Mobile security continues to be one of the biggest concerns for most CIOs. Fear of data breaches and system hacking kept mobile devices out of the enterprise mainstream for a long period of time. The days of IT denying mobile work devices have passed, but mobile devices still pose a very real security risk.
The range and variety of mobile products make it harder for IT departments to apply the kind of blanket security that is possible with a unified product set, like Windows PCs. It's important for companies to maximize mobile security, particularly in a regulated industry such as finance or healthcare.
Here are seven mobile security tips to keep your company safe from costly mobile device data breaches.
First, organizations must write and enforce a policy that tells users exactly how to purchase, enable and connect a device to the corporate assets for which it is best suited. Admins must communicate the policy to all users. Keep it brief -- no more than a few pages -- but spell out what the risks may be if employees don't properly follow the policy. The policy should cover everything from having an insecure device, all the way to causing data breaches and possible termination for flagrant disregard for enterprise security.
Next, make sure that, at a minimum, all users have a password-protected login -- not just to the corporate network, but also to their own devices. Unless this mobile security tip is enforced, a majority of your employees will not create password-protected logins for their own devices. Passwords must be enforced through the use of proper tools.
IT must also ensure that any apps users download to their mobile devices are firewalled for connections -- via a VPN -- and are contained in a vaulted segment of the device. In the past, vaulting through a containerized approach required specialty software that either stood alone, such as Mocana, or relied on specialized enterprise mobility management (EMM) suites, such as BlackBerry/Good, Citrix, MobileIron and VMware/AirWatch.
The latest versions of mobile OSes, such as iOS and Android for Work, have inherent capabilities to create containerized app segmentation and keep personal and work apps separate. Companies should strongly encourage users to obtain devices enabled with these capabilities, especially if employees choose an Android device whose consumer version is not as enterprise-safe as it should be.
In a regulated industry with high requirements for mobile security and compliance, users should have only the most secure devices available. Examples include Android devices with added, hardware-enabled security similar to BlackBerry DTEK or Samsung Knox, which have hardened their security mechanisms and received government certifications.
IT could also use a container platform from one of the major EMM vendors to create a vaulted capability on users' devices. This is not as complete a method as using an enhanced hardware device, but it does offer a significantly higher level of security than consumer-level devices.
IT should try to minimize the number of public apps that users download to their devices, since available apps in consumer app stores pose a risk of compromising the user's data and device. Enterprises, with user permission, should regularly check the device for any problematic apps when it logs onto the corporate network. Many EMM suites can provide this feature if it is enabled.
IT must manage and verify even high-security devices before granting users access to corporate apps. Most of the major EMM suites have significant capabilities to keep corporate mobile devices secure, and companies should have such tools deployed.
Many EMM options now include PCs as part of their unified endpoint management capabilities to make the tools more inclusive.
Microsoft Intune went in the opposite direction by offering protections to mobile devices that were previously only available to Windows devices.
IT must update any and all corporate security systems -- especially mobile security -- as conditions warrant. Admins should be reviewing and updating mobile security policies on at least a semiannual basis. Otherwise, the company won't be able to keep up with the latest in security additions or minimize exposure to emerging threats.
There is no bulletproof way to keep all mobile devices secure, but the seven mobile security tips above are a starting point. It is important for organizations to make sure they have the proper policies and tools in place to keep threats to a minimum. Without these precautions, the enterprise risk level is too steep.