Mobile work: On the go, securely
Home Office, Remote Work, mobile working and much more are terms that reflect the so-called world of work 4.0. All of these models are based on the desire of many, especially young, employees to have more flexibility in organizing their daily working hours. In our article we show which data protection and technical hurdles need to be taken into account and how you can overcome them.
A question of definition: What is meant by mobile work, home office and the like?
Although this question seems trivial at first, it is important for the company to take a close look at what the new working models mean for the company and its employees; after all, the legal framework is based on this. For example, does “home office” really just mean working from your desk at home? Or can the employee also go to a café to work? How flexible is the home office designed: Is it possible to be reached during regular office hours? Are there only core times? Or are working hours completely flexible?
When it comes to mobile work, things become even more complex: here, too, some employers determine that this essentially only means the option to work from home. Others allow working from anywhere, but only within Germany or the EU, some companies only allow moving between headquarters and others also allow working in non-European countries. Depending on which model is chosen, different legal frameworks and data protection regulations must be adhered to.
Mobile work: Challenges for cyber security
Companies that allow their employees to work from anywhere must take particularly strict data protection measures so as not to provide attackers with a gateway for cybersecurity attacks. Therefore, the following points should be carefully considered:
1. Secure the connection to the company network
Basically, any Internet connection that has not been configured by the company itself should be viewed as unsafe. This includes the network at the employee’s home as well as networks in coworking spaces, cafés, hotels, etc. However, in order to have access to company resources, employees must use WiFi or mobile data.
In order to secure the connection to the company network, you should always have one VPN can be used, which encrypts the data transmission. In addition, work devices should be equipped with a firewall and a secure browser that does not track any data. If employees work a lot with the tablet, a pis-App-VPN to. This ensures that all end devices use the Internet securely in accordance with the EMM.
2. Authentication and encryption
If employees want to work remotely, the business devices used must first be documented. The use of private devices to access company data is fundamentally prohibited, as security cannot be guaranteed and important protective measures such as the installation of a MDM (Mobile Device Management), may not be carried out without the consent of the employee.
The safest way is to issue certificates for the laptops in use, without which they cannot enter the network. The company must also establish a password policy that requires complex passwords to access company resources and regularly asks users to change this password. In the event that one of the passwords is spied out, unauthorized access is prevented by regular changes at not too short intervals. Payment transactions, billing, logins and more should always be provided with two-factor authentication.
3. Preventing Attacks
Every work laptop should be equipped with an up-to-date antivirus program that reliably detects threats. These are often already included and are regularly renewed by the operating system provider. Mobile service devices must also be equipped with an MDM, which limits functionality to a certain extent and, for example, blocks certain websites and apps that can compromise the security of the data. A spam filter in the email program also prevents phishing emails from reaching the employee’s inbox.
It is particularly important, especially for employees who work on the move a lot and also use laptops in public places, to train them in cyber security awareness. This includes, for example, the correct handling of passwords, information on dangers such as Social Engineering and how they recognize this threat. This is not only important for older employees, because it is a fallacy to believe that the so-called “digital natives” are automatically aware of all threats to cyber security. In some cases, the opposite behavior can be observed here, namely that a lot of data is voluntarily released, e.g. for newsletters, registrations for online seminars, product tests, etc. Although not everything comes from a reputable source. Before the young generation is released into the mobile working world, specific training must also take place here.
The protection of personal data when working mobile
The technical security of service devices provides the important basis for the comprehensive protection of the personal data of customers and employees, as well as internal company data. In principle, this data should never be stored on the device itself – automatic uploading to a secure cloud is preferred. Depending on the requirements, companies may even have to host their applications themselves, e.g. in the healthcare sector.
If this is not the case, a server within the EU is always preferable, as it can be assumed that it must be GDPR compliant. In any case, only the data that is absolutely necessary should be collected from each person. Access to this data must also be regulated by assigning access rights. After all, not every employee needs access to customer data and not everyone needs access to the company’s billing system.
Working mobile can be safe – with the right preparation!
As you can see, some preparation is required when companies allow their employees to work remotely. Ultimately, this additional effort is still worth it, because not only does the company position itself as an attractive employer, but the security beyond the standard also prevents attacks that can occur when employees are sitting in the office.
We generally recommend introducing an MDM or EMM in your company as a fundamental basis for workplace safety. With this you can keep an eye on all of the company’s devices and even provide remote support in the event of a problem – no matter where your employees are!
