The speed with which the mobile office has become an integral part of the modern workplace is remarkable. By 2023, the global mobile workforce is estimated to reach 1.88 billion – 43% of the global workforce. Clearly, mobile security is something that SMBs have had to be quick to adapt to, but balancing the increased data risks with the cost of implementing security measures is a significant concern to those operating on a tight budget.
The number of cybersecurity threats facing small businesses continues to grow, but budgets and resources do not. And the issue is not just financial. Many SMBs are time-poor and not in a position to fight a continually evolving threat.
Thankfully, there are a number of cost-effective measures that small businesses can establish to ensure that device management is both effective and enforceable. This is not to say that no investment of time or money will be required, but these measures can help to significantly improve security without dramatic increase in investment.
Along with strong passwords, the mantra of security experts for years has been to keep comprehensive backups of your data. While it is not always followed, it is more important than ever for SMBs. With staff working remotely becoming more common, the risk of mobile devices being lost or stolen increases, and with it the risk of losing data that has not been backed up.
One of the most common forms of attack in recent years has been ransomware, such as WannaCry, which had many high-profile victims including the UK’s National Health Service and European travel networks.
Once executed, ransomware attacks collect the user’s data and restrict their access, typically through encryption. The user is then informed by an onscreen message that, as the name suggests, to recover the data a fee will have to be paid. While this is bad news for larger companies, the prospect of having to pay a fee could be incredibly damaging to the finances of small businesses, especially with no guarantee that the data will be returned.
Thankfully, this type of attack does not have to be as damaging as it first appears. Simply by keeping regular backups on another network or through a cloud platform, which provides access to the data and secure storage, the consequences of a ransomware attack can be reduced to formatting the device in question and recovering the data from the backup. Turning what could have been a disaster into an inconvenience.
Bring your own Device Policy
Before allowing staff to access the company’s network or accounts remotely, a bring your own device (BYOD) policy should be in place. This should be clear on the responsibilities of the staff when it comes to enacting security measures and best practices and needs to be agreed to as a condition of remote working.
By creating a policy, employees will have the freedom to work remotely on the understanding that security software is both installed and kept up to date on their personal devices. All mobile workers should also be provided with training updates on a regular basis so that any changes in endpoint security best practises are clearly communicated.
With a BYOD policy there is always the issue of trust. Employees need to be confident that staff will adhere to the security requirements and take suitable precautions to avoid the loss or theft of devices. Similarly, the reasons for the policies have to be as transparent as possible to ensure that staff do not feel their privacy is being impeded by having security or tracking software installed on their personal devices. For it to be successful, a BYOD requires staff and employers to pull in the same direction when it comes to security threats.
In a 2018 study, Hiscox estimated that an SMB in the UK is hacked every 19 seconds, with an average annual clear up cost of £25,700. This demonstrates that whether companies feel they are too small to be attacked is irrelevant. Many breaches are not the result of a directly targeted attack, but wider-reaching, speculative attempts to exploit outdated operating systems and unpatched software vulnerabilities. With such persistent attempts to identify a weakness, there is a good chance that no matter how well protected your company is, some form of human error could eventually occur and result in a breach.
BYOD policies, backups and improved best practices can minimise the risks of utilising an increased number of endpoints, but all SMBs should have plans in place should the worst happen and not rely on the hope that being a small business is enough to be overlooked. This line of thinking is becoming increasingly common. A KPMG survey revealed that in the current environment, 40% of UK CEOs believe the prospect of a cyber attack is ‘when’ rather than ‘if’.
By producing a clear response strategy, the speed with which an attack can be identified and stopped can be significantly reduced, minimising the damage caused by downtime to finances and relationships with clients – something that could be vital to businesses with little flexibility in terms of finances and resources.
On the surface, it might seem that the risks associated with mobile workforce mean that opportunities for remote working should be kept to a minimum. However, flexibility in where and when work is completed is being increasingly viewed as essential for the modern workforce. According to Avast Business’ Mobile Workforce Report, half of workers would prefer the option to work remotely over a pay rise.
To ensure the benefits of mobile working are balanced against minimised risk, company policy needs to adapt to both allow greater flexibility, but also to ensure that the responsibility for data security is shared among everyone who is accessing the network.