Today's talent is no longer bound by the cubicle. For many, home offices and Wi-Fi-enabled coffee shops are the new workplaces. One study shows that 41% of employees in North America alone work outside the office at least some of the time.

For 73% of modern workers, the idea of being able to work from anywhere in the world is considered a major plus. While the concept of a mobile workplace can offer work-life benefits to employees, it can also present unique information security challenges that weren't present in the closed offices of yesterday.


Are Mobile Workers at Increased Risk of Security Attack?

Users are less likely to perform secure behaviors on mobile devices, regardless of where these devices are being used. Critical activities such as deleting suspicious or spam emails, securely managing sensitive files, and using a VPN when connecting to public Wi-Fi tend to be performed less on mobile devices than on computers.

Organizations should consider both regulatory requirements for PCI-DSS compliance and risk mitigation when shaping a security policy for a flexible workforce. Join us as we review the most important components of reducing security risks in a mobile workplace.


1. Restrict Physical Access

Physical theft of a company-issued laptop, smartphone, or tablet can present a nightmare of risks. While passwords can keep most casual thieves from gaining access to a device's content, seasoned cybercriminals can often crack basic device passcodes and uncover encrypted data stored on the device.

  • Change Vendor-Supplied Default Passwords (PCI 2.1)
  • Configure Devices to Address Known Vulnerabilities (PCI 2.2)

In many cases, Mobile Device Management (MDM) and monitoring solutions are crucial to mitigate data loss if a device is stolen by someone who may have the ability to crack secure passwords and encryption. Your security policy should dictate that theft must be reported promptly so that IT administrators can immediately and remotely restore the device to its default settings.


2. Monitor for Malicious Files

Every device used to support a flexible workplace can present a potential point of entry for hackers. If a mobile worker uses a company-issued laptop, PC, mobile phone, and tablet, they could have four possible points of vulnerability. Continually monitoring for malware, malicious code, and other device attacks through critical file monitoring is crucial to ensure that every remote device is protected.

To remotely detect the presence of malicious files, organizations should consider:

  • Agent-Based File Integrity Monitoring Software (PCI 11.5.2)
  • Automated Audit Trails (PCI 10.2)
  • Implementing Remote Security (PCI 8.1)

Malware can land on an employee's remote device at any time, which is why continuous monitoring of critical files allows organizations to ensure their data and devices are protected in real time. A file integrity monitoring tool that can completely reverse negative changes to critical files offers additional protection beyond PCI regulatory requirements.
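As an added illustration of what agent-based file integrity monitoring and an automated audit trail do at the smallest scale, the following Python script baselines a directory, detects added, modified and removed files, and emits one JSON audit line per check. This is example code written for this article's topic, not CimTrak or any Cimcor code; the directory contents, host name and log line format are constructed assumptions.

```python
"""
Minimal file-integrity baseline and check, written as an illustration of the
agent-based file integrity monitoring (PCI 11.5.2) and automated audit trail
(PCI 10.2) discussed above. Example code only, not a product; the sample
directory, file names, host name and audit-log format are all constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the SHA-256 of every regular file under root, keyed by its
    POSIX-style relative path so the baseline is portable across hosts."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current state of root against a stored baseline.

    Returns 'added', 'modified' and 'removed' lists so a caller can alert on
    each class of change separately (a dropped file and a deleted agent binary
    deserve different responses).
    """
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            f for f in set(current) & set(baseline) if current[f] != baseline[f]
        ),
    }


def audit_record(host: str, findings: dict) -> str:
    """One JSON line per check, the kind of record a central log collector
    would ingest as an audit trail. The field names are constructed for this
    example, not a real product's schema."""
    return json.dumps(
        {
            "ts": datetime.now(timezone.utc).isoformat(),
            "host": host,
            "event": "fim_check",
            "changes": sum(len(v) for v in findings.values()),
            **findings,
        },
        sort_keys=True,
    )


def demo() -> dict:
    """Run the whole flow on a constructed directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF-placeholder")

        baseline = build_baseline(root)

        # Simulate the changes a monitor must catch: a config edit, a newly
        # dropped file, and a deleted binary (all constructed sample data).
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "etc" / "dropper.sh").write_text("echo constructed sample\n")
        (root / "bin" / "agent").unlink()

        findings = check_integrity(root, baseline)
        print(audit_record("laptop-01.example", findings))
        return findings


if __name__ == "__main__":
    demo()
```

A real agent would persist the baseline somewhere the monitored host cannot silently rewrite it, run the check on a schedule or on file-system events rather than once, and, to reverse a change as the text describes, keep an authoritative copy of each critical file to restore from; this example deliberately stops at detection and logging.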


3. Opt for Company-Issued Equipment

While "Bring Your Own Device" (BYOD) is a popular option for bootstrapped startups and other flexible organizations, using company-issued equipment as a standard rule can significantly ease the process of reducing risks.

According to Forbes, employees equipped with a dedicated work device experience a 64% increase in work-life balance and a 63% rise in task efficiency. The company-issued hardware approach not only enhances efficiency but also fortifies your company's cybersecurity measures. Opting for company-issued equipment instead of BYOD can allow you to:

  • Control Updates (PCI 6.2)
  • Update Security Patches (PCI 6.1)
  • Control Data Back-Up (PCI 12.10)
  • Create and Enforce Acceptable Use Policies (PCI 12.2)


4. Facilitate Secure Applications

Cloud-based applications are a crucial productivity tool for the mobile workforce. Cloud-based enterprise resource planning (ERP) software, customer relationship management (CRM) tools, and other applications allow employees to securely access data from home or any other location worldwide. While the cloud can enable productivity, it can also introduce certain vulnerabilities.

Application security is crucial to providing remote workers with secure access to data. IT should:

  • Install Application Security Patches (PCI 6.4)
  • Be Vigilant About Security Vulnerabilities (PCI 6.3)
  • Develop and Monitor Web-Based Applications for Security (PCI 6.3, 6.4, 6.5, 6.6)
  • Utilize Data Access Controls (PCI 7.1)


5. Be Aware of Insider Threats

Verizon's 2024 Data Breach Investigations Report found that violation of security policies and misuse of resources are the behaviors most commonly displayed by employees who cause a security breach, with 76% of breaches involving the human element (8% of which involve malicious privilege misuse). Providing comprehensive training to employees is critical, especially if they will be working from home on a regular or recurring basis. Potential ways to mitigate insider risks in a flexible workforce include:

  • Creating an Acceptable Use Policy (PCI 12.2)
  • Educating and Screening Employees (PCI 12.6, 12.7)
  • Providing Education on Unauthorized Device Access in a Mobile Workplace (PCI 12.2)

Employees should be aware that their use of company-issued devices is monitored, even when working remotely. IT should provide clear education on acceptable use in any environment, including the importance of not letting friends or family members use a company-issued mobile device regardless of an employee's degree of access to sensitive information.

While a mobile workforce may represent the future, it can introduce particular risks and concerns for regulatory compliance and security policy. With the appropriate attention to relevant PCI requirements, training, and technology, organizations can ensure that a flexible workforce is prepared to protect sensitive data.

For more information on how CimTrak can help with security and PCI compliance, download the PCI DSS v4.0 Solution Brief today.


Post by Lauren Yacono
September 17, 2024
Lauren is a Chicagoland-based marketing specialist at Cimcor. Holding a B.S. in Business Administration with a concentration in marketing from Indiana University, Lauren is passionate about safeguarding digital landscapes and crafting compelling strategies to elevate cybersecurity awareness.

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real time.