Protecting confidential enterprise information from disclosure is a top priority for IT managers. Until recently, employee private data wasn’t even a concern, because corporate servers and applications didn’t have any — users weren’t stashing their vacation photos on the enterprise document servers or their personal financial data in the corporate financial system.
However, with the rise of smartphones as official or semi-official work tools, things have suddenly changed, and IT managers are now managing devices that may have more personal than enterprise data on them.
Keeping the “personal” side of a smartphone secure is not just ethical; that security will also help keep everything on the device — enterprise and personal — more secure.
Here are some steps IT managers can take to configure staff smartphones for maximum protection.
1. Start with basic security settings and enforce with Mobile Device Management (MDM)
Even in the most relaxed bring-your-own-device (BYOD) program, there are some basic smartphone security options that every device should have at all times:
- Setting passcodes longer than four digits
- Enabling automatic installation of security and application software updates
- Restricting application choices to trusted stores
If the smartphone has an official enterprise MDM agent installed, controlling these settings is easy. If not, the remote device management features built into the link between the device and corporate (or cloud-based) Exchange email servers can be used to turn on these most basic settings.
Getting these three basic settings on every staff smartphone will do more than anything else to keep personal data private. A fourth setting, enabling encryption, is worth mentioning — but since all modern smartphones already do this by default, IT managers shouldn’t have to worry about it.
Enterprises that have a single smartphone platform may have additional options available. For example, if you’ve gone 100 percent Samsung, you can use the cloud-based Knox Configure to predefine security settings for all devices which are applied from the moment they’re powered on.
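An added example, not from the original article or any vendor tool: a small audit that reads a constructed MDM inventory export and flags devices missing any of the three baseline settings above (plus encryption, as mentioned). The field names and the JSON layout are assumptions, not a real MDM vendor's schema.

```python
"""Flag staff smartphones that fall short of the baseline settings above."""
import json

# Constructed sample inventory; the field names are a hypothetical schema,
# not any MDM product's real export format.
SAMPLE_INVENTORY = json.dumps([
    {"device_id": "dev-001", "owner": "alice", "passcode_length": 6,
     "auto_update": True, "unknown_sources": False, "encrypted": True},
    {"device_id": "dev-002", "owner": "bob", "passcode_length": 4,
     "auto_update": True, "unknown_sources": False, "encrypted": True},
    {"device_id": "dev-003", "owner": "carol", "passcode_length": 8,
     "auto_update": False, "unknown_sources": True, "encrypted": True},
    {"device_id": "dev-004", "owner": "dave", "passcode_length": 0,
     "auto_update": True, "unknown_sources": False, "encrypted": False},
])

MIN_PASSCODE_LENGTH = 5  # "longer than four digits"


def check_device(dev):
    """Return the list of baseline findings for one device (empty = compliant)."""
    findings = []
    if dev.get("passcode_length", 0) < MIN_PASSCODE_LENGTH:
        findings.append("passcode shorter than five digits (or none set)")
    if not dev.get("auto_update", False):
        findings.append("automatic security/app updates disabled")
    if dev.get("unknown_sources", True):
        findings.append("installation from untrusted stores allowed")
    if not dev.get("encrypted", False):
        findings.append("storage encryption off")
    return findings


def audit_inventory(raw_json):
    """Map device_id -> findings for every non-compliant device in the export."""
    report = {}
    for dev in json.loads(raw_json):
        findings = check_device(dev)
        if findings:
            report[dev["device_id"]] = findings
    return report


if __name__ == "__main__":
    for device_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(device_id, "->", "; ".join(findings))
```

Missing fields are treated as non-compliant so an incomplete export never silently passes a device.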
2. Secure data in motion
IT managers know they need to protect corporate data in motion by enabling end-to-end encryption between enterprise servers and enterprise smartphone applications. But they have almost no control over user applications that sit on the same devices, which deserve the same protections. The risks are particularly high when staff choose public Wi-Fi networks to save battery, reduce data usage or speed up communications, as there’s generally zero privacy assurance associated with these types of networks.
To build security on top of public Wi-Fi, IT managers can offer corporate VPN services that provide always-on protection by encrypting and tunneling all traffic — corporate and Internet — back to an enterprise VPN server. This not only provides strong data encryption and privacy of all data and metadata, but also gives the IT manager the opportunity to apply content filtering to the stream, block malicious websites and intercept known malware and viruses.
If backhauling both business and personal traffic to an enterprise data center or cloud point-of-presence isn’t a good option, IT managers can turn to any of the many cloud-based VPN services that are available to encrypt and anonymize traffic. A corporate subscription to one of these third-party services is a small operational expense that can provide an array of security services to staff smartphones.
Another option is to discourage all public Wi-Fi usage from the start. For example, if you’re negotiating with a carrier for a voice and data plan for all staff, go for one with an extremely high data cap — or none at all — so users aren’t tempted to jump on every public Wi-Fi network they find in order to save bits. At the same time, you can use smartphone settings to keep data on carrier networks and off public Wi-Fi, such as requiring the user to launch Settings to pick a Wi-Fi network, rather than having a list of networks pop up every time the smartphone gets in range of an access point.
Whatever you do, back it all up with a strong user education campaign on the dangers of public Wi-Fi networks. Carrier data networks are not entirely trustworthy either, but they present a much lower risk to personal data. Make sure that users understand that even encrypted applications running over encrypted Wi-Fi networks can’t be trusted not to leak private and personal information.
3. Good backups and remote wipe go hand-in-hand
Remote wipe is a powerful tool that end users and help desks can use when a smartphone is lost, and this should be enabled on all smartphones. At the same time, though, you have to ensure that personal and enterprise data are always backed up. Staff will hesitate to report a lost device or to wipe it themselves if they think that they’ll lose a lot of important personal data. Remote wipe usually comes with other features, including remote lock and “find my device.”
Google offers free cloud-based backup services that provide continuous protection for personal data. If users are concerned about storing their personal data in the public cloud or sharing so much location information, there are also third-party cloud-based backup services for mobile devices that offer a higher degree of privacy and confidentiality.
Whatever approach is right for your end users, use a mix of enforced settings, corporate services and user education to ensure that these features are enabled.
4. Provide user education on why common practices — like jailbreaking or rooting phones — are dangerous
End users will happily read a one-page list of things they should and shouldn’t do with their personal smartphones, so having a few handouts or online documents available is a great way to get across key messages that may be obvious to IT managers — but not so obvious to end users.
The key is to provide solid rationale explaining why something is important — not just a laundry list of rules to abide by. For example, a few sentences explaining the dangers of a rooted or jailbroken smartphone, or why users might want to take advantage of mobile anti-virus, will go a long way toward keeping devices secure.
Users will also appreciate help from their enterprise IT department in understanding complicated privacy-related topics, such as location sharing and user tracking through cookies, which can help them become more security- and privacy-aware users.
Helping staff keep their own data private means combining some basic settings, changing some basic behaviors, and educating users about things they can do. Combine these three approaches for the best results.