Mobile Device Security is a Moving Target
As businesses mobilize their workforces and processes the volume and variety of sensitive data passing through and sitting on mobile devices increases dramatically. Even though the business owner or IT manager may recognize the importance of mobile data and device security, doing something useful about it is altogether another issue. New considerations enter into the picture frequently, turning mobile security into a moving target. Protecting the business – the organization, its employees and its customers – requires adopting mobile security strategies that cover a broad range of issues.
First of all, is there any means of monitoring the activities of the connected or mobile devices? Knowing which devices are interacting with your information would seem to be an essential part of business information security, yet smartphones and tablet devices often fall under the proverbial radar of IT or business management. Actually, business management is likely among the base of users with the very mobile devices in question.
Are there ways to limit what information is accessible via these mobile devices, and is that data encrypted? Consider also that data is sometimes at rest (like when it is just sitting on a hard drive) and sometimes in transit (like being uploaded/downloaded/transmitted over the wire). In either state, the data should be encrypted in order to be more secure.
Is there a standard set of apps or services that users can enable, or is it pretty much personal choice? Too often a user will innocently install a malicious app on their device, exposing the business to a variety of potential threats. Creating strict policies around app selection and use is a really good idea, and finding a way to actually enforce them is even better.
The big issue is separation of work and personal apps and content. Especially in small businesses where personal devices are the norm (well, not just in small business… Hey Hillary!) it is quite a challenge to create any useful separation between personal and business use. The mobile device is often adopted as a personal choice of the user – who elects to invest their personal mobile device in their work – so exacting any real level of control in how the device is used is tough. The security of the information is only as good as the security of the device, meaning that it is usually up to the device owner to decide if a password or pin is required. Unfortunately and for the sake of convenience, there is often little or no real security on the device meaning there is no real security around the information on the device in the event that it becomes lost, stolen or compromised.
There are a lot of things that the business can do in order to improve the security of their business data in a mobile device environment. Here are a few of the basics:
- Have defined procedures for what happens when a device is lost or stolen; make sure they’re followed
- Have a way to do a remote wipe of the device
- Make sure all devices lock after a period of inactivity, and that they have password or pin protection
- Have a mobile device use policy, and make sure all employees understand why it matters and agree to it.