If people in your organization conduct business on smartphones and tablets, training mobile employees on device security is important.
Every mobile device has the potential to compromise sensitive data and facilitate
Mobile device management tools can help control and secure smartphones and tablets at the IT level. But the fact is some of the most effective security measures you can take are available only at the device security level. Training mobile employees in the following mobile device security strategies and empowering them to preserve corporate data and the integrity of their devices can help with protecting data.
Protecting data and devices
Mobile device theft is on the rise. Devices are stolen out of people’s pockets and grabbed out of their hands, so it’s important that users give thought to when and where they access their devices. Users should never lend their devices to untrusted people, who can introduce malware and activate unwanted services. A good rule of thumb to share with users is, “maintain the same control over your devices as you would over your credit cards.”
Users should record or register serial numbers and enable passcode and time-out protections in case their devices get lost or stolen. They should set the device to lock automatically after it’s been inactive for a predetermined amount of time, and require a passcode after that period of inactivity or whenever the user turns on the device. Users should always enable the strongest passcode possible and follow the same password-protection guidelines as they would for any network resource. Relying on simple numeric codes or words does not provide enough device security.
Whenever possible, users should implement auto-erase and remote-wipe protections. Some devices can be set to erase all personal data if someone enters 10 incorrect passcodes in a row. If a device gets lost or stolen, the user can remotely erase all data on the device. Make sure users back up their devices so they can recover important data in case of an auto-erase or remote wipe-- mobile devices should never serve as the sole storage mechanism for data.
In addition, users should encrypt any sensitive data they store on their devices. How and what users can encrypt varies greatly from device to device, so IT should work with device owners to determine what’s available. Mobile devices should not store any sensitive data that users cannot encrypt.
Finally, users should set up tracking when available so they can locate the device if it is lost or stolen. Some devices have this feature natively, and third-party apps can provide this functionality on other devices.
Even when users take all these precautions, make sure users know to report any missing device to their organization as soon as possible.
App security and antivirus
One of the most important facets of training mobile employees is encouraging them to not jailbreak devices. Jailbreaking lets users override devices’ application protections to download non-approved, non-supported apps, which can make devices more vulnerable to malware and attacks. In fact, users need to be careful when installing any third-party apps -- especially those from less-controlled sources, such as Google’s Android Market.
IT should provide users with a list of pre-approved apps, and users should take extra caution when installing apps that aren’t on that list. Employees should consider how many people have downloaded the app, the app’s user rating and other online scuttlebutt. Remind users to update apps regularly, because these fixes often address new security concerns.
It’s also important that users implement virus protection, spam detection and other malware protection on all devices (that is, when such software is available; there’s not much out there yet to protect iOS devices).
Improving device security with strong network connections
When it comes to mobile device security and protecting data, one last area to stress to end users is network connectivity and online behavior. When users aren’t using apps and services, they should disable those features to reduce their device’s attack surface. This is especially important for Wi-Fi, Bluetooth and infrared services. Unsecured wireless networks make devices more vulnerable to attack and can put an organization’s entire network at risk. And if users need to use Bluetooth, they should use alphanumeric passwords for pairing, pair only with known devices and make sure their device’s Bluetooth display name -- which is publicly viewable -- doesn’t reveal their identity.
Finally, users must take care in how they browse the Web, because a device’s browser is just as susceptible to malware as a desktop PC’s. Users’ Web browsers should have pop-ups and cookies disabled. And ideally, mobile devices should connect to enterprise resources only through a corporate firewall that inspects incoming packets.
This was first published in January 2012