The mobility and remote-access boom is technology powered but business driven. As small and mid-size businesses (SMBs) increasingly look toward technology to help them rebound in 2010, improved mobility solutions, greater employee productivity and a growing social media presence are all key strategies. Empowering employees with remote access can help SMBs thrive — allowing them to improve customer service and add agility to their business model.
But increasing mobility also means increased risk to the security of computing systems and data, and to the welfare of the very businesses that use mobile devices. We know, for example, that growing use of social networking and video-sharing websites increases network exposure to viruses and malware. And reaching those sites from roving laptops or handheld devices, which tend to be harder to secure, only exacerbates the risk.
This trend challenges SMBs to gain a complete view of who is entering the network and what data or software resides on mobile devices, and to create a well-controlled but user-friendly environment that protects sensitive business information. Security is a primary reason many organisations either resist enabling remote/mobile access for employees or confine it to a very select group of users.
Without question, opening the infrastructure to a remote connection always involves risk. Without proper safeguards, organisations are susceptible to data theft, network abuse, viruses, worms and other network security threats. Here are tips on managing the mobile workforce and wireless network:
* Secure the VPN: If you choose a VPN for access, it is critical to consider which information your organisation is willing to share over a remote connection. If you are planning to transfer data that is in any way sensitive, be wary of pre-installed VPNs. Though most operating systems have built-in VPN protocols that can be implemented at a low cost, these protocols typically rely on little more than usernames and passwords, usually lack robust authentication and encryption components and can easily become open doorways that allow hackers to introduce worms, viruses and bots into corporate networks. For increased security, dedicated VPN applications can be configured to require all IP traffic to pass through the VPN tunnel and grant only selective access. But a multi-layer security strategy is the strongest, and even with the most sophisticated VPN applications, mission-critical systems containing sensitive business information should employ supplemental file-encryption and authentication tools.
* Secure mobile devices: If users have access to notebook PCs or smartphones, implement a layered security strategy, such as a combination of password protection, firewalls, partial or whole-disk encryption and antivirus/antispam software. Most security measures can be transparent and user-friendly, and adding layers to your security significantly raises the barrier to intrusion and data loss.
* Password protection and encryption: Ensure that each mobile device is password protected as well as encrypted. Also, consider using an automatically generated one-time password that is valid for only a single login session. Depending on the delivery method there is a risk of interception; however, the password will be invalid for future sessions. Finally, urge employees to use strong passwords. "Password" and "1234" are not acceptable anymore. A strong password should have an equal mix of numbers, letters and (if case-sensitive) upper- and lower-case text.
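The one-time password point above rests on a simple server-side rule: a code is accepted once and then retired, so an intercepted code is worthless afterwards. The following is an added example, not code from the original article, that implements the counter-based HOTP scheme of RFC 4226 in plain Python and a verifier that refuses replayed codes. The secret is the RFC 4226 test key and the small look-ahead window is an assumed value; both are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 Appendix D test key (ASCII digits).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HOTP value (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    then dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state for one user: the next expected counter value.
    Once a code is accepted the counter moves past it, so the same code
    (or any earlier one) can never be accepted again."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0            # next counter the server expects
        self.look_ahead = look_ahead  # assumed tolerance for skipped codes

    def verify(self, candidate: str) -> bool:
        # Check the expected counter and a few ahead of it, in case the
        # client generated codes that never reached the server.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1  # retire this and all earlier counters
                return True
        return False


if __name__ == "__main__":
    verifier = OtpVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    print("first code accepted:", verifier.verify(first))   # True
    print("replay of same code:", verifier.verify(first))   # False
```

The `look_ahead` window is the usual trade-off: a larger window tolerates a user who pressed the token several times without logging in, but also widens the set of codes an attacker could guess, so keep it small and lock the account after a few failures.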
* Develop and enforce a security policy for remote devices: Let's face it — most network users just don't think much about security until they have had an incident. Education is critical because employees engaging in risky practices often don't know they are doing so, or they underestimate the potential impact of their behaviour. Hold training sessions for all users who have remote access or mobile devices and refresh them regularly on security policies and practices. The most powerful component in an effective solution is a community of informed and compliant users guided by savvy leadership. Training users to avoid risky behaviours is the first step.
We close with two items your organisation doesn't want to learn the hard way:
* Keep sensitive data under house arrest: In the news over the past few years we have seen an increase in lost or stolen devices containing personal and confidential information. In many of those stories, the lost or stolen devices contained names, birth dates and Social Security numbers for thousands of individuals. For example, in 2010, an unencrypted laptop containing the Social Security numbers and medical records of 12,500 patients at a healthcare facility in Florida was stolen from an employee's home.
Such stories are familiar and increasingly common, and they make a simple point: sensitive data should not reside on a mobile device unless the organisation has taken strong and multilayered steps to encrypt and fully secure it. If the asset itself lands in the hands of someone else, the information must still be safe. If an organisation cannot secure mobile devices adequately, it should store sensitive data only on servers in safe, secure locations. Equip your system with the tools to authenticate and approve secure access, even from remote locations (that is entirely possible), but do not allow downloads.
* Be wary of email: We say this ad nauseam, and yet it seems we can never say it enough. The risks from mobile devices come in part from employees who make personal use of them, including access to their personal email, so they need to treat this problem as if it were their own — because it is. Educate your staff on how to prevent viruses and worms from spreading via email attachments, and be sure they recognise phishing scams when they see them. Make sure all employees know not to open executable files or any attachment from an unfamiliar address. Further, they should understand that viruses are not spread only through attachments but can be found in embedded items as well. The bottom line? Don't open spam or suspicious-looking emails from unknown senders.
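The two rules in the email item (no executable attachments, nothing from an unfamiliar address) can also be enforced mechanically at a mail gateway or in a mail client plug-in. As an added example, not code from the original article, the following Python uses only the standard library's `email` package to parse a message and report attachments with executable extensions, double extensions that disguise executables, and senders outside an allow-list. The sample messages, the sender list and the extension set are constructed for the demo; a real deployment would take the allow-list from the organisation's directory and extend the extension set to its own policy.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Constructed policy: extensions that execute when opened on a typical desktop.
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif",
                   ".vbs", ".js", ".jar", ".msi", ".ps1"}


def build_sample_message(sender: str, attachments) -> bytes:
    """Construct a sample message for the demo; attachments is a list of
    (filename, bytes) pairs. Returns the raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def attachment_findings(raw: bytes, known_senders) -> list:
    """Parse a raw message and return a list of human-readable findings.
    An empty list means nothing in this message tripped the checks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    if sender not in known_senders:
        findings.append(f"unfamiliar sender: {sender}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Collect every extension after the first dot, e.g. "invoice.pdf.exe"
        # yields [".pdf", ".exe"]; the last one decides what actually runs.
        pieces = name.lower().split(".")
        exts = ["." + p for p in pieces[1:]]
        if exts and exts[-1] in EXECUTABLE_EXTS:
            findings.append(f"executable attachment: {name}")
        if len(exts) > 1:
            findings.append(f"double extension (often disguises an executable): {name}")
    return findings


if __name__ == "__main__":
    known = {"vendor@example.com"}
    clean = build_sample_message("vendor@example.com", [("invoice.pdf", b"%PDF-1.4")])
    risky = build_sample_message("someone@unknown.test", [("invoice.pdf.exe", b"MZ")])
    print("clean message:", attachment_findings(clean, known))   # []
    print("risky message:", attachment_findings(risky, known))   # three findings
```

Extension checks are a first filter, not a guarantee: the article's broader point stands that content embedded in otherwise ordinary documents can also carry malicious code, so this logic belongs alongside antivirus scanning and user training rather than in place of them.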