10 Steps to Cyber Security - Step 10

10 Steps to Cyber Security: Step 10 - Home and Mobile working


Step 10 – Home and Mobile Working

As employees may be able to access their work remotely, via mobile phones or remote access to systems and service providers, it is vital to ensure that the appropriate polices are put into place to eliminate any risks.

What is the risk?

Employees can access data outside the corporate infrastructure via the internet. This is done by using mobile working and remote access to access transit storage of information or operation of systems. With mobile phones being portable and easily accessible, there is a chance that a member of the public could read what’s on your screen or that the device might get lost or stolen.

Organisations that do use mobile working practices might be vulnerable to the following risks:

  • Loss or theft or the device – if the mobile device is lost or stolen, it may offer access to sensitive information or systems to an authorised user.
  • Being overlooked – working outside of the work premises is useful however you do not know who is watching your screen, for example, whilst working in a public space such as a train. This could potentially compromise user credentials or sensitive information.
  • Loss of credentials – if an unauthorised user gain access to a stolen device, the user credentials that are stored on that device (username and password), could be used to compromise services or information stored on that device.

How can the risk be managed?

The mobile device and remote access risks could be managed by:

  • Assessing the risk and creating a mobile working policy – assess all risks that could occur with all types of mobile devices and remote access. This will include, the type of information and services accessible off site, which employees are able to access information and services off site and what information and services they can store on their devices. There should be a higher level of monitoring on all remote connection and the systems they access.
  • Educate users and maintain awareness – all users should be fully trained to use the devices under the security and privacy policy. This should include directions on:
    • Secure storage and management of credentials,
    • Environment awareness (screen watching),
    • Incident reporting.
  • Protect data at rest – ensure the minimum amount of data is actually stored on the device. The only data that should be stored, should be that which helps the user outside of the office environment. Consider encrypting data if the device supports it.
  • Protect data in transit – all information exchange across the internet should be encrypted.
  • Review the corporate management plans – the incident management plan should be flexible enough to deal with all risks, such as loss of device. The incident management team should be able to deal with any technical issues that arise, able to remotely disable any devices or able to deny them access to the corporate network.


  For more information please email [email protected]

Related News

Member Log-In

Welcome to the SBRC Members Lounge, login details will be issued to members in due course.

Forgot password?