Do This Now: Define Your Mobile Security Policy
Individual employees tend to use their personal mobile devices for business use, resulting in a potential security nightmare. If you don’t have a mobile security policy in place, you need one ASAP.
Mobile devices bring new challenges to workplace security. The wide range of smartphones, tablets and other mobile devices makes it difficult to create an all-encompassing security policy — but not impossible.
You have two possible solutions for mobile security. One is to hire mobile device management (MDM) services to produce a standard mobile platform, an expensive proposition.
Bring Your Own Device (BYOD) systems save businesses money: Employees purchase their own devices and use them for business purposes. With Android, Apple and, eventually, Windows RT devices all working on one system, a BYOD system needs a carefully worded security policy to protect data.
KISS the BYOD, but Don't Kiss it Goodbye
KISS stands for Keep It Simple, Stupid, and that tried-and-true saying applies to most employee policies. Darrin Reynolds, vice president of information security at New York City-based Diversified Agency Services, suggests writing mobile policies in crayon. He’s joking, of course, but beneath the humor is a firm belief that simple, clear instructions are best when it comes to BYOD policies.
Reynolds suggests five basic BYOD rules. Every mobile device used to send, receive or store corporate data must meet the following conditions:
- The device allows you to have a Personal Identification Number.
- The device supports code locks.
- The device has an automatic lockout feature.
- The device supports encryption.
- The device supports remote data wipes.
Reynolds’s suggestions are simple, easy to understand and enforceable — employees must prove that their device supports these requirements before it is allowed access to the network.
Reynolds cautions that employees should always report lost or stolen devices to the IT department before calling carriers to terminate services. Once services are terminated, the company loses all opportunity to remotely wipe data.
Apps and BYOD Mobile Security
Device theft is probably the single most serious challenge faced by mobile security, but don’t underestimate unsafe applications. Almost all malware found on smartphones and tablets come from Trojans — malware hidden inside harmless-looking applications.
To protect against malware, employees should only use vetted applications from safe sources such as the Apple store. Security policies should make it clear what types of application are acceptable, which are unsafe, and how to tell the difference. Emphasize that IT departments and help desks are available to assist users in selecting safe apps.
Update, Update and Update Some More
If all mobile devices ran on centrally managed software, IT departments could control updates and security-patch installation. In a BYOD system, the responsibility for updating devices falls squarely on the employee.
Installing updates and patches protects your device and your data, and as such it is as important for private devices as it is for corporate devices. Employees should learn how to accept updates as part of their mobile security training.
Define Acceptable Mobile Computing Use
If an employee uses a personal device for corporate purposes, he or she needs to accept some restrictions on acceptable use. In addition to explaining how the user may use the device, the security policy needs to clearly state any banned activities. After all, the mobile is an extension of your office, so usage should comply with your broader Internet policies.
A security policy for mobile devices doesn’t need to be complicated: indeed, to be successful the policy should be as simple and transparent as possible. Regular discussions of the policy and calls for employee suggestions help keep security issues fresh in users’ minds. Treat employees as participants in the process. After all, no one wants to be the individual who accidentally causes a data breach.