Five best practices for securing mobile devices and everything they touch
In the span of just one year from 2012 to 2013, smartphone thefts in the U.S. nearly doubled to 3.1 million, and another 1.4 million were lost, according to Consumer Reports. For businesses and other organizations, every one of those losses and thefts could enable multiple security breaches. That’s because confidential data stored on the phone isn’t the only asset that’s vulnerable. As a trusted device, that phone also has access to corporate networks and the data stored on them.
More than half of North American and European companies are developing a bring-your-own-device (BYOD) policy, Forrester Research says. These policies carry security risks because, for example, employees are reluctant to give their IT departments the power to remotely erase their smartphone or tablet when it’s lost, stolen, or the employee separates from the company. Part of employees’ fear is that the device will be wiped by mistake, costing them irreplaceable personal data such as photos.
The good news is that there are at least five proven ways to mitigate security risks:
Develop practical policies and strategies
Although security breaches involving mobile devices keep making headlines, many organizations still have yet to develop a plan for minimizing their vulnerabilities. Sometimes the reason is inexperience or lack of internal expertise. But more often than not, it’s fear that the policies will be expensive or difficult to implement. Both reasons are understandable, but they ignore reality: attacks on and through mobile devices are nearly as certain as death and taxes.
It’s smart to educate employees about why the security policies and mechanisms are being implemented. That in itself will help reduce the chances that employees will try to circumvent them. In the case of BYOD, employees also will appreciate how those policies and mechanisms help protect their personal information as a byproduct of securing corporate data.
Use passwords, PINs and other widely available security mechanisms, such as the fingerprint identification that many smartphones now have
These are the first line of defense, and not taking advantage of them is like leaving doors unlocked and then complaining when the car is stolen or the house is robbed. Businesses can use enterprise mobility management (EMM) platforms to enforce their use on both employee-owned and company-issued phones and tablets.
One common reason why these mechanisms aren’t as widely used as they should be is that they’re perceived as a hassle. Employees often will disable them because they dislike having to enter a PIN or pattern every time they want to check email or make a call. Businesses have a few options for avoiding those problems. If the phones are company-issued, they could choose models with fingerprint recognition, which many people find faster and more convenient than manual-entry security mechanisms. Nothing is foolproof, but the first line of defense should not be optional.
Encrypt data and calls
This is the second line of defense, rendering personal and corporate data useless to the person who steals or finds the device. In some verticals, such as financial services or health care, encryption may be the only way to comply with laws regarding patient privacy or transaction archives. These laws aren’t limited to servers; they extend to mobile devices, too.
Although encryption typically is applied to stored data, it can and should be used for calls as well. Look for MDM solutions that support AES encryption for calls both as they occur and in their archived recordings.
Implement remote wipe and lock
In BYOD environments, look for EMM solutions that support "personas", which are separate compartments on the device for employee and corporate data. This architecture enables the IT department to erase only the company persona, thus allaying employee fears that their personal data could be wiped if their device is mistakenly reported as lost or stolen.
Personas have several additional benefits. For example, they enable IT departments to weed out personal messages and calls so they don’t clog up the corporate archive. This selectivity helps increase employee participation in BYOD programs by eliminating fears about employer eavesdropping. It is especially beneficial in the EU, where limits on employer oversight (privacy protections) typically do not permit employers to constantly monitor an employee. With dual personas, that oversight concern is mitigated, because the employer’s visibility is confined to the corporate persona.
Control what can be stored and where
When an email attachment is opened, it’s often automatically stored on the device or in the cloud. Look for EMM solutions that can turn off those automated processes or require a password to access those attachments from storage.
In most organizations, smartphones and tablets are now as common as desk phones and desktops, and in some cases, they’ve already displaced those devices. That prevalence is a major reason why hackers are increasingly targeting mobile devices—and why businesses can’t afford not to secure them.
K Royal is the Vice President, Assistant General Counsel and serves as the Privacy Officer for CellTrust. An attorney and compliance professional with 20 years of experience in the legal and health-related fields, she brings a thorough perspective in global program implementation. Skilled in privacy law, breach management, compliance and program development, Ms. Royal was recently honored as the ACC’s 2015 Robert I. Townsend, Jr. Member of the Year.