4 Rules of Thumb for Better Mobile Device Security

Security threats are everywhere, lurking in alley ways and around corners and even in your favorite coffee shop. Yet mobility is in demand, and people will use their smartphones and other mobile devices because it’s convenient, even if company policy suggests against it.

This is a big deal for IT and security professionals and CIOs, which is why it took a while for IT to recognize the need to address mobile device security rather than simply deny mobile device use. With data breaches, ransomware attacks, hacks and information leaks happening on an almost daily basis, businesses must find ways to protect their valuable applications and data from loss or misuse while at the same time enabling mobile device use.

The following 4 rules of thumb are not comprehensive but are four essential rules of thumb to help guide business owners in addressing mobility management and security within their organizations.

Rule 1: Make sure there are clear mobile device use policies and support them with ongoing administration and strict enforcement.

I can’t say enough about having good security and mobile device policies and keeping them modernized, relevant, and actually enforcing them. Too many businesses say they have a “security and use” policy in place, yet it is outdated and doesn’t reflect the actual tools or processes currently in use.  Even more frequently a business will develop a policy just to say it has one, but won’t actually train workers or enforce compliance.

Rule 2: Require and enforce strong passwords, manage access in real time, and force password changes with some frequency.

It is essential that all user access to applications or data be controlled at minimum by password-protected logins to the device and corporate resources coupled with periodic forced password changes. Users often prefer to not require passwords or other authentication for device access, but corporate policy should not only require them but also enforce their use.  Also, user access should be managed in real time, meaning that any aspect relating to access should be disabled or revoked immediately upon employee termination or reassignment. Too often these forgotten chores are relegated to after-the-fact IT administration, which allows users to access resources beyond their rightful boundaries.

Rule 3:  Do something to contain the applications and data on the device.

Whether the approach is with containers, cloud hosting, server-based computing or something else, it is really important to try to “contain” the applications and data accessed from the mobile device. Risk is created when users sync data directly to the device’s storage or install applications directly on the device to access corporate data. Password and other security measures prevent unauthorized access, but allowing applications, credentials or data to be stored directly on the mobile device allows those things to interact with other things on the device.  Containers, hosting and server-based computing models keep the applications and data within secured spaces, often not even storing essential items on the device but only accessing them via the device. This allows the business to provide users with the access and functionality they need to do their jobs, but also reduces the vulnerability of applications and information assets.

Rule 4: Keep device software up to date and download fewer apps.

Updating mobile device operating system versions and release levels is important to make sure the device has the most current security patches and threat protection.   Some mobile OSes even have capabilities which can help keep personal and work apps separated.  Limiting the number of apps users can download to their devices should also be considered. Users may randomly download and install applications to their devices with little regard for the quality or security of the app, and often accept terms of use without really reading them. Consumer apps from app stores may pose risks to data and the device, so IT should check regularly for problematic apps if the device is used to access the corporate network, applications or data.

Mobile and wireless are in demand

Just about every business has people who use their phones and tablets for some business use, and every one of those mobile devices and the apps running on them could open the door for a hacker, ransomware, data theft or compromise. While there are many benefits to be gained by enabling remote and mobile devices in the business workflow, unrestricted access only creates risk.

Keeping mobile devices secure for business use takes multiple approaches, as there is no single method or solution that works for every situation. Our 4 rules provide a basic foundation for business mobility management, offering a starting point for developing a more thorough and detailed plan.

Make sense?

J

Centralize and Secure Business Applications and Data

laptop drawingThe portable computer is an essential business tool for day’s mobile workforce, having the power and portability to meet the demands of executives and professionals working away from the office.  While executives and mobile professionals get the applications and data they need to keep productivity high, carrying business data on devices outside the network introduces significant business risk.

There are studies which estimate that as much as 80% of the data a small business owns (data like customer files, contracts, product information and financial data) is copied to or stored on portable computers.  When valuable business data is lost or stolen, the business can be exposed to a variety of problems – loss of revenue being just one. Losing track of business data can create legal issues, too. Customer privacy may be compromised, sensitive information could be exposed, or confidential plans might be made public if a business doesn’t take the right steps to secure its data.

It isn’t just the possibility of loss or theft which increases risk when data is copied to portable computers – the increased vulnerability of the information sits with the likelihood that the user will access unsecured networks, launch non-corporate applications, access private email accounts and perform other non-business related tasks with the computer because they have more access than with a fully secured corporate in-office desktop.  User behavior is often what puts corporate data and assets at risk, regardless of the policies that might define correct and acceptable procedures. It is very easy for workers to unknowingly lose and leak data, and when the data is present on the portable computer it gets even easier.

A 2014 study commissioned by Cisco Systems found that employees around the world continue to engage in “risky” behaviors that put business and personal information at risk:

  • The majority (70%) of surveyed IT pros believe that as many as half of their data loss incidents are due to authorized program installations
  • 44% of employees share work devices with others without supervision
  • 39% of IT professionals have dealt with employees trying to access unauthorized parts of the company’s network
  • Almost half of the employees admitted to copying data between work and personal computers when working from home
  • 18% (up to 25% in some regions) of employees shared passwords with their co-workers

Companies must not only protect their data for their financial well-being, but must recognize their legal obligation to protect much of the information, as well.  The risk extends beyond the walls of the enterprise, to vendors and customers and consumers whose information may be stored in the company data. Additionally, portable computers exposed to malware and virus attacks are likely to pass the bad code to other systems they come in contact with, introducing not just risk for the recipient but liability for the infected laptop owner.

Where mobile computing brings huge advantages to today’s business, owners would do well to consider the benefits of enabling mobility through the use of server-based and hosted computing models. Rather than installing software and copying data to PCs and mobile devices, workers should be able to access a central system where the applications actually run. IT management is more efficient and security is easier to enforce when applications and resources are contained exclusively within the corporate boundary, even if they are accessible from without.

Virtual desktop and remote application solutions offer features that address a variety of potential risk factors as well as enabling improved management and security of IT assets.  Centralizing and securing applications and data resources at the server allows businesses to deliver the mobility and functionality users need while enabling the information security and management the business demands. This is a foundation upon which remote desktop and remote application technologies were built, allowing users to have the real-time access to applications and data with full functionality and desktop modality, but without the requirement to install, manage and secure applications and data on the individual devices.

Make Sense?

J