Mobile Computing.com

Best mobile device security policy for loss or theft

By Kevin Beaver

Mobile devices running up-to-date OSes and apps aren't terribly susceptible to traditional malware or newer threats such as cryptojacking, but fully updated devices won't protect users from the threat of device theft and loss.

IT professionals must prepare for users with a stolen or lost work phone or tablet with internal communication and the proper mobile device security policy.

Why is a lost or stolen mobile device security policy so important?

The first step to develop a reasonable response procedure for a stolen or lost work phone is to acknowledge what's at stake. Today's business smartphones and sometimes even tablets store a huge amount of information and access, so IT must address lost or stolen devices as serious threats.

IT must properly configure its fleet of mobile devices with the necessary protections, password requirements and encryption. If these policies aren't in place for corporate-issued and BYOD devices, a mobile device in the wrong hands could have disastrous consequences.

Without the proper protections, a lost or stolen mobile device grants full access to components such as:

• work email accounts;
• files stored locally and in the cloud;
• multifactor authentication controls;
• web browsing history; and
• password stores.

What can IT do to minimize the damage of a stolen or lost work phone?

At a minimum, IT should enable the following mobile device security policy controls for a stolen work phone with a mobile device management (MDM) or enterprise mobility management (EMM) tool:

• require PINs or passcodes to be at least five characters long;
• automatically lock devices after five or more failed device unlock attempts;
• hardware-level and file-level encryption;
• mobile device tracking; and
• remote device wipes in the event of theft.

These device controls are widely offered in a number of EMM and MDM tools such as Idaptive's Next-Gen Access tool, IBM's MaaS360, VMware AirWatch and many others.

Another way IT can reduce the damage of a lost work phone is to ensure that users are on board with a mobile device security policy and established best practices. Users must know the exact steps to follow once the loss or theft occurs, such as how to report a lost device and how to help locate it. IT professionals may have listed or documented these steps in a manual, but they must communicate the process to users as well.

Finally, IT must evaluate existing controls and processes for lost mobile devices. IT professionals can run tests for these policies on a one-off basis every year via a survey or in a one-on-one meeting, or they can integrate it with ongoing vulnerability and penetration testing and incident response initiatives.

Most organizations have at least Office 365, but MDM and EMM controls are ideal for deploying a mobile device security policy because they are more robust. With these tools or platforms in place, IT must work with management regarding logistics such as internal policies, external contracts and compliance requirements. IT professionals should present the gravity of a lost work phone to convince executives to allocate the proper resources toward this issue.