Article by: Mato Petrusic, Head of EMEA at iPass
Mobile working is increasingly becoming the norm for many enterprises, with Strategy Analytics predicting that there will be 1.75 billion mobile workers by 2020. At the same time, mobile security threats are on the rise: according to the McAfee Mobile Threat Report Q1 2018, 16 million users were hit with mobile malware in the third quarter of 2017, nearly double the number it recorded the year before.
Today’s professionals rarely stay in one fixed location; they could be at an airport departure lounge one day and working at a café between meetings the next. Wherever they are, mobile workers can likely find free or on-demand Wi-Fi to access the corporate systems and data they need in order to do their job. For all the benefits this increased Wi-Fi access brings, it has also resulted in a significantly higher business risk. For example, there has been a surge in network spoofing in recent years. Network spoofing involves hackers setting up a fake network in a public place and waiting for users to connect. Once they have done so, the hacker can watch the victim’s traffic and siphon off sensitive information such as bank logins, personal information or credit card numbers. It’s also possible for cybercriminals to spy on the traffic flowing over unsecured networks that are set up in public locations.
Free public Wi-Fi and its usage continue to pose the biggest mobile security threat to enterprises, especially as today’s ‘Wi-Fi first’ mobile workers often turn to unsecured hotspots as their first connectivity port of call to maintain productivity on-the-go. Unfortunately, this can be extremely detrimental to a business, with a recent global survey from iPass showing that more than half of CIOs suspect that their mobile workers had been hacked or caused a mobile security issue over the last year. That number jumped significantly in Germany, with just over seven in every 10 CIOs concerned that they had been exposed to a mobile security issue during the previous 12 months.
The problem is, the most vulnerable Wi-Fi locations are those that are also vital to the mobile worker. Nearly two-thirds of the CIOs blamed public Wi-Fi in cafés and coffee shops. This problem was particularly acute in the UK, where 81% had seen cafés and coffee shops contribute to Wi-Fi related security issues. Airports and hotels were also cited as vulnerable locations, perhaps unsurprisingly given that they are also very high turnover public locations, where the level of security at each hotspot can vary.
Mobile workers’ use of networks that carry a high risk of being compromised by cybercriminals is undoubtedly a huge issue, but the iPass survey also found that BYOD, or Bring-Your-Own-Device, policies were on CIOs’ radar as a contributing factor. BYOD is now commonplace, but despite the large number of people working remotely, studies have shown that very few of these workers have been supplied with a mobile device from their employer. This leaves enterprises open to security risks, as they do not have as much control over the security settings or capabilities of devices that are being used, meaning they are often left in the dark where the security of their remote workers is concerned.
Overall, more than four in 10 CIOs in the iPass survey said that BYOD had significantly increased mobile security risks and a further five in every 10 said that they thought the threat had been somewhat increased due to BYOD. Enterprises really are in a Catch-22 situation when it comes to BYOD, because while it can increase employee productivity and job satisfaction, there is a trade-off with potential security risks. Overall, 92% of CIOs are very or somewhat concerned their growing mobile workforce presents an increasing number of mobile security challenges. This is becoming something of a perfect storm: a rapidly growing mobile workforce looking to stay connected with free public Wi-Fi, coupled with ever more sophisticated hackers.
There are millions of Wi-Fi hotspots globally, all with varying security credentials – how can enterprises ensure connections used by their mobile workers are secure? At a time when data protection is paramount, enterprises need to strike the delicate balance of keeping their data and systems secure without hampering the crucial productivity of their mobile workforce.
Many CIOs are failing to acknowledge the importance of this balance, preferring to protect their business against public Wi-Fi security issues at all costs. The recent iPass survey showed that these CIOs have taken a somewhat radical stance: outright banning their remote workers from using public Wi-Fi hotspots. Overall, just over two thirds of CIOs had enacted some kind of Wi-Fi hotspot ban, with a further 16% expecting to do so in the future. While this measure can help IT decision makers feel as though they have cut the risk of data breaches, this is not necessarily the case. A blanket ban only protects against one specific connectivity issue. While making the decision to limit use of public Wi-Fi hotspots may help in the short-term, it does not promote understanding of the wider security threat and can make mobile workers feel as though their mobility and connectivity access is being limited – leading to a rise in job dissatisfaction.
