CIOs, CTOs, risk and cybersecurity experts will often state that the three most important components of a physical security plan for your business are access control, surveillance, and security testing. To this we feel the need to add a multi-function, agile governance framework and continual employee training and risk awareness, specifically in the context of business device security, and in particular portable devices such as laptops, phones, tablets and other handheld consoles, which are increasingly used in many locations and for many purposes as remote and hybrid working practices are adopted.
How do you keep your portable business devices as secure as possible in 2022, in a hybrid working environment?
Together with our panel of IT and security experts, we have created the essential business device security 2022 checklist for remote or hybrid working environments, looking across:
Zero Trust information architecture requirements;
The role of elements such as multi-factor authentication protocols;
Phishing and cyber fraud prevention;
How the adoption of a BYOD policy can balance benefits and security risks;
The importance of employee awareness and training programmes on business security;
Additional security solutions that work with the growing culture of digital nomads and remote or hybrid working, essentially "working from anywhere, at any time and on any device", from VPNs to tagging and repatriation solutions for business devices.
Evolving Information Architecture requirements to keep your business devices and data safe
Welcome to the Zero Trust Movement. The Zero Trust Movement has been born from the digital transformation:
On the one hand, the adoption of rapidly changing new technologies has made it possible for business data to travel outside the business's digital walls;
On the other, the demand for more open and collaborative technologies has made it easier for outside staff, devices and platforms to permeate inside the business's digital walls.
Quoting an extract from the excellent recent report on Zero Trust compiled by Gartner, "the modern enterprise network infrastructure has no single, well recognised and clear security perimeter anymore". Hence the approach to system architecture needed to evolve accordingly, using a new set of building rules that assume no person, device or network should be trusted at any time. But how do you explain it to your teams and implement the vision of Zero Trust effectively?
We asked Founder and Portfolio CIO of Hypatia Smart Technologies Danette Copestake to share some of her wisdom with us:
"One percent doubt is zero percent trust," Danette explains.
"Zero Trust is a security philosophy and set of principles that fundamentally breaks down silos and brings together IT, security and business application owners to work together using a common vocabulary and policy model.
It is based on the principle of verified trust. In order to trust, you must first verify. A Zero Trust security model reduces risk across all environments by establishing strong identity verification, validating device compliance prior to granting access, and ensuring least privilege access to only explicitly authorised devices."
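The three checks Danette lists (strong identity verification, device compliance validated before access, least privilege to explicitly authorised resources) can be written down as a single policy decision. The following is an added illustration, not code from this post or from Hypatia Smart Technologies; the roles, resources and posture fields are constructed for the example, and the decision defaults to deny unless every check passes.

```python
"""Zero Trust access decision: verify identity, validate device posture,
then allow only resources a role explicitly grants. Added example;
all policy names below are constructed, not taken from any product."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Identity:
    user: str
    password_ok: bool          # first factor verified by the IdP
    mfa_ok: bool               # second factor verified
    roles: set = field(default_factory=set)


@dataclass
class DevicePosture:
    device_id: str
    managed: bool              # enrolled in MDM
    disk_encrypted: bool
    os_patched: bool
    last_checkin: datetime     # when the device last reported its posture


# Least privilege: each role lists the only resources it may reach.
# Constructed sample policy for the example.
ROLE_ACCESS = {
    "finance": {"ledger", "payroll"},
    "engineer": {"source-repo", "ci"},
    "staff": {"intranet"},
}

# Posture older than this is treated as unknown, i.e. untrusted.
MAX_CHECKIN_AGE = timedelta(hours=24)


def evaluate(identity, device, resource, now=None):
    """Return (allowed, reasons). Every check is explicit and the default is deny."""
    now = now or datetime.now(timezone.utc)
    reasons = []

    # 1. Identity: both factors must be verified before anything else.
    if not identity.password_ok:
        reasons.append("password not verified")
    if not identity.mfa_ok:
        reasons.append("second factor not verified")

    # 2. Device compliance is validated prior to granting access.
    if not device.managed:
        reasons.append("device not enrolled in MDM")
    if not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if not device.os_patched:
        reasons.append("OS patches missing")
    if now - device.last_checkin > MAX_CHECKIN_AGE:
        reasons.append("device posture stale")

    # 3. Least privilege: the resource must be granted by one of the user's roles.
    allowed = set().union(*(ROLE_ACCESS.get(r, set()) for r in identity.roles))
    if resource not in allowed:
        reasons.append(f"no role grants '{resource}'")

    return (not reasons, reasons)


if __name__ == "__main__":
    now = datetime(2022, 6, 1, 12, tzinfo=timezone.utc)
    laptop = DevicePosture("lap-1", True, True, True, now - timedelta(hours=1))
    alice = Identity("alice", True, True, {"finance"})
    print(evaluate(alice, laptop, "ledger", now))        # (True, [])
    print(evaluate(alice, laptop, "source-repo", now))   # denied: no role grants it
```

Returning the full list of failed checks, rather than stopping at the first one, is what lets the service desk tell a user exactly why a device was blocked, and lets security operations see whether most denials come from stale posture, missing MFA or over-broad resource requests.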
Forming a culture of good security habits around office and portable devices, to highlight the need for continual awareness of security and potential scams, is important (we discuss this point in more detail a little further down).
But training and awareness measures can't cover every eventuality. It's important for businesses to put in place a broad spectrum of complementary solutions to cover as many angles as possible. Enabling multi-factor authentication on all devices is one of the key parts of the security spectrum to consider.
Larry Leung, Microsoft Power Platform Developer at LCBO, told us more about the adoption of multi-factor authentication and other essential measures when it comes to business device physical security: "While turning on or applying multi-factor authentication doesn't solve the entire problem, it helps greatly". Larry adds that adoption is growing: "I've seen it turned on or made available in a lot more places."
Even so, it's not about implementing one solution but looking at a range of relevant ones. Larry concurred with the multi-pronged approach, explaining that some more traditional solutions are still very relevant to layer within the estate of business security measures: "After that, it's probably the age-old password. Strong passwords are great but strong passwords are hard to remember and many organizations have policies to change passwords every 90 days or so." How do you deal with this aspect without unnecessarily burdening your IT service desk? Consider implementing a password management vault. Password managers are a great tool to supply as part of your employees' self-serve security toolset.
BYOD business policy - How to balance benefits and security risks?
As rightly stated by Cyber Security website Comparitech: "Despite concerns about Bring Your Own Device (BYOD) security risks, employees over the past years have enjoyed the multiple benefits of BYOD. So too have employers, who are unlikely ever to stop staff from bringing their own devices to work or using them remotely for work purposes. The challenge remains to identify security risks associated with BYOD and find the most appropriate solutions to mitigate these risks."
Risks are spread across data leaks, exposure, cross contamination, malicious apps and insider attacks.
Read more in this insightful article by Comparitech writer Penny Hoelschler.
NOTE: Comparitech is a pro-consumer website providing information, tools, reviews and comparisons to help our readers in the US, UK and the rest of the world improve their cyber security and privacy online, since 2015. Comparitech editors cover a wide range of cyber security topics. Comparitech extensively test and review products including VPNs, password managers, ID theft protection, antivirus, network monitoring tools, firewalls and more.
Millions of people have visited Comparitech.com and trust us to help them make more savvy decisions when purchasing cyber security products.
Phishing prevention and the role of cybersecurity in monitoring and testing the robustness of data, platform and device security
From our expert panel, Tom King, Head of Cyber Security at Coventry Building Society explains that:
"Many cyber frauds and other attacks, such as ransomware, start with phishing. Phishing has been with us for years and it’s a threat which is unlikely to disappear any time soon. But the good news is that having multiple layers of defense can protect your business. For phishing, it’s critical to focus on both people and technology.
It’s vital to educate your teams on how they can identify phishing attacks and what they should do. Using examples of real phishing messages which have targeted your business can grab attention in your awareness campaigns. Benign phishing exercises can help keep awareness at a high level."
Tom also adds:
"But this is not enough. People-focused messaging needs to be backed up by technology defenses and there are many solutions which can help. The following list is just a start point of areas to cover – a modern antivirus / EDR solution, well-configured email filtering and anti-spoofing, configuring Microsoft Office to help defend against malicious macros and implementing two factor authentication. The National Cyber Security Centre has further useful pointers on how to build your business security technology."
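Tom's point that people-focused messaging needs technology behind it can be illustrated with the kind of check a mail filter performs on every inbound message: did the sender domain pass SPF, DKIM and DMARC, and does the message show the usual impersonation signs? The following is an added example, not code from this post, from Coventry Building Society or from any mail filtering product. The two messages are constructed, the protected domain `example.com` is an assumption, and real filters combine far more signals than this.

```python
"""Phishing triage over inbound mail headers and body. Added example with
constructed messages; `OUR_DOMAIN` and the urgency word list are assumptions."""
import email
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"        # assumed: the business's own mail domain
URGENCY = re.compile(r"urgent|immediately|suspended|verify your account", re.I)


def domain_of(addr: str) -> str:
    """Mailbox domain from a header value like '"Name" <user@host>' ('' if none)."""
    _, mailbox = parseaddr(addr)
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers
    stamped by the receiving MX. Other key=value pairs are ignored."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def assess(raw: str) -> list:
    """Return a list of findings; an empty list means no phishing indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Anti-spoofing: every authentication check should pass, not merely exist.
    verdicts = auth_results(msg)
    for check in ("spf", "dkim", "dmarc"):
        if verdicts.get(check) != "pass":
            findings.append(f"{check} result is '{verdicts.get(check, 'missing')}'")

    # 2. Reply-To pointing at a different domain than From is a classic redirect.
    from_domain = domain_of(str(msg.get("From", "")))
    reply_domain = domain_of(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From '{from_domain}'")

    # 3. Display name claims our brand but the mailbox is outside our domain.
    display_name, _ = parseaddr(str(msg.get("From", "")))
    brand = OUR_DOMAIN.split(".")[0]
    if brand in display_name.lower() and from_domain != OUR_DOMAIN:
        findings.append("display name impersonates our brand from an external domain")

    # 4. Urgency language in the body, the social-engineering half of phishing.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENCY.search(text):
        findings.append("urgency language in body")

    return findings


# Constructed sample: a lookalike domain, mismatched Reply-To, failed checks.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-secure.com; dkim=none; dmarc=fail header.from=examp1e-secure.com
From: "Example IT Support" <helpdesk@examp1e-secure.com>
Reply-To: <recover@mail-reset.net>
To: alice@example.com
Subject: Action required: your laptop will be suspended

Your device is out of compliance. Verify your account immediately at the link below.
"""

# Constructed sample: an ordinary internal notice that passes every check.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Example IT Support" <helpdesk@example.com>
To: alice@example.com
Subject: Monthly patch window

The monthly patch window is Thursday evening. No action is needed.
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_PHISH):
        print("-", finding)
    print("legit findings:", assess(SAMPLE_LEGIT))   # []
```

The findings from a triage like this are also exactly the material Tom recommends for awareness campaigns: a real message that targeted the business, annotated with the lookalike domain and the mismatched Reply-To, is far more memorable than a generic slide.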
Employee training and continual awareness programmes around business device security
Building a robust accountability framework in your business is key to ensuring a comprehensive approach to device and data security. Businesses can get in-depth guidance and support from the ICO on this matter.
What is the ICO Accountability Framework exactly?
Put simply, the ICO Accountability Framework is a way for businesses to assess their organisation's overall degree of accountability (and to guide the development of a best practice framework) in ways that are relevant to their business.
It's a comprehensive framework that covers aspects such as evaluating training programmes, whether at inception or as refreshers; how a business ensures its own trainers have received adequate training in the first place to train employees effectively and impactfully; and how it can measure how well the measures in place are working.
Why are accountability training programs important?
"This makes sure that all employees receive appropriate training about your privacy programme, including what its goals are, what it requires people to do and what responsibilities they have." *
You can find more details on the ICO Accountability Framework here.
* source - ICO website
VPN and encryption to protect business devices outside the office's physical walls
A VPN enables encrypted data to travel securely over a shared or public network to its recipient, in a way that is unreadable without the specific decryption key.
From the user's perspective, it creates a connection between the user's computer and a corporate server, regardless of the public network it travels through.
Like every great technology innovation, VPNs bring some risks and a need for security features to be put in place by a business: strong authentication and a kill switch. If a computer loses the VPN connection, either the Internet connection is shut down or the apps that are using the connection are shut down. This prevents the device's real Internet address and its traffic from being exposed outside the tunnel.
More recently, however, some network providers have begun implementing Zero Trust Architecture principles, as discussed earlier in this post. As we continue to see remote and hybrid working practices, and expect that they are here to stay, Zero Trust might become the primary security approach.
Business devices tagging and tracking solutions (and the challenge of protecting data privacy)
Solutions like Apple AirTags could be a powerful way to keep live tracking of all business devices with a remote workforce working from anywhere at times: home, co-working spaces, airport lounges, High Street cafés... As always, however, technology benefits bring with them new and more complex issues, this time around how to ethically combine tracking for a good purpose with ensuring individuals' privacy is not invaded or perceived as stalking. Generally speaking, the good far outweighs the potential risks of (unavoidable) misuse, hence once again the importance of implementing a strong framework around continual risk awareness, assessment and mitigation, as discussed above in this article.
Kelli Nguyen, Editor at LinkedIn News, recently raised awareness of how this is a tangible challenge, and how Apple plan to improve their service in this respect in the future.
Remote wiping solutions
Remote wiping solutions are software that gives an administrator the ability to remotely delete and destroy data on a device or system. They are often implemented in line with mobile device management (MDM) or as part of the offering of risk management systems, and can cost around £10 per device per year.
Lost and found reporting and repatriation solutions for portable business devices
Cost-effective and simple-to-use self-serve solutions that lower the risk associated with lost devices are also worth evaluating as part of your business security plan. Of course, remotely wiping the data and writing off the device can be an option, but it might not be a cost-effective or realistic solution for every business, especially start-ups and SMEs, which account for 99.9% of the business population (5.6 million businesses)*.
Device Register from Found is an innovative, app-based solution that adds a protective layer to your physical portable devices. The principle is really simple: each employee gets an individual account loaded with their own inventory of business devices, which are marked with hard-wearing QR codes bespoke to your company. If a device is lost, anyone with a smartphone can scan the QR code, report it as found and alert both Found and the business of the location, date and time. Employees or central teams then use the app to arrange a courier pick-up (a service integrated into the app) and safely repatriate the device to a pre-agreed address. Voilà!
Meet our panel of business, device and data security experts
Danette Copestake - Danette is Founder and Portfolio CIO of Hypatia Smart Technologies. She is passionate about collaborating with ambitious businesses to provide strategic advice and guidance and to ensure that they are underpinned by robust and secure IT infrastructure. Danette enables business growth by encouraging a culture of innovation, service and trust.
Larry Leung - Larry is a Microsoft Power Platform Developer and IT Procurement Aficionado at LCBO, with over 13 years of procurement experience in a number of IT and Professional Services roles across multiple public and private sector positions, involving the acquisition of hardware, software licensing, consulting and outsourcing services.
Tom King - Tom is an innovative security leader, CISSP, SANS and CEH certified, with over 20 years IT security experience. Tom is currently Head of Cyber Security at Coventry Building Society.
Evaluating the right security strategy for your business and devices
Tackling business device security is a complex, multi-layered area for any given business, and one that requires a truly multi-function, aligned strategy to be successful and to remain up to date and agile. A huge part of that success is having a culture of shared accountability, and one that encourages employee empowerment, helped by equipping the business and all employees with simple, easy-to-use self-serve solutions like Device Register to monitor, report and get their devices back, keeping business data as safe as possible and work disruptions to a minimum.
Over to you:
How many does your business tick off currently? What aspects have we missed out in your opinion?
Join the conversation by leaving a comment below or follow Found on LinkedIn to keep up to date with our future conversations on this topic.