MITIGATING THE RISK OF AGILE AND REMOTE WORKING USING MOBILE DEVICES
THE MOBILE SECURITY PROBLEM
If you are reading this guide, it’s likely that you are weighing up the benefits of a more mobile workforce, which may include remote working. You might even be starting to reap the rewards of this flexible approach. Whatever the individual benefits may be, protecting your firm’s data and reputation has its challenges.
Virtually all UK Legal Practices now rely on some form of digital communication or services, and understandably, the challenge of protecting data may seem like an ever-more daunting one. Consider these three key questions:
- What happens when devices are lost or stolen?
- Is your firm’s data secure on these devices?
- How do you prevent unauthorised access to data from devices?
Get it wrong and you could face ransom payments to cyber criminals, or large fines for regulatory breaches from the Solicitors Regulation Authority. It is no surprise, then, that cyber security is a high-priority item on the boardroom agenda – yet most Practices have been unable to mitigate the most common threats in the past year. In their recent survey about cyber security, Ipsos Mori found the average cost of a breach to a medium-sized firm to be £16,100, and that in the last 12 months almost half of those surveyed had identified at least one cyber security breach or attack.
In this guide we explore the corporate mobility landscape and the common challenges Legal Practices are facing, as they rush to execute their strategy. By following a simple framework, our guide will cover:
- Creating a secure foundation for mobile devices accessing your network.
- Setting up compliance rules to adhere with regulatory requirements.
- Deploying mobile cyber security successfully with automatic threat remediation.
A SECURE ENVIRONMENT FOR MOBILE DEVICES
For most firms, the rise of flexible, remote working has brought with it a dramatic change in priorities and annual budgets. We’ve heard several horror stories in our professional networks of breaches of employee and payroll records, leaks of case files and even theft of intellectual property. As our priorities relating to data security have changed, so too have our annual budgets. Spending on wireless and mobile telephony has typically overtaken the desk-based telephone system, and its unpredictability can occasionally shock even the most seasoned Finance Directors.
When planning to create and implement a mobility strategy, your practice must include input from all stakeholders to ensure its success. The strategy should outline the individual priorities and needs of each department within the firm and align them with short and long-term goals. It should answer some key questions including the number and type of devices you are managing, how and why these devices are being used, and what services your devices are connecting to internally.
Only once you’ve answered these questions can you begin planning the next steps for the implementation of your mobility strategy. Despite the peculiarities of your firm and the demands of your workforce, the most successful strategies deliver three core benefits:
- Measurable ROI in months, not years. Whether managing the firm’s or employee-owned devices, a mobility strategy is a good opportunity to realise capital and operational expenditure savings. Employees who are encouraged to use their own mobile devices save you from purchasing often expensive alternatives. You can also transfer more of your data traffic onto Wi-Fi networks, cutting the cost of your monthly mobile data plans.
- More satisfied and productive employees. Employees who have the ability to connect to the firm’s network from anywhere can take advantage of dead-time, including the twice-daily commute and time between meetings, to complete work-related tasks. Research suggests a mobility strategy can increase employee productivity by as much as 23 percent.
- Simple and highly-secure access to client data and applications. Building a mobility strategy helps you control and manage mobile use so that employees use mobile devices more securely, for example, using pre-configured Wi-Fi networks. The monetary value of this approach cannot be overstated.
FIVE COMPONENTS OF A SUCCESSFUL MOBILITY STRATEGY
Whether part of your employee handbook or not, elements of bring-your-own-device (BYOD) initiatives are commonplace. Take your cloud email provider, for example: if you use Office 365 or Google for your business email, the chances are that some of your most eager employees have tried to access it from their personal devices. While unmanaged, a stolen device could represent one of the biggest threats your Law Firm may face. A good mobility strategy should consider managing the following components.
1. Mobile Device Management (MDM)
When considering flexible working, a mobile device management solution is a must-have. Your chosen solution should give you visibility and a level of control over all device types, whether they’re mobile phones, tablets or laptops. Managing devices with different operating systems may sound like a minefield, but the right solution will automatically configure devices according to your security policies, ensure that devices remain compliant before accessing your network, and allow you to locate, lock, wipe and act on threats immediately.
▪ Support Legacy Systems
Ensure your chosen solution provides support for legacy systems. While most solution vendors are proud to support the latest operating systems, many larger firms still rely on legacy systems for various reasons. To ensure consistency of your security policies, and to reduce the workload of managing and enforcing them, choose a single solution that lets you uniformly manage all assets accessing your network.
▪ Mixed Device Ownership
Users may own and use multiple mobile devices to access the firm’s data. Your solution should allow you to set up user- and group-based compliance rules that will help your bring-your-own-device strategy succeed. If your firm has a mixed device ownership model, you may want to create separate rules for your corporate devices and those owned by your users.
▪ Location Based Compliance
In addition to user-based rules, consider automatically enforcing policies based on the location of a device. For example, if you supply regulated services, you may be required to disable smartphone cameras or screenshot functions to prevent card details from being written down or stored. Use advanced rules to enforce restrictions by location, and allow full use of device features offsite to drive user adoption.
2. Application Management
In 2018, it was forecast that UK adults would spend an average of three hours a day using mobile devices – with the four most popular consumer applications being social networks. To prevent accidental data leaks to social networks, it would be wise to contain and manage your critical business applications within a secure and encrypted environment, such as a password-restricted folder. When your employees are onsite, consider using application management to apply a kiosk mode that displays only approved applications and nothing else – users will be less distracted by irrelevant notifications from their personal applications, and ultimately more productive.
▪ Secure Access for Applications
If you restrict the hours and the range of IP addresses from which your users can access corporate applications, such as Case/Practice Management Software, Digital Dictation and billing apps, it’s likely you currently use (and perhaps frequently deal with the headaches of) full Virtual Private Network (VPN) connections. With contained applications, your chosen solution should eliminate the need for complex and costly device-wide VPN connections, and automatically enable secure access to everything behind your firewall on a per-application basis.
▪ Secure Browser
Most Law Firms will require access to the internet via a browser, of which there are many to choose from for each platform. When selecting a preferred or default browser, it is important to consider the risks associated with each type of browser and balance these against the functionality the developer promises. For your managed devices, consider using a browser which can restrict access to websites that may contain malware or compromise device security, and even to categories of websites that are irrelevant to the job at hand, such as social networking or explicit sites. With a secure browsing solution, you will also be able to provide access to intranet websites without needing a device VPN connection.
▪ Secure Email
Stealing information from a law firm’s email account is a lot easier than you may think. For example, on Apple iPhones that have been jailbroken, an unauthorised user could gain full administrative access to the device with ease, and export emails and attachments in seconds. Ensure that you implement a solution that provides secure and fully encrypted access to your firm’s email, and that also offers the ability to control information and attachments within the application. The ideal setup will give you the ability to delete attachments remotely and prevent data from being moved outside of the application, with restrictions on copying and pasting and on screenshots.
▪ Productivity Tools
When your employees are on the go, equip them with a suite of productivity tools to help them get the job done in an encrypted workspace. The best solutions offer the same level of control we recommend for preventing data leaks from your email application, and also provide direct access into your content repositories (such as Box and Google Apps) to create, edit and save documents, spreadsheets, presentations and PDFs.
3. Expense Management
As our personal habits and business practices have changed, mobile data usage has quickly become a bugbear for all law firms, delivering unpredictable monthly invoices. With the rise of streaming video and music services, data usage on unmanaged devices can quickly grow out of control, leaving your practice stuck with the bill. To achieve more predictable monthly invoices, your chosen solution should be able to set limits and alerts on individual data usage at home and overseas, and also integrate with your telecommunications supplier. Along with these alerts, you can define automatic actions to be taken should the need arise.
4. Anti-Virus and Anti-Malware Protection
Analysts at Gartner have predicted that by the end of 2019, one-third of reported malware will come from mobile devices. For flexible workers using mobile devices that access your network, the biggest risks come from malicious software and content-based attacks (such as viruses hidden within Excel spreadsheets). At a minimum, the most effective way to mitigate these risks is to ensure all applications are regularly updated, and that an anti-malware product is installed on devices where necessary. However, we highly recommend that you choose a solution that follows the GCHQ’s twelve principles for securing devices, and most importantly will:
- Detect devices that have been jailbroken or rooted
- Alert users when malware is detected
- Uninstall infected applications or wipe devices
- Block ransomware apps that take control of devices
5. Patch and Update Management
Device manufacturers and software developers regularly release updates for their products, which include new features as well as important fixes for security vulnerabilities. Installing these updates (patching) is not only one of the most important aspects of keeping your organisation protected, but is also a key requirement of the Government’s Cyber Essentials scheme. A good Mobile Device Management (MDM) solution should be able to audit all of your devices and report which operating systems or applications need updating, deliver notifications and force users to comply within set time limits, and automatically update applications within your corporate directory or container.
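As an added illustration (not code from this guide or from any MDM vendor) of how the compliance rules described in components 1, 4 and 5 can be expressed and evaluated over a device inventory: ownership-based actions, a location-based camera restriction, jailbreak/root detection and a patch time limit. The device fields, policy thresholds, action names and sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    platform: str             # "ios" or "android" (constructed values)
    ownership: str            # "corporate" or "byod"
    location: str             # "onsite" or "offsite"
    os_version: tuple         # installed OS version, e.g. (16, 4)
    days_update_pending: int  # days since a required update became available
    jailbroken: bool          # as reported by the MDM agent's jailbreak/root check
    camera_enabled: bool

# Hypothetical policy values; a real firm agrees these with its compliance officer.
MIN_OS = {"ios": (16, 0), "android": (13, 0)}
PATCH_GRACE_DAYS = {"corporate": 7, "byod": 14}

def evaluate(dev: Device) -> dict:
    """Apply the rules to one device and return findings plus automatic actions."""
    findings, actions = [], []
    if dev.jailbroken:
        findings.append("jailbroken_or_rooted")
        actions.append("block_access")
        # corporate devices are wiped outright; BYOD only loses the work container
        actions.append("wipe_device" if dev.ownership == "corporate" else "wipe_container")
    if dev.os_version < MIN_OS[dev.platform]:
        findings.append("os_below_minimum")
        actions.append("notify_user")
        if dev.days_update_pending > PATCH_GRACE_DAYS[dev.ownership]:
            actions.append("block_access")  # time limit exhausted
    if dev.location == "onsite" and dev.camera_enabled:
        findings.append("camera_enabled_onsite")
        actions.append("disable_camera")    # location-based restriction; allowed offsite
    actions = list(dict.fromkeys(actions))  # drop duplicates, keep order
    return {"device": dev.name, "compliant": not findings,
            "findings": findings, "actions": actions}

def audit(devices):
    """Evaluate a whole inventory and return only the non-compliant results."""
    return [r for r in (evaluate(d) for d in devices) if not r["compliant"]]

# Constructed sample inventory
INVENTORY = [
    Device("fee-earner-iphone", "ios", "corporate", "offsite", (16, 4), 0, False, True),
    Device("partner-android", "android", "byod", "onsite", (12, 0), 20, False, True),
    Device("reception-ipad", "ios", "corporate", "onsite", (16, 1), 0, True, False),
]

if __name__ == "__main__":
    for result in audit(INVENTORY):
        print(result)
```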
SECURITY POLICIES AND REGULATORY COMPLIANCE
In addition to the requirements of your own commercial agreements, there are many regulatory frameworks across the United Kingdom which mandate or influence operational policies and processes. Depending on the size and scale of your law firm, you may already have appointed employees responsible for certain obligations, such as a Data Protection Officer under GDPR (usually the COLP). When planning a flexible working strategy, it is critically important to engage with and collect feedback from key stakeholders (notably compliance officers) across the firm, to ensure your mobility strategy adheres to all requirements.