Governance

GOV043

Assessing the risks of mobile working

Consider the risks to your people, information, and assets from mobile working.

Your people might carry out mobile working using portable devices such as laptops, notebook computers, tablets, and smartphones. They may use hard copy documents, though this is becoming rare.

Some example scenarios for mobile working are:

  • fieldwork
  • occasional work from home without a remote-work agreement
  • temporary work from a client's facilities
  • ongoing work from a client's premises where your organisation can’t assure security arrangements
  • work done while in transit.

Pay close attention to the environment in which your people are expected to operate, as it may have a significant impact on security requirements.

Mobile working environments can range from airport lounges, to another organisation's office, to a remote location.

Work out if security zone requirements apply

Security zone requirements might apply to some locations. These requirements help to protect official or valuable information and resources. Most mobile working locations are ‘Zone 1: Public Access Areas’ with limited security in place.

If you are working in a secured office space, it is most likely to be considered a ‘Zone 2: Work area’.

However, if you require ‘Zone 3: Restricted Work Area’, ‘Zone 4: Security Area’ or ‘Zone 5: High Security Area’ levels of protection, it might be hard to ensure the physical security measures meet your security requirements. Instead, rely on administrative and ICT security controls to protect your information and assets.

Consider the specific risks with mobile working

Consider the following risks and impacts for mobile working, and use the following checklist to help you assess the risks.

Checklist for mobile and remote working

Intimidating or violent behaviour from customers or strangers

When working away from the office, particularly when alone, your people are at increased risk from the people they interact with. For example, your people could be the target of verbal abuse or physical attacks from customers or strangers.

Tracking through GPS or device transmitters

Built-in GPS receivers and transmitters in devices may allow your people’s precise locations to be tracked, putting them and your information at risk.

Loss or theft of sensitive information

Hard copies of papers and portable devices are easy to lose or steal. In either case, your organisation’s sensitive information would be exposed. Your reputation or operations could be badly affected, or personal privacy could be breached. 

Security or privacy breaches that compromise confidentiality

If your people read papers and use devices in public spaces, sensitive information could be overheard or overseen, resulting in compromised confidentiality, loss of intellectual property, or a breach of personal privacy.

Electronic interception resulting in malicious or covert acts

Devices used over wireless and public networks are vulnerable to electronic interception. Malicious software can disable security features and activate inbuilt microphones and cameras to record sights and sounds, enabling attackers to access private or privileged content and conversations.

USB devices, portable storage devices, CDs, and DVDs are easy targets for malicious activity, such as distributing malware and carrying out data exfiltration (data theft).

Malicious software corrupts networks or equipment

Just like any home or office computer, portable devices are susceptible to malware, which can be passed on to connected networks and other computing equipment. Your services and operations would be significantly disrupted.

Jurisdictional risks

If you are working outside New Zealand, some jurisdictions have legislation that may allow local authorities to access your information and systems. You need to consider whether that is an acceptable risk given the nature of the information you are storing or transmitting.

Page last modified: 4/05/2022