IT administrators faced with the influx of mobile devices in the enterprise need to step up and define mobile security policies governing how employees can use these ubiquitous tools in the first place.
Employees are increasingly bringing their own mobile devices into the office, using them to check their corporate email, read documents, and access work-related applications. The mobile device dilemma isn’t limited to smartphones and tablets. Mobile security policies also have to address company-issued laptops. For example, you may have more employees than ever working remotely or out in the field, and they need their work-issued laptops to be able to reach the corporate network from whatever network they happen to be on. If any of those devices fall into the wrong hands, your corporate data, such as customer records, contracts, and even financial records, could be exposed.
Welcome to mobile security in the workplace, where IT has to protect both company-issued and employee-owned equipment, as well as all the corporate data and applications being accessed via these devices. Here are four tips for IT administrators to follow as you craft your company’s mobile security policies.
1. Mobile security policies must clearly identify what is supported
It doesn’t make sense to be overly restrictive (such as forcing everyone to standardize on one platform). Likewise, you have to be careful not to spread your IT organization too thin by trying to support every single mobile platform out there.
It’s also perfectly reasonable to demand a certain level of cooperation from your users. Many companies flat-out refuse to support rooted or jailbroken devices because of the mobile security risks they pose: platform protections such as application sandboxing and enforced passcode settings can no longer be relied on once a device has been modified that way. Administrators can also refuse to support devices that don’t meet minimum mobile security standards, such as having antivirus installed on a personal laptop or a passcode lock on the smartphone to prevent unauthorized access.
2. Mobile security requires clearly defined user risk profiles
Organizations have to figure out what the limits are when it comes to data access. Some organizations may choose to give employees access to data, but never let it be actually downloaded to the user device.
Some employees, based on their job title, may never be allowed to access certain applications from mobile devices. User risk profiles help clarify what levels of access different groups are allowed to have, and what attributes about the group require that level of control.
3. Mobile security involves defining your users’ responsibilities
Employees need policies clearly outlining their responsibilities, which may include promptly reporting lost and stolen devices, installing the minimum required security software, and complying with all policies. Being allowed to access the corporate network may mean agreeing to allow IT the power to remotely wipe all data from the device if it is ever lost, for example.
4. Don’t overlook physical mobile security
Loss or theft is a serious event. Smartphones and tablets should have a passcode and an idle timeout that locks the device so that unauthorized individuals can’t gain access to the data. Laptops should be secured with a strong password. Encrypting the entire drive is another smart step, because a login password alone does nothing to protect data on a drive that has been pulled from the machine. This way, a stolen laptop, smartphone, or tablet becomes less of a disaster.
There are plenty of resources for administrators looking for guidance. The National Institute of Standards and Technology last year updated its guidelines for securing mobile devices. “Guidelines for Managing and Securing Mobile Devices in the Enterprise” (SP 800-124) recommends using a centralized mobile device management tool to secure all mobile devices, regardless of who owns them. The SANS Institute also offers various templates and sample policies on mobile device security covering employee responsibilities, encryption, and storage devices.
While creating strong security policies is important, they remain ineffective if IT doesn’t extend its existing policies to mobile devices or doesn’t enforce them. For example, if your general security policy requires users to have a 15-character password to log on to the corporate network, that requirement has to apply to mobile devices as well. Most importantly, administrators have to create, and regularly update, an inventory of all mobile devices in the enterprise. Knowing what devices are on the network, and how many of them there are, is the critical first step toward identifying which users aren’t meeting mobile security policy requirements, since a device that is not in the inventory cannot be checked against any policy at all.
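To make the last point concrete, here is an added example (not code from the article, NIST, or SANS) of what an inventory check against a written policy looks like in practice. The policy values, the device record fields, and the sample inventory are all assumptions constructed for this illustration; a real check would read the same attributes from your MDM export rather than from an inline list. It covers the rules the article raises: supported platforms, rooted or jailbroken devices, passcode length, idle lock timeout, storage encryption, and antivirus on laptops.

```python
"""Evaluate a mobile-device inventory against a written mobile security policy.

Added example with hypothetical records and rule values; the field names
(platform, rooted, passcode_len, idle_timeout_s, encrypted, av_installed) are
assumed inventory attributes, not any particular MDM product's schema.
"""
from dataclasses import dataclass
from typing import Dict, List

# Policy values are assumptions standing in for a real written policy.
POLICY = {
    "supported_platforms": {"ios", "android", "windows", "macos"},
    "min_passcode_len": 15,      # the corporate 15-character rule, applied to mobile too
    "max_idle_timeout_s": 300,   # device must auto-lock within five minutes
    "require_encryption": True,
    "laptop_require_av": True,
    "allow_rooted": False,
}


@dataclass
class Device:
    device_id: str
    owner: str
    kind: str            # "phone", "tablet" or "laptop"
    platform: str
    rooted: bool         # rooted (Android) or jailbroken (iOS)
    passcode_len: int    # length of the device passcode / login password
    idle_timeout_s: int  # 0 means no automatic lock at all
    encrypted: bool      # full-device or full-disk encryption enabled
    av_installed: bool = False


def evaluate(dev: Device, policy: dict = POLICY) -> List[str]:
    """Return the list of policy rules a device violates (empty means compliant)."""
    violations = []
    if dev.platform not in policy["supported_platforms"]:
        violations.append(f"unsupported platform {dev.platform}")
    if dev.rooted and not policy["allow_rooted"]:
        violations.append("rooted/jailbroken")
    if dev.passcode_len < policy["min_passcode_len"]:
        violations.append(f"passcode shorter than {policy['min_passcode_len']}")
    # A timeout of 0 (never locks) is worse than a long one, so treat it as missing.
    if dev.idle_timeout_s == 0 or dev.idle_timeout_s > policy["max_idle_timeout_s"]:
        violations.append("idle lock missing or longer than allowed")
    if policy["require_encryption"] and not dev.encrypted:
        violations.append("storage not encrypted")
    if dev.kind == "laptop" and policy["laptop_require_av"] and not dev.av_installed:
        violations.append("laptop without antivirus")
    return violations


def noncompliant(inventory: List[Device], policy: dict = POLICY) -> Dict[str, List[str]]:
    """Map device_id -> violations for every device failing at least one rule."""
    report: Dict[str, List[str]] = {}
    for dev in inventory:
        found = evaluate(dev, policy)
        if found:
            report[dev.device_id] = found
    return report


# Constructed sample inventory; none of these are real devices or users.
INVENTORY = [
    Device("ph-001", "alice", "phone", "ios", False, 16, 120, True),
    Device("ph-002", "bob", "phone", "android", True, 4, 0, False),
    Device("lt-001", "carol", "laptop", "windows", False, 15, 300, True, av_installed=True),
    Device("lt-002", "dave", "laptop", "macos", False, 8, 900, False, av_installed=False),
    Device("tb-001", "erin", "tablet", "blackberry", False, 15, 60, True),
]

if __name__ == "__main__":
    for dev_id, issues in noncompliant(INVENTORY).items():
        print(f"{dev_id}: " + "; ".join(issues))
```

Running it lists ph-002 (rooted, short passcode, no idle lock, unencrypted), lt-002 (short password, long timeout, unencrypted, no antivirus) and tb-001 (unsupported platform), while ph-001 and lt-001 pass. The useful property is that the same rule set applies to phones, tablets and laptops, with only the laptop-specific antivirus rule keyed on device kind, which mirrors the article's point that the general security policy has to cover mobile devices rather than getting a separate, weaker one.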
About the Author
Fahmida Y. Rashid is a contributor to EnterpriseEfficiency.com, a UBM Tech community.