Tips for Securing Your Mobile Workforce

April 21, 2020
 
Remote work is the new normal for many organizations. And as more employees rely on their mobile devices to stay connected and get work done, the need for mobile security becomes even greater.
 
Malware infections and unsecured access to sensitive company data are just some of the threats you need to consider. And regardless of who owns the mobile device—whether the organization or the employee—there's a greater risk than before of an infected device connecting to your corporate network and causing a widespread infection.
 
Employee working on their mobile phone in front of their laptop.

Limited Visibility Creates Unlimited Challenges

Employees working from home in large numbers increases the risk the personal devices are used to access your corporate network or assets. This can mean limited visibility into the use of these mobile devices, let alone control.
 
As a result, you must rely on your employees themselves for critical steps like keeping devices up to date. Unfortunately, if they don’t update their operating system and applications regularly, they leave the window open for bad actors to exploit vulnerabilities.

Mobile Threats Are on the Rise

Malware targeting mobile devices is a growing problem. A 2019 Check Point survey found that nearly a third of surveyed businesses were impacted by threats related to mobile devices.
Additionally, McAfee researchers found that total mobile malware detections grew from about 25 million in the first quarter of 2018 to more than 35 million in the fourth quarter of 2019.
 
Graphic of Mobile Device malware detections by the numbers. Detections grew from 25 million in 2018 to 35 million at end of 2019.

Biggest Mobile Device Threats

While malware is a serious threat, it's not the only one by far. Here are some of the other threats, along with tips to protect against them.

Data Leakage

Data leakage can be as simple as an employee storing confidential files in a public cloud storage service (like Google Drive or Apple iCloud) or forwarding a sensitive email to an unsecured email service.
  • Create a data classification system to help your workforce identify sensitive data.
  • Implement user policies that restrict the access of sensitive data from unapproved apps, as well as restrict the sharing of confidential information outside the organization.
  • Consider using data protection tools to restrict how data is shared and used.

Unsecured Wi-Fi

Because of the COVID-19 pandemic, public places like coffee shops are closed almost everywhere, so you don't have to worry much about public Wi-Fi at the moment. But even a home Wi-Fi connection may not be secure due to improper configuration or outdated security protocols.
 
An enterprise-class virtual private network (VPN) is the best way to provide a secure, encrypted connection. Restrict or forbid access to critical assets for users working without a VPN session, and segment your network so you can treat other traffic as guest access.

Phishing and Social Engineering 

Phishing is a bigger threat on a mobile device than on a computer because it's harder to spot phishing websites on mobile browsers. Mobile users also can't take common security precautions such as hovering over a link or sender's address to identify a red flag.
Awareness training is a good first line of defense against phishing. Educate your workforce on the increased risks of phishing and social engineering when using mobile devices.

Other Best Practices to Implement for Your Mobile Workforce

Many of the best practices that apply to cybersecurity in general are also effective against mobile threats. These are some of the top strategies to consider:

24x7 Network Monitoring

Monitoring your network 24x7 is critical to your ability to respond to threats effectively. If a mobile device becomes compromised, you need to identify the problem quickly.
 
Around-the-clock monitoring is even more important when many employees work from home. They often establish a more flexible work schedule based around family needs, which means they may access your network and data anytime, day or night.
 
If your IT team is stretched too thin—especially in a time when it must support a bigger remote workforce—consider a managed threat detection and response provider. It's a cost-effective alternative that extends your defenses beyond your premises.

Endpoint Security 

Consider implementing a managed device program and requiring employees to enroll their personal devices. This enables you to better control what corporate data they can access and how, helps ensure they keep devices up to date, and helps address security risks like stolen or lost devices.
 
Additionally, if you have a managed detection and response provider, take advantage of the vendor's endpoint agent to gain visibility into your remote workforce.

Credential Protection 

To protect against compromised user credentials, use multifactor authentication (MFA) as much as possible. Don’t use it just for your applications, but also for your VPN, intranet, and any other system your workforce may access remotely.
 
For increased protection, consider a solution that helps you quickly identify credential theft, so you can require password resetting before a bad actor takes over an employee's account.
 
Cloud infrastructure monitoring: Your mobile employees likely rely on cloud-based applications.
 
While enterprise-class cloud applications have built-in security, it's not enough to protect you from a data breach.
 
Monitor your cloud workloads and applications for security risks. Ensure that your data-use policies also apply to cloud apps, and reinforce those policies just like you would for on-premises data.
Create mobile device policies: Before you allow your mobile workforce to use their personal devices, create policies to minimize your biggest risks.
 
Here are some questions to address:
  • What type of work-related activities will you allow on mobile devices?
  • What type of data can employees access on their devices? Do you a have data-classification policy, or will you create one?
  • How will you enforce security requirements, such as regular patching?
  • What are the alternatives for employees who can't meet the security requirements?
Once you've established policies, educate your mobile workforce. But don't take a "set-it-and-forget-it" approach. Integrate policy-related topics, along with best practices, into your ongoing user-training program so employees receive periodic reminders and refreshers.
 
Mobile graphic with "5 Questions to ask when securing your Employees' Mobile devices" with information from the 5 bullet points above.

Getting Started

Protecting your mobile workforce from today’s cyberthreats is essential, but it isn’t easy. If you need help figuring out how to best do so, reach out to the Arctic Wolf team. We understand that, in these challenging times, organizations can benefit from expert guidance as they first navigate the risks created by remote and mobile employees. 
Previous Article
COVID-19 Weekly Threat Roundup: April 24
COVID-19 Weekly Threat Roundup: April 24

COVID-19 Weekly Threat Roundup includes info on the latest cyberattacks, with attack vectors, IOCs, and sec...

Next Article
COVID-19 Weekly Threat Roundup: April 17
COVID-19 Weekly Threat Roundup: April 17

×

Want cybersecurity updates delivered to your inbox?

First Name
Last Name
Company
!
Thanks for subscribing!
Error - something went wrong!