Cybersecurity is a top of mind concern for CIOs, as the number of companies who fall victim to cyber attacks and data breaches increases every year. Attacks are becoming more common, sophisticated, and costly. Executives and IT professionals alike know the importance of enterprise security, yet companies’ security policies frequently fail to address one key area of vulnerability to organizations – employee mobile devices.
Enterprise mobility management can seem a daunting undertaking for companies, but its importance is undeniable. A recent survey by Tangoe showed that 65% of IT managers find cybersecurity to be the most challenging aspect of managing mobility within their organizations. Use of mobile devices is on the rise every year, both at home and in the office. According to Pew Research, 95% of Americans own a cellphone, and 77% of them own smartphones – and Lopez Research points out that approximately 60% of these mobile devices are now being used for work purposes. With more and more employees working from home and on-the-go, mobile devices have become an essential tool to remotely access company emails and information.
With these trends comes the need for increased governance around employee device usage, to ensure that company data is kept secure. Yet according to Ecoconsultancy Research, 48% of organizations do not currently have an established strategy around mobile security. This glaring omission greatly impacts enterprise security as a whole, as hackers are able to explore vulnerabilities in unsecured mobile devices to tap into company networks. Whether your organization has 100 or 10,000 devices, all it takes is one unsecured device for a hacker to penetrate your network. For enterprises with aging legacy systems, the risk is great as these systems were not built to allow personal devices to tie into them.
Mobile security is not an issue strictly limited to BYOD. Even if a mobile device is provided by the company, employees are more likely to use their phones than their laptops for personal reasons – such as accessing mobile applications like social media networks, dating apps, games, and more. With thousands of new applications being introduced into app stores each day, the opportunities for mobile vulnerabilities are limitless. Many apps ask for permission to access your contacts, photos, or social media profiles. Once an app has those privileges, your device’s data is exposed and ripe for the taking. For example, any application in which you enable your camera – such as Snapchat or even banking apps – now has access to your photos. If you have a picture of a company credit card or any other sensitive information on your camera roll, that application can now access this information. Without a proper security program and clearly defined best practices companies will be unable to control who truly has access to sensitive data.
Since companies won’t be able to stop employees from using these applications on their own devices, a strategy is needed to ensure the separation between personal and work use so that company data is not accessible. And the longer organizations wait to implement a mobile security policy, the more complex it will become to create and enforce one. So what can organizations do to allow employee mobile access to corporate resources, while also ensuring enterprise security?
The first step must be to establish a mobile policy that aligns with an enterprise’s corporate objectives. While this may start with the technology department, mobile security policy is not just an IT issue. It affects HR, finance, security, marketing, and all other groups within an enterprise. CIOs must work with all of these groups to gather their input and identify top priorities, and create a strategy that considers all needs.
Thus far, most companies’ strategies in this regard have been more reactive than proactive. They may have policies and procedures around responding to and recovering from mobile security breaches – but many don’t have preemptive strategies in place to prevent this from happening in the first place. It is important to create a mobile strategy that addresses the risks involved in using mobile devices for work, and creates best practices to manage these vulnerabilities from every angle.
Device Inventory Visibility
Organizations should begin by having a clear view of all employee devices, including devices that are provided by the company as well personal devices accessing the company network. This includes visibility into who owns which devices, where those devices are primarily used, which devices are accessing the network, whether they are registered and configured with an Enterprise Mobility Management (EMM) solution, to start. Once an organization has a complete picture of device inventory, devices can be more effectively monitored and managed.
Organizations should establish a policy regarding the proper use of company data and the security and procedures needed to protect it. This should cover everything from what types of data and content are allowed to be accessed via which devices, what permissions and security should be in place, as well as the encryption of the data itself. This leads into the next topic, which is the management of applications and data on employee mobile devices.
It is essential that companies have policies regarding the download and usage of mobile applications in the workplace, both for company devices and personal devices. An obvious concern is that users could download applications containing malware, thus compromising the data on their devices and potentially impacting the entire organization’s network. This is particularly important for global companies. For example, in China users cannot access the Android Play Store, so apps are routinely downloaded from nefarious third-party app stores that commonly come with malware and other hidden code that can leave an institution’s data at risk.
In addition to this risk, there is also the risk of employees downloading and accessing content and applications that are not appropriate for the workplace. Organizations should determine what applications should be “whitelisted” (considered appropriate and safe to access at the workplace) and which are “blacklisted” (not appropriate or safe). This may differ from company to company, depending on their personal assessment of the risk associated with certain applications, such as dating sites or social media.
A proper operating system (OS) security policy should be a part of any mobile strategy. The first line of protection for mobile devices is the maintenance and protection of the OS. Apple and Android release frequent OS updates, and these updates are the first line of defense against mobile security threats. Due to their closed ecosystem, it is inherently easier to maintain OS security in iOS devices. However, it is still imperative for companies to have a proper passcode policy in place for all BYO devices. Practices such as mobile authentication, containerization, and app-wrapping can ensure that sensitive information on devices remains protected.
Organizations would benefit from maintaining a “mobile-first” policy. This means that every new service, application, or offering that the company creates should be developed for mobile devices first. Thus, the security of that software will be a top concern as it would be imperative for launch success. As it currently stands, mobile is often an afterthought, and thus, so is the security around it.
Deploying an enterprise mobility management solution is the best way to ensure that the correct policies, procedures and capabilities are put in place to best combat the vulnerabilities posed by mobile devices. However, buying a solution is not the final step. Organizations must be proactive and monitor device usage and activity on an ongoing basis, to ensure that devices remain secure and compliant and that new devices are registered as they enter an organization.