Small businesses may not have the resources to build information security teams and invest in a heavy-duty infosec program — but that doesn’t mean security should be devalued or that the business doesn’t need solutions. The secret is to use simple building blocks and try to put multiple security layers in place. Having a “defense in depth” approach provides backstops and multiple protections, even at the expense of some duplication. Because small businesses have fewer IT staff to make sure that everything is up-to-date, a little redundancy helps when things fall through the cracks occasionally.
Mobile devices, such as smartphones and tablets, are an important part of IT for most small businesses, since people are always on the go and want to keep in touch and up-to-date with minimum roadblocks. Keeping mobile devices — and the information on them — secure is simpler than it used to be, thanks to the wide availability of tools, such as cloud-based Mobile Device Management (MDM) services, that can keep settings in sync. Here are some tips for maintaining security on mobile devices using a multilayered approach.
Layer 1: People Protection
An important element of multi-layered security for your mobile workforce is user education. Even with the latest security software, your employees need to be educated about potential security threats through unvetted apps, unexpected file attachments, and more.
The best way to deliver education is to use multiple channels. Don’t just pick one avenue for education: Think about newsletters, direct memos, first-person stories from the boss, short classes and online training. Different people learn in different ways, and it’s important to help find the way that makes learning easier.
Such user education enables you to develop a direct dialogue with your employees to trade best practices. It also offers the opportunity for some one-on-one face time with employees, which can help give better insights into how your employees conduct business on the devices you deploy.
Mobile security education shouldn’t stop at educating users about their new devices, either. You should also look for ways to conduct follow-up security education and outreach for your users.
Layer 2: Device Software Protection
A second layer focuses on the devices themselves. Smartphones are easier to secure than Windows-based laptops and desktops, but you still have to set them up properly and keep them updated. Whether your company's mobile devices are corporate-owned or your company offers a choose-your-own-device (CYOD) option, it's essential to use MDM tools — either cloud-based or on-premises — to create uniform configurations and consistent settings. Most MDM tools are multi-platform, allowing you to manage different types of mobile devices with a single set of policies.
A benefit of using MDM is that it lets you push configuration updates over the air. That means any change in policy or configuration doesn't require a house call: mobile devices download it automatically whenever they have data service.
Here are some of the top features to pursue in your MDM tool for protecting devices:
- Biometric authentication, such as fingerprint or iris scanners, backed by a secure passcode (that means longer than 4 digits) to lock down the device.
- Automatic installation of operating system and application security patches, plus prompt rollout of new operating system versions.
- Remote data wipe to protect your company’s data in the event of a stolen or lost device.
- Application store lock-down, requiring all applications to be loaded from official trusted app stores. For Android devices, make sure that Google Play Protect is enabled to add another layer of application security checking.
You can also stack hardware protection on top of software protection. For example, enterprise-class phones from vendors like Samsung include hardware-based security, such as components that can prevent rooting or jailbreaking on a device or provide hardware support for dividing smartphones into work/home secured partitions.
Layer 3: Infrastructure and Application Protections
A third layer of protection shields your company data and networks from attackers. One of the biggest attack vectors is password theft, usually through malware delivered via phishing, so moving to a two-factor authentication system for any critical application is a huge step forward. If you're using cloud-based applications, that's often as easy to implement as a check-box in a GUI. But however you accomplish it, two-factor authentication is the number one way to protect applications (and the valuable data they hold) from unauthorized or malicious users.
Along with two-factor authentication, review applications and network infrastructure to be sure that:
- Anti-malware tools are running and regularly updated, even on server platforms (such as Linux) that aren’t often infected. Why? Because malware stored on a server can instantly activate if the file is downloaded to a vulnerable platform.
- Software updates are being regularly applied to all applications and to their servers, especially if they touch the Internet.
- Monitoring tools and nightly log analyzers are running to alert you quickly to unusual behavior or system outages. Such anomalies can be a sign of security problems; for example, a system suddenly running out of disk space.
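As an added illustration of the nightly checks described above (example code, not from the original article or any Samsung product), the script below flags two of the anomalies a small business log analyzer should catch: a sudden night-over-night drop in free disk space, and a single source address racking up repeated login failures. The free-space history, the sshd-style log lines and the alert thresholds are all constructed for this example.

```python
"""Nightly checks: sudden disk-space consumption and repeated login failures."""
import re
from collections import Counter

# Constructed sample: free space in GiB on a server partition, one reading per night.
# The last night shows the kind of sudden drop the article warns about.
FREE_GIB_HISTORY = [120.4, 119.8, 119.1, 118.9, 61.2]

# Constructed sample auth log (sshd-style lines). 203.0.113.5 fails repeatedly.
SAMPLE_AUTH_LOG = """\
Mar 3 01:12:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51012 ssh2
Mar 3 01:12:04 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51012 ssh2
Mar 3 01:12:09 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 51020 ssh2
Mar 3 01:12:15 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 51020 ssh2
Mar 3 01:12:20 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 51031 ssh2
Mar 3 01:12:26 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 51031 ssh2
Mar 3 02:40:11 web1 sshd[2310]: Failed password for alice from 198.51.100.7 port 40222 ssh2
Mar 3 02:40:30 web1 sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 40222 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def disk_drop_alerts(history, max_drop_pct=20.0):
    """Return (previous, current, pct_drop) for every night-over-night drop
    in free space larger than max_drop_pct. Slow, steady growth is ignored;
    a sudden plunge (log flooding, staged data, malware) is reported."""
    alerts = []
    for prev, cur in zip(history, history[1:]):
        if prev <= 0:
            continue
        drop_pct = (prev - cur) / prev * 100
        if drop_pct > max_drop_pct:
            alerts.append((prev, cur, round(drop_pct, 1)))
    return alerts


def failed_login_sources(log_text, threshold=5):
    """Count failed-password lines per source IP and return the IPs at or
    above threshold. Successful logins are not counted."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for prev, cur, pct in disk_drop_alerts(FREE_GIB_HISTORY):
        print(f"ALERT: free space fell from {prev} GiB to {cur} GiB ({pct}% drop)")
    for ip, n in failed_login_sources(SAMPLE_AUTH_LOG).items():
        print(f"ALERT: {n} failed logins from {ip}")
```

In a real deployment the history would be read from a nightly `df` snapshot and the log from the server's auth log, with alerts sent by mail or to a chat channel.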
Focusing on the right mix of security features can make all the difference. That's why you need a multi-layered approach that accounts for a multitude of attack vectors, including infrastructure, human and device vectors, to keep your business safe.