ISACA Journal
Volume 4, 2,017 

Features 

Mobile Workforce Security Considerations and Privacy 

Guy Ngambeket, CISA, CISM, CGEIT, ITIL v3 , PMP 

In 2012, a software developer who mainly worked remotely for a US firm had the idea of fully outsourcing his work to China.1 He was finally caught after a few months because of suspicions about the origination of his virtual private network (VPN) connections. Indeed, he literally sent his physical VPN key access to his remote “employee” to allow him to access the company’s systems. Although this story might appear to some extent anecdotal, it raises some serious issues about security considerations and even privacy around remote working and what it entails. How is it possible that an employee gave unauthorized access to his company information to an outsider for so long without it being noticed? What are the legal and reputational consequences for the company? Are the connections of employees always monitored, and what are the employer’s intentions when monitoring them?

Remote working has a lot of advantages, both for the company and the employees. In the past years, it has become increasingly used by companies as a perk. In some countries such as the UK, it is even an employee right to request mobile working.2 The desire for mobility comes from the sense of flexibility, liberty and self-management it entails, especially for those who need to watch over their children and/or have a long commuting time to reach their physical office location. It also gives a sense of job ownership to the employees, although it often adds a “hidden” pressure on them. For example, remote employees do not want their management to think that if they are not delivering as expected it is because working remotely is holding them back; therefore, they will work even more than the contractual hours to deliver. It also helps companies cut costs, especially in rent and utilities, and find skilled employees regardless of their location. With the progress of technology, the mobile workforce is a trend that is not going to stop and will even expand. It is forecasted that by 2020, 72.3 percent of the US workforce will be remote.3

It is also clear that this modern workforce comes with risk, which can be substantial if not properly addressed.

Mobile Workforce and Technology

Technology enables the mobile workforce. In recent years, many technology companies such as Google, Amazon and IBM have started to invest massively to offer cloud-based services to respond to businesses’ expectations. Beyond being willing to promote workforce mobility, an investment should be made in technology to effectively implement it.

With the development and continuous improvement of cloud technologies, it is now very easy to bring almost all the tools used at the physical workplace to employees’ homes and even to their smartphones. In many companies, employees are even allowed to use their own devices and install security systems to secure information.

There are also many companies providing various tools for videoconferencing, conference calls and document sharing such as Skype, Webex and Google Hangout, that enable connection and collaboration among employees and with customers. One recent major example of investment in cloud-based technology is PricewaterhouseCoopers’s (PwC’s) partnership with Google to switch to collaborative tools in order to stay at the forefront of the technology and use the full opportunity that mobile workforce offers.4 According to a survey conducted by PwC, 77 percent of chief executive officers (CEOs) believe that technologies are a top value driver for collaboration.5 This is another indication that the trend of workforce mobility is likely to continue. New related solutions and concepts are still to come.

Other major beneficiaries of these cloud services are entrepreneurs and start-ups, who have not only seen a dramatic decrease in IT cost and skills dependency from where they were years ago, but also have been able to find the right people around the world to support their business without having to worry about immigration. This is particularly important as the world is currently experiencing a surge of start-ups, challenging existing business models by introducing digitalization and big data. In response to that, companies are transforming their businesses to survive by following the trends. Increasingly, customers’ data are collected, stored and analyzed to predict customers’ needs.

Key Risks Associated With the Mobile Workforce

As pointed out earlier, the goal of workforce mobility is to enable employees to work wherever they want. They could be working at home, which is relatively secured, or they could choose to work in public area like cafes, parks or bus stops. Of course, this causes serious threats, not only to data integrity, but also to the physical security of employees. These threats are more easily mitigated when working in a physical office because there are plenty of countermeasures companies have been implementing for decades. While the negligence of remote employees can be one major source of risk related to the company’s assets, there is also risk related to cloud technology. The key areas of risk to consider when it comes to a mobile workforce follow.

