Mobile devices need protecting too

Attacks on or by end devices that are not on the company premises happen again and again. A VPN is important and indispensable for remote connections to the corporate network, but it is only half the battle. Secure data is achieved through information security, not just through IT security. And information security also includes a few aspects that some companies do not think about. Many companies are still lacking a usage policy which covers end devices and remote use. Regardless of whether they are combined in one policy or split over two, these areas must be covered. It is just as important that employees know that policies exist and have read and understood them. This implies clear, concise language without technical terms. CISOs often write too much and lose themselves in the details. If users manage to read the text at all, they often miss the point. 

There are lots of useful templates on the internet. Many are free to use, for example here (English) or here (German). Other policies are subject to copyright but they can still serve as a useful point of reference. If it fits, use it, if it doesn't, scrap it. Important aspects include applications and data that can be loaded onto a mobile device, whether private use is permitted and to what extent general good conduct is assumed, and whether use is monitored by the company. It is imperative that rules in the event of loss or theft are defined. Contact details for reporting incidents and emergency plans are immensely important. It makes sense to distribute the most important rules to employees in the form of a small printout the size of a credit card.

Once the rules are established, technical measures need to match. VPN software from NCP helps to secure data during transmission. The need to protect information stored on mobile devices is obvious. Whether a folder, the entire hard disk or, the entire device is encrypted depends on the specific requirements. Any companies that do not want to see their sensitive data extorted or used by the competition cannot do without encryption. If applications and bandwidth are available, not storing any data on the device and use network drives or a virtual desktop instead can lead to greater security.

BYOD devices deserve further consideration. IT departments cannot implement many measures on employee-owned devices. The safest way to maintain compliance with the GDPR is to use a container. A container provides access to the professional environment and company data but there are no interfaces to the host system. Data security solutions offer another possibility. They encrypt devices, emails and data and are often associated with control and monitoring functions. This allows sensitive information in e-mails and attachments to be classified and encrypted using a security tag.

Data Loss Prevention (DLP) also applies to this area. DLP software classifies confidential and business-critical data and identifies violations of company guidelines or legal regulations such as the GDPR. It can be used as an active measure to prevent breaches. For example, if it detects an attachment that is not intended for distribution outside the organization, it will block the email and log the incident.

In the end, however, the employee and their awareness and understanding of security measures are the most critical aspects. If tools and processes are seen as a meaningless obstacle, their effect is at least limited, if not eliminated. To prevent this, it is important to design a policy which is as least restrictive as possible. However, because security always comes at the expense of convenience, it is important to communicate the two measures continuously and clearly. Security is important in order to protect the company, its business and ultimately job security.