The recent proliferation of mobile devices within enterprises ranks high on the list of data and employee security vulnerabilities. A recent PwC survey of organizations found that 41 percent of businesses in the U.S. have experienced an information security incident resulting in financial loss and damage to their brand’s reputation. There are a number of issues impacting the security of mobile devices, including how easily they can get lost or stolen. Mobile devices are not as susceptible to malware as other types of hardware, but the threat is growing. According to a 2015 McAfee Labs Threats Report, there are now more than six million active malware types targeting mobile devices.
Many organizations are grappling with the issue of BYOD, yet not all have a policy for mobile security, let alone the use of personally owned devices. BYOD can create security issues owing to the lack of control the organization has over the device, so the risk of allowing the use of personally owned devices should be weighed against the perceived advantages in terms of employee security, productivity and satisfaction. If BYOD is allowed, it must be clearly defined in the policy, along with any restrictions that are set.
Developing an Employee Security Policy for Mobile Devices
Banning the use of mobile devices within a business is hardly a viable solution to the issue of mobile security, especially given the fact that so many employees bring their own devices into work, whether their use is sanctioned or not. It is far better to develop a mobile security policy and to make it as airtight as possible.
The first step in developing such a policy is to take an asset inventory: look at what types of devices, operating systems and applications are being used and need to be catered to. Solicit input from all business units to ensure that their needs and ways of doing business are considered. However, the organization may want to deny eligibility to certain types of devices, such as older models that lack important security features; these exclusions should be spelled out in the policy.
The organization should then identify what type of data is being stored on mobile devices and develop guidelines for how business information should be handled, specifying the type of data that can be stored, to reduce the risk of data loss. Another consideration at this point is whether or not to use device containerization technology to separate work from personal applications and data to boost employee security.
Security Measures to Include
To guard against security issues from lost or stolen devices, consider making certain safeguards (e.g., encryption for data stored on devices, a password or PIN for unlocking devices, and remote wipe or lock capabilities) policy requirements. Also consider the use of stronger authentication, especially for access to sensitive resources. Given the rise and reach of mobile malware, the policy should specify that users should only download apps from trusted app stores.
Secure connectivity is important, so the policy should require that only trusted Wi-Fi® networks be used and should clearly mandate the use of a VPN, if the organization decides this is necessary for keeping communications secure. To reduce the likelihood of web-based attacks, users should be required to keep browsers updated. Samsung works with Cisco, which guarantees a secure, high-performing connection to its users – even on mobile devices. As an added layer of protection, organizations may want to consider requiring users to register all personal devices they wish to use in a central Mobile Device Management (MDM) technology program.
Incident Response and Policy Enforcement
No matter how comprehensive the mobile security policy is, there is a possibility that incidents will still occur. The policy should therefore identify proactive and reactive measures in the event of a security incident, such as a malware infection or lost device. The central point of contact for reporting incidents should be clearly identified to ensure efficient incident response.
Policies are only effective if they are enforced. To ensure that all users are aware of their responsibilities, organizations need to build awareness of security issues and put protective measures in place. It is imperative that staff understand the consequences of policy violations, with the ensuing disciplinary actions spelled out in the policy.
The use of mobile devices at work continues to grow, and the tide cannot turn back. Any organization that does not put in place a policy for mobile device use is putting itself at increased risk of security incidents that can lead to serious data breaches. Mobile security can no longer be left to chance.