designsoliman - Fotolia


Six must-haves for IT's mobile security checklist

Enterprises are constantly bombarded by mobile security threats, and it's up to IT pros to thwart them. There are six key items that belong on IT's mobile security checklist.

IT professionals must remain vigilant against threats to enterprise data, making a mobile security checklist a necessary weapon for any organization's arsenal.

Let's face it -- there is no such thing as absolute security, and there likely never will be, simply because allowing even restricted access to any resource means that someone might compromise this access. Hackers can be bright but misguided, but professional information thieves are like any other spies on a critical mission, with the goal of stealing information or disrupting an organization's operations, often with devastating results.

Since it's impossible to guarantee absolute security, the mission for IT administrators is to make any compromise to enterprise mobile security so difficult that all but a handful of hackers with access to nation-state-level resources will simply give up. The basics of good security practices are the same, regardless of organizational mission, size or the specific infrastructure and tools.

Here is a mobile security checklist of what IT needs to put today's mobile-centric organizations on the minimally-vulnerable list:

Policies, education and reinforcement

The mobile security landscape, from threats to strategies to tools, is constantly changing.

Any mobile security checklist should start with a security policy that makes it clear which information is sensitive, who can have access to it and under what circumstances, and what to do in the event of a breach. Admins must make sure everyone understands the policy and the tools, systems and procedures IT has put in place. Formal education and training is a good idea in many cases, but so are regular reminders and reinforcement.


IT must encrypt sensitive data that's in transit across a network or in residence on a server or a mobile device. Do not rely on carrier assurances that their traffic is encrypted, and enforce the use of the organization's own VPN. IT must also encrypt data sitting on a storage device; in the event the data is stolen, good encryption can frustrate all but those nation-state-level actors, and maybe even them as well.


Authentication is the proving of identity, usually with a username-password combination. Two-factor authentication requires something users have, such as a smartphone, plus something they know. IT can use authentication to generate per-user and per-session encryption keys, confounding anyone attempting to eavesdrop on network traffic. Contemporary identity-management tools provide uniformity in concert with other essential IT elements, such as directory services.

Management and control

The plethora of enterprise mobility management tools available has become a primary mobile security implementation vehicle for IT, particularly with respect to mobile application and content management. The secure container model extends well past mobile users and devices alone, applying to the entire organization. Management consoles, analytics and regular monitoring are also essential. Finally, an antimalware program can also be part of overall mobile device management, although some IT professionals may be skeptical of the efficacy and effectiveness of these products. Server-side malware checking is increasingly desirable, regardless.

Test your Android data security know-how

Android is a popular mobile OS among consumers, but its well-known security gaps make many businesses pause. Test your knowledge of Android's data security.

Physical security

It's vital to restrict access to sensitive facilities and equipment of any form, and IT processing, storage and networking equipment is no exception. It's easy to lock up organizational equipment close to the core, but admins should review cloud services vendors and their policies and capabilities. Ether switches and Wi-Fi access points (APs) are often exposed, so console alarms and logs are therefore essential for monitoring these vulnerabilities. Carefully explore any alerts related to even momentary AP outages, physically lock down all APs and switches and regularly inspect equipment for any signs of tampering. Video surveillance -- the use of Wi-Fi is an increasingly-popular option for that -- also proves useful in many environments.

Fault tolerance/disaster recovery

Extending the basics of physical security, it's important to think in terms of overall integrity. Suppose the worst happens -- fire, flood, power outage or other natural or even man-made disaster -- rendering a critical IT facility cold and dark. The duplication of facilities has been the preferred route historically, but the advent of the cloud introduces a new possibility -- configuring standby facilities in the cloud -- often employing redundant service providers -- and even disaster recovery as a service. And, of course, many IT shops look forward to having essentially all IT processing and storage capacity in the cloud going forward, with fault-tolerance and scalability available on-demand and transparently. Finally, many cloud service providers already have security as a service offerings, so it just gets easier over time to leverage cloud-centric best practices, and at the best possible price.

As always, it's vital to stay up to date regarding all aspects of security. The work is never done, and the mobile security landscape, from threats to strategies to tools, is constantly changing. Larger organizations should have a security team on the job every day, examining operational vulnerabilities and addressing any trouble spots, and making good use of that mobile security checklist.

Next Steps

IT's top three mobile security concerns

What is the top mobile security threat?

How to counter mobile app security woes

Dig Deeper on Enterprise mobile security