Mobile Device Security: What Senior Managers Should Know
Next-generation mobile devices like iPads and Android phones can do wonders for mobile workers and drive productivity and innovation in business. However, new devices bring increased cost of administration, risk of data loss and reputation damage if they aren’t managed correctly. This article provides clear, practical guidance on how you can make sure mobile devices are a benefit rather than a risk for your organization.
The regulatory environment
Compliance standards have mainly focused on the traditional PC, but regulators are paying more attention to mobile devices. All kinds of devices which hold sensitive data are now in the spotlight. It’s therefore essential to address the security and operational issues relating to mobile devices now, rather than risk fines and sanctions due to data loss.
Remember, regulators won’t care whether you’ve lost sensitive data on a laptop or a mobile device. There may be no difference in the eyes of the law, but security controls for laptops are quite different from those applied to other mobile devices.
The security risks
There is a perception that malware and highly-complex cyber attacks are the biggest problems on these platforms. Although threats like malware will undoubtedly increase (after all, many of us are using our mobiles as a replacement for our laptops for much of the day), right now the biggest threat is data loss.
Most data breaches on mobile devices are typically due to basic security failure—weak (or no) passwords, failure to encrypt data, falling victim to phishing or other social engineering, and failure to update the device (making it vulnerable to simple attacks). Getting the basics under control and making sure you can purge devices when they go missing should be the highest priority, both to minimize actual risk of data loss and to satisfy regulators.
The impact of consumerization
There is a risk as consumerization (the use of personal devices for work purposes) kicks in that IT teams will end up having to manage five times the number of platforms at five times the cost. Most IT budgets can’t tolerate this. But for most organizations, blocking new and trendy mobile devices is not an option either. Make sure any security controls or processes you adopt provide wide platform support to avoid an explosion in IT costs and to future-proof your investment as devices are updated.
Think short term
In IT we are used to thinking on a three-year landscape to maximize return and minimize cost. Unfortunately, in this case a three-year strategy could be a really bad idea.
The mobile security market is moving very quickly. Mobile devices are being updated on practically a quarter-to-quarter basis versus the conventional slow-moving PC. IT teams should implement a shorter term strategy for mobile devices and then iterate it, rather than attempting to plan for three years in one go.
Three mobile security priorities
Mobile devices are here to stay. So make sure your data, your systems and your users stay safe. Here are three top priorities for every organization.
1. Enforce an acceptable use policy
Make sure your organization has clear guidance in your acceptable use policy on what devices you allow and what users are required to do to use them for work. The user can be the ultimate weak link with a consumer device. To protect your data and theirs, make sure they think before they click.
2. Implement strong device security
Make sure you have technology in place that enforces your policies on password complexity, encryption, and patch status. And be sure it can locate or erase devices if they’re lost or stolen. There are more tools available than people realize. Consider management tools offered by security vendors. And follow configuration guides offered by device vendors to enforce best practices. Many of these devices have more security features than you might think.
3. Demonstrate regulatory compliance
Be sure that your management tool produces compliance reports you can show regulators in the event of a lost device. Your security policy framework and associated processes should include mobile devices, so you can demonstrate basic control.
Most importantly, keep your eye on the mobile marketplace and emerging technology. Things are moving fast. Don’t get caught napping.
You can embrace these devices rather than block them if you have the right structures in place.