
Home and mobile working: the risks are far from remote

We’ve all been on a train where we’ve realised the person next to us is curiously glancing at the work on our laptop. Many of us log regularly onto public wi-fi in a coffee shop or at a hotel without thought of using a VPN, or cart a laptop halfway across the world by plane, train, and automobile. And working from home we’re probably all guilty of not following quite the same security protocol from our sofa as we’d be subject to in the office.

We think nothing of this behaviour, acted out every day in our global, mobile, on-the-go world… But we should think again, because a significant number of company security breaches are not the result of a major in-house hack, but of employees’ devices being compromised while out and about.

As home and mobile working becomes far more the norm, it’s time we took the risks seriously. It is vital that any cyber security-conscious organisation has watertight policies and procedures around home and mobile working in place as a key part of its risk management regime.

A laptop is stolen somewhere in the world every 53 seconds.

That’s not to mention the 70 million smartphones misplaced each year. Swiped in plain sight or accidentally left behind on public transport, at a conference, in a café or even pinched from your business premises.

The confidential data held on mobile devices is often easily accessed on the hard drive with no encryption. Vital user credentials like passwords can also be copied to access and compromise wider company systems. 56% of organisations who have had a laptop lost or stolen say that the theft resulted in a data breach. Not great odds to dice with.

Wandering eyes or slack standards.

You don’t even have to physically lose a remote device to compromise security. Mobile workers in an open, public space can be overlooked, revealing sensitive information or passwords; using public wi-fi without a VPN is Christmas-come-early for a hacker; while a device left unattended is easily tampered with and can have malicious software installed.

As for home workers, security procedures even your most trusted staff would follow unquestioningly in the office can fall by the wayside when working from home. They might download unverified software onto corporate devices, or simply fail to make critical software updates on your machines.

So what can be done to manage these risks?

Short of banning home working and any device leaving the office (hardly a realistic option), the UK National Cyber Security Centre offers the following advice:

  • 1. Assess the risks and create a practical mobile working policy: Weigh up the risks to your corporate network from mobile devices, and consider an increased level of monitoring on all remote connections. Write a clear policy agreed to by all employees, up to and including Board members. Cover everything from how you authorise employees to work off-site and device provisioning and support, to the type of information that may be accessed or stored on devices, and the minimum procedural security controls.

  • 2. Educate users and maintain awareness: Educate any employee taking their work mobile: discuss how to look after and securely operate devices outside the office, including secure storage and management of user credentials, incident reporting, secure connections to send sensitive data, and environmental awareness (the risks of being overlooked etc.).

  • 3. Apply the secure baseline build: Develop and apply a secure baseline build and configuration for all types of mobile device used by your organisation.

  • 4. Protect data at rest and in transit: Minimise the amount of information stored on a mobile device - only allow that which is needed to fulfil the specific business activity delivered outside the office. Encrypt the data even when at rest if you can. And crucially, encrypt information being sent back to the office over any internet connection.

  • 5. Review the corporate incident management plans: Prepare for the worst with flexible incident management plans to deal with security incidents that could occur, including the loss or compromise of a device. Ideally you want the capability to remotely disable a device that has been lost, or at least deny it access to the corporate network.

There are also various pieces of physical kit you can supply to limit the risks of mobile device theft, from cable locks to USB port blockers.

Take a belt and braces approach, and keep the risks remote.