Company Assets
The biggest risk in this area is loss or damage to the assets when they are in possession of the remote employees. These assets can be physical (laptops, mobile phones, tablets) or logical (customers’ data, employees’ data, other critical information). Threats can range from a child pouring water on a laptop to a device shared within the employee’s family without appropriate safeguards to a computer screen inadvertently left unlocked while displaying sensitive information. There are many situations that can lead to the impairment of assets. In a simple example, Kendi, who is an employee of ABC, has an important call to discuss confidential information. She decides to make the call from her garden and her neighbor and even one of her guests is listening to the conversation. In the worst-case scenario, Kendi’s part of the conversation is recorded and that information disclosed to the general public. The consequences could be catastrophic for her firm, its clients and even herself.

Also, hackers or other individuals or organizations willing to steal data from a company can take advantage of remote workers to accomplish their tasks knowing they are more likely to succeed by attacking one isolated employee than breaking the security layers of an entire organization.

Personal Security
Employees who are carrying or storing important assets of companies at home are at increased risk of being attacked to take control of the asset. It can be a single robber who is willing to steal a mobile phone and resell it without any knowledge of the contents, or it can be a more organized criminal group that is fully aware of the value of the data in the employee’s possession.

This is particularly true for workers who consistently work at home because the level of home security is unlikely to be as rigorous as at an office building, and criminals realize, from the worker’s regular, daily routine, that they can take time to plan their activities and, therefore, increase their likelihood of succeeding.

Cloud Technologies
Whether a company partially or totally outsources its systems and infrastructures, typical IT risk related to confidentiality, integrity and availability around IT governance and management, access to programs and data, change management, and operations still holds. In addition to the risk that usually exists in an office environment, the risk arising from Internet use and all that entails increases significantly. Indeed, because cloud providers have many customers, the information they store and manage has great value for hackers, who will try to take advantage of Internet use to find breaches into the information system and gain access to the data.

It is critical for companies to be aware that cloud providers have their own employees who can access companies’ data (thereby customers’ data) and steal that data for various purposes.

Regulation and Compliance
Depending on their activities, companies are required to comply with various laws and regulations regarding their information systems and the data they manipulate. These regulations differ from one country to another. In the US, health care data security is chiefly governed by the US Health Insurance Portability and Accountability Act (HIPAA), while in the UK there are the National Health Service (NHS) Act of 2006, the Health and Social Care Act of 2012, and the Data Protection Act.

Companies need to be extremely careful about regulations with which all the stakeholders involved in mobile working must abide. In general, companies are liable for the security of their information systems, regardless of whether or not they outsource their IT. It is the company’s responsibility to ensure that customers’ data remain confidential and accurate. If the cloud vendor or a remote worker is located in a region or country where data protection is not stringent, the data could potentially be at risk.

Privacy Concerns

When setting up policies relating to the mobile workforce, companies may take actions that can be viewed as privacy breaches for employees. Some companies monitor all activities (including communication) and files on devices given to the employees and even track their location. Of course, if there is no mandatory regulation that protects employees’ privacy, there can be abuses that can have tragic consequences.

Companies will always promote the benefits of monitoring their devices for security or business reasons, but employees need to be aware of privacy concerns and ensure that their personal life and information will not be impacted. According to a survey conducted by MobileIron, 30 percent of mobile employees are ready to quit their company if their devices are monitored.6

Working remotely can often affect or expose your family. Recently, the children of Professor Robert Kelly walked into his office during his television interview with the BBC, followed by his wife, who was trying to pull them out of sight.7 That video was viewed millions of time on social media networks, and his family became public.

Recommendations

There are several measures companies can take to protect their assets and resources. The first is to clearly identify and document all potential security and privacy risk areas that relate to mobile working. It will help the company to structure its response to those risk areas and find appropriate measures. Some typical responses that can be implemented follow.

Security and Privacy Policies
Appropriate policies and related procedures should be defined to give clear directions on how assets and resources should be used remotely to guarantee their security. The acceptable use policy should clearly state what remote employees can or cannot do with the assets of the company, placing particular emphasis on personal use.

Human resources policies have to be clear on privacy issues, so those policies should clearly define the boundaries within which monitoring and (potentially) tracking will be performed and how employees’ privacy is protected by the company. Companies should make sure that their employees are aware of those policies and have given their consent. These policies should be enforced and monitored by an independent function, and employees should have a dedicated person or team to speak to if they feel that their privacy is not respected.

