Mobile device security: Tips for securing portable devices at your organization
October 06, 2015
Gone are the days where “going to work” meant sitting behind a desk for an 8-hour period. In fact, today, the atypical workplace—whether at-home or on-the-road at a hotel, in a cab or on a train—is the norm.
And the glorious tools making this increased mobility possible? Mobile devices, of course. But this portability comes with a price: Mobile devices are more susceptible to attacks, viruses, and malware, not to mention there’s the possibility of device loss as well as loss of data in transit. Fortunately, there are simple steps that organizations can take to mitigate their security risk and reap the rewards that mobile devices provide:
1. Provide employees with comprehensive security policies and procedures—and make sure they are realistic.
A clear and concise security policy that establishes the roles and requirements of employees is absolutely essential for helping to achieve a secure mobile workforce. The policy should specifically outline security measures and procedures for handling sensitive data, including storage and disposal. When faced with limited capability due to tight security protocols, even well-intentioned employees may try to find ways to “bend” the security rules—including abandoning the corporate-issued device altogether in favor of their own device. It’s a difficult task, but organizations must strike a balance between convenience and security, and policies and practices must reflect the organizational goals in this regard. At the same time, they must address fundamental issues, including device ownership, data ownership, destruction of data, and rules of behavior.
2. Consider whether employees will be allowed to use personal devices or will be restricted to using company-issued devices.
Even in the age of BYOD, there are still many organizations who issue company smartphones (and certainly laptops or other devices for remote work). Yet, those employees may still have options to access company data via their own devices. Whether the equipment is company-issued or employee-owned, employees must be provided with explicit instructions for the care and usage of any devices that contain client or company data or information (i.e., never leave laptops unattended in public, never download and install programs without company approval). With all devices, certain minimum security measures must be in place, such as firewalls, anti-virus and spyware programs, and encryption software.
3. Make sure your employees are receiving adequate training.
Out of the office and distracted by other duties, security becomes lax. To make security a priority with employees, it’s important to provide a training program that focuses on real-life scenarios and defines exactly what employees can/cannot do with client or company data. In the case of laptop and network use, ensure that employees fully understand how to access data securely. Remote workers should be trained periodically in techniques to spot suspicious activity, including signs that a computer has been infected with malware. Proof of employee training is also important to help limit organizational liability in the event of a breach.
4. Inventory devices and develop an audit plan to periodically assess risk.
Even if the company’s IT department has remote management capability, it’s important to verify firsthand that all equipment is accounted for, in good condition and working properly. For the day-to-day management of mobile device use and security, consider: enforcing policies, managing vendor contracts, ensuring timely software and encryption updates, evaluating the flow and storage of sensitive data, etc. Risk assessments should be performed periodically, depending upon the size of the organization and the number of devices managed.
By Kroll Editorial Team