Mobile working has changed how organizations conduct business, from the development labs and the factory floor of the global supply chain all the way to the end customer. Mobile working and its facilitators—cloud computing, Internet of Things, and IT consumerization—have unleashed new waves of innovation that have resulted in new products and services, an empowered workforce, a streamlined global supply chain, and an engaged customer base.
But these and other mobile-centric developments have done something else: They’ve significantly expanded cybersecurity threat vectors and, in some cases, opened up vulnerabilities that are threatening to undermine our aspirations for agility, efficiency, and productivity.
By now, you’ve undoubtedly picked up on the fact that I’m talking about “mobile working” rather than the more common “mobility” term. That’s because I believe mobility has become synonymous with devices, and getting work done when away from a traditional fixed-point setting like an office is about much more than mobile devices.
So, as important as devices are in the overall process of mobile working, we must look at this trend as an ecosystem of devices, applications, workflows, and services.
Unfortunately, mobile working brings with it a host of new security threats that too many of our organizations have yet to confront, let alone overcome. It should surprise no C-level executive or board member to learn that Wi-Fi networks at the airport, sporting arena, or your local coffee shop are easy and frequent targets for cyber criminals. And unless we commit to integrated security functionalities in our products, services, and workflows from the start, we will fail to achieve many of our most essential business goals.
Let me be clear about what I’m saying.
- Security is not an IT issue. It’s a business issue, and it demands the support and leadership of business executives, IT and security professionals, board members, and end-user stakeholders.
- The financial cost of designing security into products, services, and workflows is far, far outweighed by both its long-term economic benefits and the resultant costs of remediating problems after the fact.
- Native security breeds confidence among all users, which in turn promotes productivity and delivers economic value.
What Secure Mobile Working Can Do for Productivity
It’s important to understand and embrace the notion that you can’t have productivity in mobile work without security—specifically, security integrated from the very beginning of product development or business-process creation.
The ability to work anywhere at any time, to access data and applications from home or on the road, is central to worker productivity. We’re now firmly entrenched in the era of non-traditional work hours, driven by such factors as a desire to juggle work and personal commitments, the realities of the global economy, and a need for many so-called knowledge workers to react instantaneously to a germ of an idea, to a spark of brilliance.
To do that, we must have native security in our devices, applications, and business processes. And if our organizations don’t enact steps to bake in security from the start, the regulators will come knocking on our doors. The new General Data Protection Regulation demands that we automatically do the things we should have been doing all along, in terms of protecting and managing personal information.
Why You Can’t Have Digital Transformation Without the Right Security for Mobile Work
If there’s any term being bandied about by business executives more than “digital transformation,” then I haven’t heard it. By now, every business leader and board member has embraced the notion of using technology to further business goals, especially in retasking our bright, creative employees away from rote, repeatable activities that can easily be done by technology.
To further the goals of digital transformation, organizations should focus on three areas:
- More use of cloud platforms to accelerate the delivery of IT services for business aims.
- Customized, personalized computing built around mobile platforms to drive greater employee engagement.
- Improved productivity through the paradigm shift that is mobile working.
And to accomplish all of that, organizations must acknowledge that traditional security controls and procedures were not built in anticipation of digital transformation and all its components.
Too many organizations still cling to the concepts of strong physical boundaries that promote routing back through the physical network, rather than extending the perimeter to the cloud. By embracing the cloud as a tenet of mobile working, organizations optimize security risk management by leveraging the investments, knowledge, and ability to experiment—safely—of cloud service providers.
Done properly, digital transformation is more easily attained when security issues are anticipated and integrated in advance, rather than after a security problem arises. And it’s important to keep in mind that organizations are only going to embrace digital transformation if their customers truly trust it. For this reason, the cybersecurity office should be considered an essential part of any digital transformation team; too often, it is left to the end of the process.
Improving the Mobile User Experience With Security—Without Compromising Your Defenses
There are questions that board members and executives can ask to understand what can be done to strike the right balance between airtight security and mobile working within their own organization:
- How easy is it for a user to access applications, services, and data? You should find that by making user access simple and intuitive you improve your security posture. More than likely, your CISO has deployed multifactor authentication (MFA) to reduce the risk of identity theft and ensure proper access to data.
- What reasonable controls do we have in place to detect unusual and unusually high data movement? This pattern could indicate that users are working outside of security controls. What type of data is it affecting and does that increase our risk exposure?
- How do we enable collaboration while protecting information? This is particularly important—given the widespread use of third-party relationships in daily business activities—in order to ensure that only the right people can access sensitive data.
- Are we able to detect and respond to threats across the full enterprise ecosystem? Devices, identities, cloud services, data, and more all must be protected in order to enable operational efficiencies and productivity, without introducing unacceptable levels of risk.
- What security outcomes do we need to see? Do we need to adjust our existing controls to enable productivity and mobile working, but still maintain our risk management levels?
In short, good security and a positive user experience are not mutually exclusive—not unless you make them so. Please don’t.
Siân John is Chief Security Advisor for the UK in the Enterprise Cybersecurity Group at Microsoft. She previously held a number of senior roles at the Houses of Parliament, and was made a Member of the Most Excellent Order of the British Empire (MBE) for Services to Cyber Security in the New Year’s Honours List for 2018. This article was adapted from Navigating the Digital Age, Second Edition.