Remote employee and work from anywhere (WFA) policies have been steadily building in the workforce for some time, but COVID-19 forced many teams to work from home with little warning, expediting the process in 2020. In the first blog of our Cybersecurity Awareness Month series, Enforcing Standard Cybersecurity Measures for Remote Work, we covered six baseline security measures for remote and WFA teams. As professional and personal activities intermix on mobile devices, IT professionals and business owners must review the new work environment as a new set of potential vulnerabilities.
For week two of National Cybersecurity Awareness Month, REDW Cybersecurity Senior Manager Jennifer Moreno covers six core security steps for mobile devices, and the essential elements of a cybersecurity awareness education program to keep yourself and your WFA team in check:
1.   Set Up a Mobile Device Gatekeeper
Protect access to a mobile device with a PIN, password, and/or biometrics, if any kind of business data is accessed—even email and texts. If possible, utilize multi-factor authentication and encryption on employee devices. Consider what could happen if a device falls into the wrong hands and there’s no gatekeeper.
2.   Refine Your Standards for Downloading Apps
Make sure employees know how to identify risky mobile apps before installing them on a tablet or smartphone. Here are a few basic things to look out for:
- Use an official app store provided by either the device manufacturer or employer. Official stores offer higher standards for privacy and security compared to smaller or independent app stores. Keep in mind malicious apps can still appear in an official store before being identified.
- Avoid apps that have not earned a high number of positive user comments and a 4- to 5-star rating. Cyber hackers have been known to publish dangerous or fraudulent applications to gain access to and potentially take control of your mobile device. You’ll often find helpful information reading legitimate user comments; doing a few minutes’ research before downloading can save a lot of distress later.
- Research the app’s privacy and data sharing settings before downloading. Many users may have downloaded or naively accepted user agreements to popular apps (such as TikTok) and so have granted questionable platform access to their keystrokes, location, contacts, images and other private, sensitive data.
- Check when the app was last updated. Technology security is constantly changing, so recent updates will indicate the developer is actively working to maintain the app’s performance and fix any known issues.
3.   Reject Connecting to Unprotected Wi-Fi
Make it part of your IT policy to reject connecting mobile devices to “Free Public Wi-Fi” networks. Employees should be wary of networks offered at stores, restaurants, or cafes. While employees sip their morning brew at the local coffee shop, a hacker who knows the spot attracts an unsuspecting and device-savvy crowd can help themselves to your sensitive business data.
4.   Keep Up with Mobile Device Software Updates
Regularly install security and software updates on mobile devices to patch identified security risks. Often, these updates include bug fixes or patches for issues that trusted device developers have found in their own security and performance. Keeping up with these fixes gives employees their best chance at staying protected when cyber criminals discover weaknesses in popular device software.
5.   Consider a Device Remote Wipe Option
Consider the capability to remotely wipe a mobile device to its factory settings in case of loss or theft. Organizations that authorize a corporate email connection to a company-owned or personal device should especially consider utilizing this capability and clearly warning team members that it is necessary and may be applied.
6.   Back Up Your Essential Data
Employees must always, always have a backup of their data for easy recovery if a device becomes compromised, lost or stolen. It is also good practice to have backup redundancies: external hard drives are not immune to spills, drops, theft, and device function errors. Cloud backups are convenient; just ensure you know where data is being stored, as well as data privacy rights on specific platforms.
Cybersecurity Awareness Training
Invest in cybersecurity awareness education. Your team members encounter phishing emails on a daily basis. Ignoring those emails will not make them go away or help your team recognize more expertly devised tricks.
Take the proactive approach and provide continuous security awareness education.
Ongoing training that embraces interactive training modules, assessments, and instruction on how to identify phishing attempts directed at your employees will mitigate cyber risks associated with fake wire transfer requests, bank account changes, payroll changes, payment of phony invoices, and ransomware threats. It will also mitigate credential theft risks, which can lead to a data breach.
When implementing your security awareness program, start with a baseline test to determine the organization’s risk percentage. Throughout the year, this baseline will help determine if training has been successful, or if additional training is needed in certain areas.
Be sure to implement and communicate a security awareness training policy for the organization, or update your Acceptable Use of Technology policy to include your mandatory training program. Develop an annual plan that identifies when phishing and other trainings will be assigned throughout the year—and stick to it.
There are many great computer-based training platforms on the market to choose from; if you are uncertain about the direction to take with your cybersecurity education program, reach out to your trusted advisor.
While you’re mitigating cyber risk to your organization, you are also helping do the same in your team members’ personal lives.
REDW Can Help You Be Cyber Smart
If you have questions regarding mobile device security, or would like recommendations in cybersecurity awareness training for your organization or team, don’t hesitate to reach out to Cybersecurity Senior Manager, Jennifer Moreno. We’re here to help you #BeCyberSmart.