While we often take for granted how quickly new technology finds its way into our personal and professional lives, it can still be hard to believe just how many companies now allow mobile personal devices to be brought to work to access corporate networks–so many, in fact, that it is rapidly becoming the norm. Many companies do so with the intention of bolstering employee productivity, with an eye toward cutting costs at the same time. What no mobile enterprise can afford to be without, however, is a comprehensive security solution at the organizational level.
The wait-and-see approach is something that no mobile enterprise can afford to take. An outright ban on the use of mobile devices often results in some employees finding their own workarounds, which can be highly counterproductive in the end. Fortunately, there are a number of ways to manage the security risks that surround the use of mobile devices for work.
Mobile Device Management Software
If an organization doesn’t know which devices are on its network, and there is no way to analyze the traffic that uses it, what control does an organization really have over its IT infrastructure?
Those are some of the issues that mobile device management (MDM) software seeks to address. Not surprisingly, the number of MDM packages has grown in recent years as the devices themselves have become more prevalent. According to IT security researcher Gartner, Inc., there are more than 100 companies with offerings in the MDM market.
MDM software can allow policies to be set for a range of mobile device hardware and software platforms. Such software can enforce strong passwords, rules for application downloading and patching, and time-outs and screen locks, and can identify when “jailbreaks” occur. MDM software can also provide for auditing and for remote wiping and locking of lost and/or stolen devices–a very real threat considering the size of most mobile devices.
Some MDM packages go a step further and provide data monitoring capabilities for managed devices that allow IT security to detect when the devices move from a given geographic point–and provide the means to lock or wipe them.
BTTOD (Buy Them Their Own Devices)
Rather than address employee-owned devices on an individual basis, some organizations are taking control by purchasing mobile devices for their employees to use for work. Depending on the number of employees, the initial cash outlay might be steep, but companies that take this approach view it as a way to control the software used on these devices, saving money in the long run. This move also nicely sidesteps the issue of requiring employees to run company-approved software on their own personal devices.
The widespread use of mobile apps and the security issues they bring with them has led some organizations to manage their own app stores. This allows employees to access company-approved applications while preventing unapproved apps from finding their way onto mobile devices.
For their part, employees may be more open to these approaches than might be thought. According to a Forrester Workforce Employee Survey of enterprise users, almost half (45%) of respondents said they would like to have a choice of mobile phone or smartphone, while less than a quarter (23%) said they would be willing to contribute to the cost of the device in exchange for having a choice. However, nearly a third (32%) of the 322 people surveyed said they “don’t care” about the choice of having their own work mobile phone or smartphone.
Teaching employees about the threats that exist with mobile devices and the value of using passwords to secure physical access to devices, as well as using encryption to protect the data that is stored on them, is an absolute must. That holds whether or not corporate-wide policies and tools already exist to enforce their use.
Develop a Mobile Device Policy
However you do it, having a usage policy is critical to having a measure of control over your IT mobile device infrastructure. The following are some fundamental points to consider.
- Focus on employee education regarding the risks surrounding lost and/or stolen, as well as infected, mobile devices.
- Install and regularly update anti-malware protection software.
- Have the ability to remotely lock, wipe, and locate company- and/or employee-owned devices.
- Employees who travel should use VPNs whenever connecting to company assets from mobile devices. This is particularly applicable whenever Wi-Fi connections are used.
- Authenticate and identify. Multifactor authentication should be used to access high-value services on a corporate network, since even strong passwords aren’t immune to keylogging software and man-in-the-middle attacks.
There is no “one size fits all” answer for managing mobile device security. Each organization must understand its unique business needs, any regulatory compliance standards to which it must adhere, and its risk tolerance level before implementing device management software solutions and/or usage policies. This will require a concerted effort by IT and other business units, but it is worth that effort when the alternative may be a breach of confidential information that can cost your organization millions in fines, legal fees, and loss of goodwill.