Most of us have become so accustomed to the mobile workspace that we forget that there was a time when connectivity was not a given.
When you had to leave the office, everyone had to be informed and all decisions would have to wait until you return to be attended to, along with all the telephone messages that you received while you were away, says Mark McCallum, director and head of Global Services Africa, Orange Business Services.
Fortunately, we now live in an era where we can be productive in any location, but the new mobile workspace does have certain security risks attached to it. Proactive companies know that plugging this potential security breach is vital.
Your IT department would love nothing better if all employees are at their desk, using nothing but their laptops, connected only to the company network, in only one building, at all times. But we live in the real world.
Secure data storage provider IronKey performed a study in 2012 that found that in developed countries, around three quarters of IT decision makers feel that data is safe from loss or theft when it is accessed at the office. This confidence dropped to just over half of when company data is accessed at home and just under half if it is accessed on the road. Already, more than 25% of people work remotely and this number is set to climb.
It is clear that companies are not waiting for the worst to happen before taking action and 59% of US companies have policies in place that only allow employees to use devices that are approved by them. In 38% cases, companies exact even stricter control by only allowing employees to use devices provided by the company. Although Africa is slightly behind this trend, hackers and intellectual property thieves are not limited by borders and companies in developing markets need to have policies in place even in instances where only the top executives have remote mobile access to the network.
IT departments therefore have their hands full trying to maintain the benefit of the flexibility offered by mobile access, without sacrificing security.
The first line of defence is to ring fence the network and introduce strong firewalls for any mobile device trying to gain access. All mobile devices should be seen as possible impostors that can only be trusted after performing a strong authentication. This authentication would not be saved, but required every time an employee accesses the company server, and even when going away to another mobile window and returning to the company one. This secures company information even when the device is stolen. This would apply to any programme that accesses company data, documents emails, and contact and supplier lists.
One aspect of mobile security that cannot be stressed enough is the creation of a strong policy document with the IT manager. It should clearly define what access or level of clearance each role in the company is given. It may even be split up, for instance some employees may be given access to sensitive information at the office, but not when they are on the road.
To enable companies to achieve these capabilities, Orange has established an extensive footprint on the African continent that provides significant flexibility in terms of security. Customers benefit from 15 gateways located at Tier-1 peering points in Europe, Asia Pacific, The Americas and Africa. Orange delivers Internet traffic to the nearest gateway and applies geo-localisation so that users experience the Internet as if they were accessing it locally. These gateways provide firewall and optional application firewall capabilities.
Security policy is distributed across the 15 gateways, applied everywhere, with the ability to fine tune these security policies per site. It also enables hybrid networking and enforces one central policy, which operates independent of the device or user location.
On the operational side, companies may in future even create a function where information is written and stored in two ways, one sensitive and one non-sensitive, to allow different levels of access to the same information.
Another new technology used to secure data is known as virtual desktop technology. This creates and destroys desktop sessions every time a user connects from a mobile device, leaving no residual data on the device.
Depending on its device policy, companies may want to encourage employees to acquire certain devices that are better suited to performing their tasks, or providing employees with them. The IT department may even decide to use different security clearances to different devices, depending on their security capabilities.
As with all security policies, mobile data security will only work if there is buy-in from employees. It is therefore very important to have a meeting with all involved and explain why the company needs to take steps to protect its information. Employees also need to know about policies such as remote wiping of a phone’s memory if it gets lost, which means the company data will disappear along with their baby photos.
The understanding and consent of employees will go a long way towards ensuring that the company is able to keep its most important intellectual capital close to its chest.