John Knopf, VP of product management at NetMotion Wireless

More and more of our work is done on the move. In enterprises, 63 per cent of employees no longer have a desk and 43 per cent of staff work from home or outside the office several days a week. Add to this the vast numbers working on large-scale campuses like airports or universities, or as field service workers like roadside mechanics.

Employees rely heavily on Wi-Fi and mobile internet to get work done, access critical information and communicate with HQ. However, in relying on mobile devices and networks as they move outside of the company fortress, they are often exposing their devices, data and employers to huge risks. 

Whether it's 'Evil Twin' Wi-Fi attacks or out-of-date applications and operating systems, the risks to mobile employees are myriad. But the mobility map of the world is not all 'here-be-dragons'. Secure, persistent and reliable mobile connections deliver huge benefits and are vital for businesses of all stripes.

So what are some risks and how can we mitigate them?

Insecure Wi-Fi

Public connections offered in hotels and shops or citywide Wi-Fi are typically open networks that do not require authentication. As a result they are vulnerable to hackers intercepting communications and then relaying them on. One method of doing so is the 'Evil Twin' Wi-Fi attack. This is where hackers set up a fake network to mirror the real one. Users unwittingly connect to the fake, and then a hacker can steal account names and passwords, redirect victims to malware sites, or intercept files.

In order to protect themselves, users essentially need to assume all Wi-Fi networks that are not managed by their own organisation are insecure. A virtual private network (VPN) connection is a must when connecting through an unsecured connection. Unfortunately many VPN solutions need to be disabled in order to activate the hotspot. It is critical to use a mobile VPN that doesn't require you to drop your guard. This way organisations can save on data costs and employees gain more convenient access, all without compromising security, as the VPN tunnel is preserved throughout the entire session.

Ensuring that sharing (i.e. the ability for other devices on the same network to discover and access your computer) is turned off is a critical first step. Encrypting the information on your device and in transit is the next, and will afford a greater level of protection from potentially malicious networks or attacks. A VPN tunnel that secures network access and all data transmissions using strong, standards-based authentication and encryption will make tight security easy to manage and maintain. 

Out of date applications and operating systems

Unless applications and operating systems are kept well up to date, devices can be at risk of newly exposed security flaws and zero-days. The ability to push security updates to your entire mobile fleet is vital to ensure that all applications and devices are kept in tiptop shape. The ability to access, update and monitor devices from a centrally controlled hub is critical, ensuring the organisation stays in control of applications, devices and data.

Naturally employees may want a degree of flexibility over when their lifeline to the business is bogged down with updates. The ability to push priority updates, but allow flexibility in when, and over what network, less important updates can happen is a real bonus.

Weak authentication

Depending on the kind of information an employee has access to, or the environment they work in, organisations may want to dictate different levels of security. Enforcing periodic user re-authentication, to validate the identity of the person using the device, can be a powerful preventative measure. Single, two-factor or even three-factor authentication may be required, but it's critical that security doesn't become a burden to the user. That's when human fallibility rears its ugly head. Passwords may be written down, or the same password used for multiple accounts, completely undermining the authentication process.

Authentication of the device using X.509v3 certificates confirms that the device is an authorised corporate asset. This protects corporate resources from being accessed by legitimate users logging on from untrusted devices. It also adds an extra authentication factor with a degree of flexibility. You may want to enable an individual to use only a subset of devices, or limit them to a specific, personally assigned device. The ability to authenticate the device without an active user session is key for preserving security.

Contributed by John Knopf, VP of product management at NetMotion Wireless.