Managing the Risk from Mobile Devices
Between our smartphones, laptops, desktops, smart TVs, tablets, e-readers, and Internet of Things (IoT) devices, it can be challenging to keep everything working and up to date. And we don’t just see this in our homes and personal lives, of course. The ways employees complete their daily tasks has changed drastically too.
Organizations of all sizes have approached new technology in a variety of ways over the years, starting with employer-owned device programs. I remember when I got my first Blackberry (BrickBreaker was such an upgrade from Snake!), but the days are mostly gone when a company will give you a new device every 12 to 24 months and pay for your expensive data plan. Today most organizations have personal device policies, better known as Bring Your Own Device (BYOD) policies.
Giving employees flexibility in how they complete their work allows both the employee and the organization to realize increased efficiencies, with lower costs. However, with the ever-changing threat landscape and daily breaches, it’s vital to ensure that any device with access to personally identifiable or confidential information is kept as secure as possible, no matter who owns it.
Understanding the Risk
You may be wondering how serious threats could be on a device that allows you to video chat with grandchildren, answer a few emails, and while away time on social media and games. The threat landscape for mobile devices is just as significant as other devices within your organization, and management of these devices should be considered with the same type of urgency as any other endpoint.
Mobile devices can easily be lost or stolen. Sometimes they are passed down to new users (or kids) as devices are replaced. Any data or user access credentials stored on the device could be compromised as a result.
In addition to physical threats, mobile devices can also experience threats through the transmission of data. Unsecured wireless access, public Wi-Fi or Bluetooth connections can result in data being intercepted without detection.
Lastly, remote threats can cause ongoing issues as a result of compromised data. Devices can easily become outdated or misconfigured. Vulnerabilities within operating systems or specific applications can be exploited by malware installed after clicking on malicious links in emails or websites, or simply by visiting websites (known as a drive-by download).
How to Reduce Your Organization’s Risk
Better management and security controls for mobile devices should be part of the cybersecurity strategy at every organization. Obviously, employees should not be using devices for work with complete freedom; however, it’s hard for organizations to completely restrict devices when employees have a legitimate need.
Consider the following steps to address mobile device security issues in a way that balances security and productivity:
- Accept and understand the inherent threats for mobile devices and how they can be mitigated. Smartphones and tablets can be just as critical as workstations and laptops, and you should dedicate adequate resources to protecting them.
- Establish a Mobile Device Acceptable Use Policy to define standards, procedures, and restrictions for end users with mobile devices that access business data.
- Maintain an accurate device inventory regardless of ownership and require appropriate controls for these devices, such as:
• Password and inactivity timeout settings
• Update and patch requirements for operating systems and applications
• Anti-malware and encryption installation where supported
• Data storage, device syncing and retention rules
• Device tracking and remote wipe capabilities
- Consider using mobile device management (MDM) software for easy management of numerous devices. This allows you to monitor, manage, and secure organization- and employee-owned smartphones, tablets, laptops, and other devices employees use for business purposes. MDM software can enforce the controls above and further implement security restrictions such as data loss prevention controls and containerization of business data.
- Establish procedures for data removal. Consider procedures for lost devices and standards for the removal of business data from the device prior to the employee leaving or prior to the device being sold, repaired by a third party, transferred to another individual, or discarded.
Establishing and implementing a plan can help your organization properly secure mobile devices from data loss or unauthorized access. With an MDM system, every single device within your network can have appropriate security measures deployed to them on an ongoing basis.
Today’s employees are increasingly mobile and want flexible work environments that allow them to complete tasks wherever they are. As roles change and adjust, being outside of the office doesn’t have to come at the cost of communication and productivity.
Thomas has over a decade of experience in the information technology sector. As Cyber Services Advisor at CapinTech, he performs information security assessments for numerous nonprofit organizations, provides guidance relating to data privacy and data security regulations, and serves as an advisor on internal and external service and software strategies.