Mobile workers will always require on-the-go connectivity to complete important tasks, but may not have consistent access to secure networks, meaning they seek out any available connection. Whether they are using a personal or a corporate-issued device, employees will find a work-around in order to get connected or, on devices that might only have a Wi-Fi connection, may not be able to work at all. The outright ban on public Wi-Fi usage is akin to cutting off your nose to spite your face. Businesses need to have a modern mobile working strategy in place to enable the mobile workforce to stay connected without putting the company at risk of a security breach.
So how do businesses go about striking this balance between mobility and security? One way is to encourage employees to use VPNs when they work remotely. A VPN service protects the proverbial ‘last mile,’ where a user’s data is most vulnerable to security risks. It masks and encrypts data, which protects users from unwittingly exposing personal information and company critical material to malicious actors. Protecting users regardless of location or device, the benefits of VPN use are clear. VPNs can help to overcome the issue of using Wi-Fi hotspots in vulnerable public locations by extending a private network over the unsecured Internet connections offered in cafés, hotels or wherever the user might be.
In general, broader awareness of security issues for mobile workers has meant that the usage of VPNs is steadily increasing. In 2016, iPass found that just 26% of enterprises were confident mobile workers were using a VPN when they went online, but that figure has risen to 46% in 2018. Though VPN services are being offered to mobile workers more widely, fewer than half of CIOs are fully confident that mobile workers use a VPN every time they go online. This undoubtedly calls into question the protection that VPNs actually deliver, despite broad awareness of security issues rising among mobile workers.
One of the issues holding back widespread use of VPNs is, thankfully, rectifiable. Businesses looking to increase the numbers of mobile workers using VPNs when they go online need to properly educate staff on the potential damage that not using them can cause the business. This practice will make sure that both the implementation and use of VPNs are as seamless for the end-user as possible. The decision by some companies to ban the use of public Wi-Fi hotspots is an extremely short-sighted one and does not address the wider business implications. Most employees do not want to feel restricted by IT policies, and outright banning public Wi-Fi hotspots can reduce employee mobility and damage employer-employee relations.
Unfortunately, there is no single solution to respond to these challenges. A multi-pronged approach is the most effective way to secure company data without causing issues for the growing number of mobile professionals. Rather than blocking Wi-Fi access at popular remote working venues such as cafés, airports and hotels, enterprises need to educate their workforces on the various threats to their business from open Wi-Fi networks. At the end of the day, mobile workers will always seek out connectivity to get work done, irrespective of the security risks involved. Indeed, according to McAfee’s 2017 Travel Survey, fewer than half of travellers took the time to ensure their Wi-Fi connection was safe, even though the majority of them knew how to do so. With the right education and incentives, users can be empowered to consistently and confidently identify risky networks and understand why it is so important to use the VPN provided to them. Learning these best practices positions both the individual mobile worker and the larger enterprise to avoid the security risks of using questionable Wi-Fi in the first place.
From a technology standpoint, businesses need to make the process of staying safe online when working remotely as simple and easy as possible. For example, there are currently several barriers preventing mobile workers from connecting to VPNs, including the fact that they might not want personal data to run over the corporate network or that connecting to VPNs can take extra time. In this respect, it falls to IT teams to ensure that staff can be quickly educated on how to connect to VPNs without delay and that the VPN provides employees with the most seamless experience possible.
Businesses need to shift their mindset when it comes to protecting the mobile workforce and treat it in the same way they would any other business-critical asset. This involves developing an appropriate data and identity security strategy that eliminates users’ need for alternative, less manageable, less secure and potentially less productive methods of handling corporate data.
In today’s digital information economy, banning the use of Wi-Fi is simply not a practical means to protect mobile workers, user identities and corporate data. Wireless connectivity is both essential to employee productivity and a cost-effective means to keep mobile workers productive both at home and abroad. Companies should combine employee education and secure connectivity technologies to ensure their workforce can remain productive and operate in a secure way that does not impact the business, regardless of physical location.