For many, gone are the days of the traditional workplace. We no longer spend the entire day chained to the desk and the computer terminal. Our laptops, phones and tablets have changed how we work. At least part of the time, 61% of workers perform their business from outside the office and use 3 or more devices for their work tasks, according to a Citrix Mobile Analytics Report.
The proliferation of mobile devices has brought businesses many benefits like increased collaboration, enhanced communication and improved productivity, but they have also introduced potential security risks to precious company resources. In response, many organizations are developing Mobile Device Management (MDM) plans and policies to address IT security issues. Here are some key areas to consider.
Security Basics for Mobile Devices
While it’s not possible to be 100 percent secure with any device, including mobile ones, there are some security basics that should be included in an MDM plan for better protection.
- Mobile devices can be easily lost or stolen. 2.1 million Americans had phones stolen in 2014, according to Consumer Reports National Research Center; another 3.1 million smartphones were lost. In case of theft or loss, a strong password policy is crucial to deterring unauthorized access to company data.
- Malware is becoming more prevalent on mobile devices. According to Kaspersky Lab, the volume of malware targeting mobile devices grew more than three times in 2015 compared to 2014. Many organizations are requiring up-to-date malware protection on any device with access to their data or network.
- Encryption and data wiping are final lines of defense for mobile devices. If a mobile device cannot be recovered or may have been compromised, businesses should have the ability to wipe the device remotely, removing any sensitive, company-related data.
Allowable Devices and Applications
A mobile device management policy should outline the types of devices allowed to access company data. Since devices, models, and operating systems change, companies need to revisit their approved list frequently. It can be challenging for IT to implement, update security measures, and provide support for every possible device, so ground rules should be set for what is acceptable.
Some companies maintain control of mobile security by supplying mobile devices to users, but this can be expensive, especially with the need for upgrades. Others have employees supply their own personal devices, like smartphones, as part of a Bring Your Own Device (BYOD) model in the workplace. Whatever your approach, having controls on how these devices access company data is key.
Software and apps on mobile devices also pose a potential risk. The average large enterprise has more than 2,000 unsafe apps installed on employee devices, according to Veracode analytics. While that number would obviously be smaller for a small business, it’s still a risk to be mitigated. A Gartner study found that more than 75% of mobile applications failed basic security tests in 2015. Some of those determined to be unsecured are apps that require a user to enter sensitive data before downloading them. While some mobile devices work with “closed” systems that prevent users from loading apps that haven’t been tested, other operating systems are wide open. Both environments are susceptible to malware. Your policy should list the applications that are not acceptable to have on mobile devices with access to your company data.
Examine how your mobile device management plan will be viewed legally to ensure that you abide by all applicable laws. The laws regarding privacy and data ownership – among other topics – vary by region and industry. For example, the Health Insurance Portability and Accountability Act (HIPAA) carries steep fines for disclosure of personal information, so tight control over data accessed from mobile devices is essential.
Education and Training
If employees have been using mobile devices for some time without restrictions, they may balk when an MDM policy is rolled out. It’s wise to spend time educating them on current and emerging issues in the mobile landscape so they have a deeper understanding of why the policy (and their diligence) is needed.
Employees need training on how to respond when they have an issue. Teach them potential signs of mobile malware and what to do if they suspect infection. Cover what should be done if a device is lost or stolen. If an employee’s device is not on the approved list, it should be clear what restrictions there are on access privileges and how much support they can expect from IT. Lastly, offer help finding a data backup solution to which they can subscribe, so their personal content (like photos) isn’t lost if the phone had to be remotely wiped.
Take the time up front to assess your business, staff, processes, and environment to properly define your mobile device management policy, and then enforce it consistently. Some companies choose to invest in an MDM application which can provide greater oversight and control over mobile devices. MDM tools offer options like application management, file synchronization and sharing, data security, support, and even policy management.
If your company hasn’t developed an mobile device management plan yet, rest assured, you’re not alone. Many are still trying to tackle the IT security threat which is a very real, growing issue. 59% of organizations were projected to start some kind of BYOD initiative in 2015, according to a report by the CyberEdge Group. The same report listed mobile devices as #1 on their list of weakest security links in IT. So, it’s time to start planning – carefully.
Note: This article, written by Safety Net’s Principal Kevin Bozung, was featured in Traverse City Business News (TCBN)’s August 2016 issue.
Cybersecurity for Michigan SMBs
March 13, 2023 in Blog, Security
Proper e-Waste Disposal
March 6, 2023 in Blog, Useful Tips