Training and Awareness Programs
One of the most effective ways to secure company assets is to offer regular training and awareness campaigns. These events should describe the risk associated with information systems used by employees who are working remotely and the potential consequences of a privacy breach for the employee, the company, its customers and staff. The awareness communications should discuss topics ranging from avoiding domestic accidents that can damage assets to not plugging an unknown universal serial bus (USB) drive into a company laptop to using public devices to access business applications. Ultimately, employees have to commit to information security; otherwise, many other measures could be useless.

Actively involving employees in defining and monitoring the security of company assets gives them a better sense of ownership and increases compliance to the security policies. Also, remote workers have to be consistently made aware that their personal security could be at risk and they should do their best to avoid being in threatening situations.

Insurance
If customers’ data are disclosed, financial damage can be significant. By taking out an insurance policy against loss or damage of assets, companies can protect themselves against such costs. Of course, the insurance premium can potentially rise due to the increased risk arising from remote working.

Monitoring Cloud Providers
The choice of cloud provider is the key decision companies must make once they commit to using cloud services. The provider must be appropriate not only in terms of cost, but also with regard to reputation, compliance with regulations and evidence of a strong control culture.

In relation to the last item, the vendor should be able to produce a third-party assurance report, signed by an independent auditor, which shows the status of its internal security control. Of course, the provider’s system of internal control should always be in addition to the controls managed and operated by the company itself. It is worth noting that just receiving the report is not sufficient; companies need to analyze it in detail and ensure that the level of security is appropriate to their business.

Secure Remote Communications
Remote communication is definitely one of the key areas to look at carefully with regard to mobile working. The company’s systems are not only accessed from its offices, but also from unknown locations that can present their own risk and weaknesses. To avoid, or at least to significantly decrease, the risk of intrusion into company systems, continuous network monitoring should be performed using the most advanced and up-to-date technology the company can afford.

In addition, critical communications between devices and the company’s servers should be encrypted. Employees should regularly be made aware to avoid using public Wi-Fi, unless appropriate security measures (e.g., VPN connection) have been implemented.

Secure Devices and Their Content
If a device is lost, intruders can easily get access if it has not been properly secured. Therefore, critical data should be encrypted, and strong password and session security configuration should be enforced. The screen lockdown after a period of inactivity should be set to a low value. Antivirus software should be regularly updated using a “push” method, and devices whose antivirus software is not up to date must be restricted from connecting remotely to critical systems.

From a physical perspective, computer locks can be given to employees so they can physically lock their computer when they are away from it. On mobile phones or tablets, device management applications and suites such as Good or MobileIron can help secure business data.

Endnotes

1 BBC, “US Employee ‘Outsourced Job to China’,” 16 January 2013, www.bbc.co.uk/news/technology-21043693
2 Gov.UK, “Flexible Working,” https://www.gov.uk/flexible-working/overview
3 The Telegraph, “Today’s Mobile Workforce: Any Time, Any Place,” 5 September 2016, www.telegraph.co.uk/business/ready-and-enabled/todays-mobile-workforce-any-time-any-place/
4 Archer, T.; M. Daigle; “PwC and Google for Work,” https://gsuite.google.co.uk/intl/en_uk/learn-more/pwc_and_google_bringing_transformation_to_work.html
5 PricewaterhouseCoopers, “Redefining Business Success in a Changing World—CEO Survey,” January 2016, https://www.pwc.com/gx/en/ceo-survey/2016/landing-page/pwc-19th-annual-global-ceo-survey.pdf
6 Cook, D.; “Employees Expect Mobile Device Privacy at Work,” BenefitsPro, 22 July 2015, www.benefitspro.com/2015/07/22/employees-expect-mobile-device-privacy-at-work
7 BBC, “BBC Interview With Robert Kelly Interrupted by Children Live on Air,” 10 March 2017, www.bbc.co.uk/news/world-39232538

Guy Ngambeket, CISA, CISM, CGEIT, ITIL v3 , PMP
Is a risk assurance professional with eight years of experience. He has worked at PricewaterhouseCoopers Cameroon, France and the United Kingdom. He is currently enrolled at London Business School, where he is studying for a Master in Business Administration (MBA). He can be reached at guy.hnd@gmail.com.

 

Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.