Safeguarding the Public Sector against the Threat of Device Loss

Recent data has revealed that two-fifths of those who work away from the office have had a device lost or stolen in a public place[1], putting corporate and customer data at risk. The same study found that only around half of employees were aware that their organization had a remote working policy, and a quarter admitted to having broken it.

In the public sector, losses on this scale could put data such as citizens’ health records into the wrong hands. Organizations should therefore be prepared to safeguard this information, especially where it is accessible remotely.

Organizations must enforce these safeguards while facing greater scrutiny than ever before: not just from auditors, regulators and partners, but from the general public. The government’s change of policy last year, allowing public sector bodies to let staff ‘bring your own device’ (BYOD), makes the task harder still. Sensitive public data may now be downloaded to personal devices as well as to those issued by the organization, presenting significant security risks.

CESG, the UK’s national technical authority for information assurance, has issued detailed new guidance on how the public sector should approach the delicate issue of BYOD for its workforce. The documentation advises on how to create a policy that restricts the data that can be stored on devices without creating the kind of barriers that unwittingly encourage staff to try risky workarounds. But is this enough?

Now that the guidance is in place, organizations should use it to empower employees to be as productive as possible, rather than stifling innovation and efficiency.


Empowering staff means ensuring that technology enables IT to securely deliver all apps - Windows, web, SaaS and mobile - as well as data and services, from any device and over any network, so that staff can operate as they would in the office, whether they are at home or on the go.

Here are five ways public bodies can boost productivity while protecting themselves from these risks.

Be Clear About Roles and Ownership

Who in the organization will own enterprise mobility? Mobility is still often addressed ad hoc, by a committee overseeing IT functions from infrastructure and networking to apps. Given the strategic role of mobility in a public body, and the complex matrix of user and IT requirements to be addressed, it is crucial to define clearly the organizational structure, roles and processes around mobility. People should know who is responsible for mobility and how it will be managed holistically across the different IT functions.

Mobile Device Management (MDM) is Critical

MDM enables organizations to manage and control the mobile devices used to access their resources. Before any device, corporate-owned or personally-owned, is allowed onto the public sector network, it must be verified that the device has not been jailbroken or otherwise compromised. Once a device is enrolled, encryption, remote lock and wipe, a mobile virtual private network (VPN), app blacklists and the ability to selectively disable native device capabilities give IT the means to enforce the policy on it.

Avoid the ‘Quadruple Bypass’

The quadruple bypass is the worst-case scenario for enterprise mobility: a BYOD user, on a consumer-grade device, working with sensitive public data, and going directly to the cloud for sharing, storage or editing. This completely bypasses the control and visibility of IT, and it is alarmingly common in today’s organizations. There are good reasons for it, of course: cloud apps help people save time and get their work done more easily, and they can drive value for the organization. The problem arises when cloud apps are used in the wrong way with sensitive data, compromising security and compliance.

Prepare for the Internet of Things

Organizations shouldn’t just write policies for today; they must keep in mind what enterprise mobility will look like in the coming years. Wearable technologies such as smart watches continue to change the way people use mobility, and the public sector should be prepared for employees exploring how they could be used for work. These consumer items will reach the office; it is just a matter of time.

Protect Sensitive Data Above All Else

Finally, IT often doesn’t know where the most sensitive data resides, and so ends up treating all data with the same top level of protection, an inefficient and costly approach. Mobility gives the public sector an opportunity to protect data more selectively, based on a classification model that meets its organizational and security needs: keeping sensitive data confidential while sparing publicly available information from unnecessary controls.
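The two ideas above, an MDM posture check that gates network access (jailbroken or unenrolled devices never get in) and controls that scale with the classification of the data being accessed, combine naturally into a single access decision. The following is an added illustration written for this page; it is not Citrix, CESG or any real MDM product’s code. The device records, the three-level classification scheme (PUBLIC, INTERNAL, SENSITIVE) and the OS baseline are all constructed assumptions for the example.

```python
"""Posture-and-classification access decision for a mobility policy.

Added example for illustration only: not CESG guidance or vendor code.
Device attributes, classification labels and the OS baseline are assumed.
"""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Hypothetical three-level model; the labels are illustrative, not CESG's."""
    PUBLIC = 0      # already published: no device controls needed
    INTERNAL = 1    # routine business data
    SENSITIVE = 2   # e.g. citizens' health records


@dataclass(frozen=True)
class DevicePosture:
    """Attributes an MDM agent would report about one device (constructed)."""
    device_id: str
    corporate_owned: bool        # False means BYOD
    mdm_enrolled: bool
    jailbroken: bool             # jailbroken / rooted
    storage_encrypted: bool
    os_version: tuple            # (major, minor)
    vpn_active: bool


MIN_OS_VERSION = (14, 0)   # assumed patch baseline for this policy


def evaluate(device: DevicePosture, data: Classification) -> tuple:
    """Decide whether `device` may access data at level `data`.

    Returns (decision, reasons) where decision is one of:
      "allow"  - grant access
      "deny"   - refuse access, no further action
      "wipe"   - refuse access and issue a selective wipe of managed data
    Checks are ordered so that a compromised or unmanaged device is never
    evaluated against the weaker, classification-dependent controls.
    """
    # A jailbroken device cannot be trusted to enforce anything else we
    # configure on it, so managed data is removed whatever the classification.
    if device.jailbroken:
        return "wipe", ["device is jailbroken or rooted"]
    # Without MDM enrolment there is no way to apply or verify the other
    # controls, so the device does not reach the network at all.
    if not device.mdm_enrolled:
        return "deny", ["device is not enrolled in MDM"]
    # Publicly available information gets no extra controls on an enrolled
    # device: spending on it is the waste the classification model avoids.
    if data == Classification.PUBLIC:
        return "allow", []

    reasons = []
    if not device.storage_encrypted:
        reasons.append("storage is not encrypted")
    if device.os_version < MIN_OS_VERSION:
        reasons.append(f"OS {device.os_version} is below baseline {MIN_OS_VERSION}")
    if data >= Classification.SENSITIVE:
        if not device.vpn_active:
            reasons.append("VPN required for SENSITIVE data")
        if not device.corporate_owned:
            reasons.append("SENSITIVE data may not be held on a personal device")
    return ("deny" if reasons else "allow"), reasons


# Constructed fleet for the demonstration (device_id, corporate_owned,
# mdm_enrolled, jailbroken, storage_encrypted, os_version, vpn_active).
FLEET = {
    "corp-tablet": DevicePosture("corp-tablet", True, True, False, True, (15, 2), True),
    "byod-phone": DevicePosture("byod-phone", False, True, False, True, (15, 0), False),
    "byod-rooted": DevicePosture("byod-rooted", False, True, True, True, (15, 0), True),
    "old-corp-phone": DevicePosture("old-corp-phone", True, True, False, False, (12, 4), True),
    "unmanaged": DevicePosture("unmanaged", True, False, False, True, (15, 2), True),
}


def report(fleet=FLEET, data=Classification.SENSITIVE) -> dict:
    """Evaluate every device in `fleet` against one classification level."""
    return {name: evaluate(dev, data) for name, dev in fleet.items()}


if __name__ == "__main__":
    for level in Classification:
        print(f"--- {level.name} ---")
        for name, (decision, why) in report(FLEET, level).items():
            print(f"{name:15s} {decision:5s} {'; '.join(why)}")
```

Running it shows the point of a classification model: the personal phone is allowed INTERNAL data but denied SENSITIVE data (no VPN, not corporate-owned), while the rooted device is wiped before any classification is even considered. A real deployment would read the posture fields from the MDM’s compliance API rather than from a constructed table, but the ordering of the checks is the part worth keeping.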

Providing adequate mobility at work is critical for the public sector to perform its duties, but it must protect its data while doing so. This is an opportunity for the public sector to empower a more dynamic and flexible workforce while safeguarding its data and, crucially, keeping costs down.

[1] Read more:

About the Author

Chris Mayers is Chief Security Architect with Citrix Systems, Inc. He has worked in the software industry for nearly 40 years, and has been with Citrix since 1998. Previously he was a consultant with Digitivity/APM, specializing in security in distributed systems. He is a member of the Institute of Information Security Professionals.
