Many enterprises are now embracing mobile devices such as cell phones and tablets. The rapid adoption of these devices has given the workforce greater mobility. However, it has also raised a myriad of security concerns that need to be addressed in practice and policy.
Without mitigating these risks, many enterprises and small businesses leave their internal networks exposed.
What best practices can help an enterprise, regardless of size, mitigate these risks?
Enforcing a well-thought-out security protocol is one aspect of securing information on mobile devices. So how do you create such a policy? A simple question to ask yourself is, “What kind of mobile devices will your employees be using?” Choose your devices carefully, as not all devices are created equal. The iPhone and iPad, for example, are geared towards the general consumer and do not have security features as robust as those of other devices. A BlackBerry is designed for enterprise users and allows for more IT security controls. Android-based tablets and phones do allow for a certain degree of security but do not always integrate as well into a corporate network. Perhaps the greatest compatibility offered by any mobile device can be found with Windows Mobile, as features found on a corporate domain can be integrated into its mobile counterpart. The degree to which you can control security on the mobile devices used by your employees depends greatly on the vendor you select.
The first step, and one of the easiest you can take, is to require authentication: enable a password on the device. Apple’s devices use a four-digit passcode, Android devices mostly use a pattern feature that requires you to drag a finger across the surface of the device, BlackBerry uses a PIN code and Windows uses a password much like a home PC. Biometrics arguably offer the most security but have yet to be widely incorporated into hand-held devices. Everyone should be required to set up a secure and original password. Anyone can lose a mobile device. Even a simple password can make it more difficult for an unscrupulous finder to access the device.
Losing a mobile device, unfortunately, is not unlikely. Part of the policy that should be implemented is a lost phone hotline. This way the employee can immediately call the IT staff and report that their device has been lost and could be compromised. It is important to set up a direct line and publicize the procedure for notifying IT in an event like this. Some devices can display a telephone number on the locked screen in case a lost mobile device is found. It is also important to utilize logon failure procedures. These can range anywhere from a total device lock-out to wiping all data from the device. So don’t forget your password!
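The range of logon failure procedures described above, from a lock-out to a full wipe, modelled as an added example that is not part of the original article. The class names, the thresholds and the doubling delay are illustrative assumptions, not any vendor's actual behaviour.

```python
import hmac
from dataclasses import dataclass


@dataclass
class FailurePolicy:
    """Hypothetical logon-failure policy; all thresholds are illustrative."""
    lockout_after: int = 5     # failures before a timed lock-out starts
    lockout_seconds: int = 60  # first lock-out; doubles on each further failure
    wipe_after: int = 10       # consecutive failures before all data is wiped


class DeviceLock:
    """Tracks consecutive failed unlock attempts and applies the policy."""

    def __init__(self, passcode: str, policy: FailurePolicy):
        self._passcode = passcode
        self.policy = policy
        self.failures = 0
        self.wiped = False

    def attempt(self, guess: str) -> tuple[str, int]:
        """Return (state, seconds the device refuses further attempts)."""
        if self.wiped:
            return ("wiped", 0)
        if hmac.compare_digest(guess, self._passcode):  # constant-time compare
            self.failures = 0  # a successful logon resets the counter
            return ("unlocked", 0)
        self.failures += 1
        if self.failures >= self.policy.wipe_after:
            self.wiped = True
            self._passcode = ""  # stands in for erasing the device's data
            return ("wiped", 0)
        over = self.failures - self.policy.lockout_after
        if over >= 0:
            return ("locked_out", self.policy.lockout_seconds * 2 ** over)
        return ("denied", 0)


def guess_odds(keyspace: int, policy: FailurePolicy) -> float:
    """Chance that random guessing hits a uniformly chosen code before the wipe."""
    return min(1.0, policy.wipe_after / keyspace)
```

With a four-digit passcode (10,000 combinations) and a wipe after ten failures, `guess_odds(10_000, FailurePolicy())` gives 0.001: someone who finds the device and guesses at random gets in about once in a thousand losses.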
Give your IT staff the ability to remotely access and disable mobile devices in the event of loss or theft. Hacking a device or network remotely is an involved process and requires a very high level of operating system and hardware knowledge. However, if someone has physical access to a device that contains sensitive information, acquiring the knowledge to break into the device can be as easy as watching a YouTube video. By utilizing remote wipe capabilities, you can be assured that the sensitive information about your new prototype, saved to the tablet that the executive forgot on the airplane, can be safely wiped from that tablet. Fortunately, for those devices that do not inherently possess such features, third-party software developers are lending their expertise to rectify these problems. Webroot, for example, now offers an application for mobile devices much like their PC virus protection software. It offers stronger security features than what is built into the device and even allows the device to be located remotely using the GPS feature of the device.
The reason that smartphones and tablets are such great devices is also the reason they are dangerous. They are essentially miniature computing platforms that can accept any type of third-party application. Limit the installation of unsigned third-party applications to prevent hackers from taking control of the mobile device. Currently, viruses are very uncommon on platforms other than Windows. Your phone and tablet are not susceptible to the same problems that plague your PC. However, security still needs to be taken into account. An unknown third-party application could manipulate the device for the worse if it contained malicious code. If someone has the knowledge to create an application, they also have the knowledge to write a script that could transmit the data almost anywhere.
Bluetooth technologies make it easy to talk “hands-free” as well as connect to various other devices. However, Bluetooth is another conduit that can be used by someone to gain entrance to the device. Think of Bluetooth in the same sense as a side door to a business. The doorway itself is not dangerous, but what if it is left unlocked when a shady character is looking for an entrance to exploit? To limit the exposure from Bluetooth technologies, users should disable Bluetooth when it is not actively transmitting information. Switching the Bluetooth device to hidden mode can be useful as well. A good practice is not to leave it on when you are stationary. Bluetooth only has so much range. Using a wireless headset while driving is far safer than simply utilizing the device to appear important as you order your latte at Starbucks. The only people who are able to take advantage of the technology are those who are nearby.
When accessing a public Wi-Fi hotspot, always choose the most secure network available. Make it a practice to always set the network location to a “public network” if the device gives you the option. Simply avoid conducting sensitive business using the unsecured Wi-Fi hotspot at the local café. This is always the best preventative maintenance.
Address these concerns and make them a part of your policy for mobile devices. There are always ways to work around software policies. Computer hackers would cease to exist and there would be no need for security software if this were not the case. You may not always be able to prevent everything, but knowing who is accessing what information and from where is another element. For example, on a Windows platform, file auditing can allow you to see who is accessing information, when they are doing it and where they are doing it from. Make employees aware of this as well. We all behave better when we know we are being watched.