Information security

INF040

Mobile and remote working

Mobile and remote working is now the norm, yet many people are unaware of the threats that they face.

Taking work home, working in the field, working from hotels or conference venues, visiting client offices, and working while on public transport are just a few ways that people work remotely, using portable computers and mobile devices.

Mobile working increases the risks of compromise. It can result in the loss of sensitive, high-value, corporate or personal information, affecting your information’s confidentiality, integrity and availability. The types of risks are:

  • Loss or theft: Portable devices are easy to lose or steal, and sensitive information stored on the device can be exposed.
  • Confidentiality: When devices are used in public spaces, information can be overheard or overseen, leading to loss of confidentiality.
  • Electronic interception: Devices used over wireless and public networks are vulnerable to electronic interception. Malicious software can disable security features and activate inbuilt microphones and cameras, giving attackers access to private or privileged content and conversations.
  • Tracking: Built-in GPS receivers and transmitters may allow tracking of the precise location of the user.
  • Malicious software (malware): Just like any home or office computer, portable devices are susceptible to malware, which can be passed on to connected networks and other computing equipment.
  • External storage devices: USB devices, portable storage devices, CDs, and DVDs are an easy way to distribute malware and to exfiltrate data.

These risks may be increased when privileged users have remote access to your systems. For example, systems are at greater risk when a system administrator has access to remotely manage systems from home or a mobile device.

Also consider how to secure and manage use of personal devices in bring-your-own-device (BYOD) scenarios. Today, more people are using their personal devices for corporate purposes or their corporate devices for personal purposes, increasing the risks of compromise. User education is crucial to managing your organisation’s risks.

Before approving your people for mobile or remote working, you should conduct a mobile work risk assessment.

Checklist for mobile computing and communications/remote working

Use these procedures to reduce risks when using mobile devices.

Before deployment or travel

  • Ensure that mobile devices have been updated with security and application updates.
  • Enable mobile device security features.
  • Change PINs and passwords. Always use complex passwords containing upper and lower case letters, numbers and symbols.
  • Reduce the risk of information exposure by removing any information that is not required for the deployment or period of travel.
  • Back up information stored on the device. If the device becomes compromised, you may not be able to recover information from it.
  • Be aware of the emergency security procedures for the mobile device.

Device handling

  • Maintain physical control of mobile devices at all times. Do not leave mobile devices unattended in places where they may be stolen or tampered with.
  • Avoid taking mobile devices into situations where sensitive or private conversation is likely. Where this cannot be avoided, turn off the device and, where possible, remove the battery.
  • If the mobile device has been out of your control, whether you had to give it to someone else (for example, to hand it over for secure storage outside a meeting) or it was lost, check with your Information and Communications Technology (ICT) security people for guidance before you use it again.

Secure usage

  • Ideally, use only corporate devices with all relevant security measures enabled for storing, processing, and communicating sensitive or private information.
  • Only use personal mobile devices for official business when a risk assessment process, enabling policy, and suitable security controls are all in place.
  • Be vigilant at all times. When using a mobile device, make sure that others cannot overhear your conversation or see your screen.
  • If the risk of tracking is a concern, disable any GPS capability. For extra security, turn off the mobile device and, where possible, remove the battery.
  • Disable any features or capabilities that are not required. For example, disable wireless, Bluetooth, and location services if you do not need them. Consider doing this before having confidential conversations.
  • Always confirm the integrity of any new storage media with ICT security staff before you connect it to a mobile device. Have storage media scanned regularly for threats.

Email usage

  • Never use private email accounts to store or communicate official information.
  • Never forward email from corporate email systems to personal email accounts (for example, Gmail).
  • Where you need additional security, ensure that email connections are encrypted.
  • To reduce the risk of downloading hidden malware, disable image loading in all email applications.

Internet usage

  • Activate the privacy mode in the internet browser.
  • Set the internet browser to prompt before storing cookies.
  • Turn off auto-fill to prevent the browser from storing usernames and passwords.
  • Never join or connect to wireless networks where the integrity is unknown. Make sure wireless settings require manual confirmation before connecting to a wireless network.

After deployment or travel

  • Change all mobile device passwords when the deployment or travel is over.

Supporting documents and information

The New Zealand Information Security Manual (NZISM) provides details of the mandatory and recommended controls for the protection of official information. You can also contact the National Cyber Security Centre (NCSC) for guidance.


Page last modified: 7/02/2019