that managing mobile users must continue to be a chief concern for enterprises. While respondents seem to understand that the onus is on them if they get hacked (85% of respondents), knowing one’s responsibility and staying secure (or losing his or her employer’s data) are different things entirely.

Source: https://www.xirrus.com/pdf/Rolling-The-Dice-With-Public-Wifi.pdf

Where blues won’t haunt you anymore

Even though mobile is nothing new and security teams have been dealing with an expanding and shifting perimeter (if one ever existed in the first place) for years and therefore know that protection needs to be placed on the data itself, encryption still isn’t used consistently enough, companies are not segmenting their networks well enough, and not enough education—at least according to survey respondents—is provided to really keep our devices, data, and users safe. Easy mobile access is a cruel temptress, and the reality is that users (including security pros) want anytime, anywhere access.

If the data are any indication, security teams need to (finally!) start putting an emphasis on implementing the right technological solutions—like encryption, segmentation, and buttoned up access rights—to keep organizational data secure. There’s plenty of industry chatter about doing so, but still a whole lot of lost and stolen data.