As mobile devices become more ubiquitous across the enterprise, IT should address security as a part of the ongoing process of mobile management.
Mobile device security threats are everywhere -- on physical devices, on the cloud and practically everywhere in between. From theft and loss to malware to man-in-the-middle attacks over open wireless, the attack surface of mobile is significant. That's why it's important to implement the following best practices to prevent mobile device security threats.
Mobile threat defense 101
IT should ensure that all end users run current OSes on their mobile devices. Their devices should not only run the most recent security patches, but they should also use modern security features such as full-system encryption, stronger password or PIN requirements, and biometric authentication. IT must update mobile apps on a periodic basis via end users or, ideally, through automated systems such as mobile device management (MDM) or unified endpoint management (UEM). IT should also properly vet mobile apps for security flaws from the beginning of the development process. IT should log and monitor every security event.
IT can implement companywide file sharing and document collaboration that discourages usage of consumer-based apps that may not provide the necessary visibility and control to prevent mobile device security threats. Organizations should set security standards, policies and plans that incorporate mobile devices, especially for devices that access corporate email, files and VPN connections. This is a common challenge, especially given the presence of BYOD in many organizations. IT should incorporate mobile device security threats into the organization's incident response capabilities. This crucial step can make or break the business if a mobile device is lost, stolen or hacked.
IT shouldn't stop with the traditional mobile device security threats; sometimes mobile devices themselves are the actual threat -- or the end users. All it takes is for an employee to make one misinformed decision, such as downloading rouge apps, to expose the environment to mobile device security threats. To prevent this, organizations should educate end users about the best practices of mobile security. Paperwork is good to have, but only when organizations properly communicate and set the expectations for end users.
IT must also back up mobile security intentions with technical controls such as MDM and UEM to minimize mobile device security threats. IT should use security features on MDM and UEM platforms such as remote wiping, passwords and geolocation controls. In addition, IT should oversee and validate apps through MDM and UEM, as well as conduct ongoing monitoring and alerting for mobile security events. IT should treat mobile devices as part of -- or at least an extension of -- the existing network, to bring them under the umbrella of the organization's overall security program. This helps to ensure that IT cohesively implements and enforces security standards, policies and procedures across the enterprise.
One last tool in a mobile threat defense arsenal is to test for mobile security flaws. IT should never assume that all is well just because the organization implements technologies such as MDM and UEM. IT must incorporate mobile devices into the scope of vulnerability and penetration tests and ongoing security audits.