As smartphone and tablet use continues to expand in the business landscape, organizations have become more aware than ever of the threat of mobile security attacks. However different they are, these companies all share a sense of helplessness: that it's only a matter of time before someone finds a way to infect their smartphones and tablets with malware, or before they fall victim to phishing.
In some cases, that feeling of helplessness is real, particularly if you’re working for a smaller business that doesn’t have a formal security role or a dedicated team to assess and mitigate potential risks.
However, fending off potential security issues is especially important for these small and midsize firms. Given that their employees tend to juggle multiple responsibilities, they rely on mobile devices to go wherever they’re needed while staying connected to corporate data and applications.
Here are 10 ways your organization can remain proactive in its approach to mobile security and management.
1. Make upgrading a priority
According to Statista, in 2021 the average consumer smartphone in the U.S. will be replaced after 2.75 years, and after 2.64 years in 2022. This reflects how often consumers make the move to a new device.
That kind of cadence might be fine for people who are only using their devices for personal apps and content, but businesses need to approach upgrade decisions differently. Security researchers learn a lot about the changing tactics of malware authors, distributed denial of service (DDoS) attackers and ransomware campaigns in a three-year period. So do device manufacturers, who are building in protections that specifically address common attack vectors as networks evolve to 5G.
In BYOD environments, it’s critical to set minimum requirements for the devices that are allowed to access corporate systems and apps. Beyond three years from initial release, many devices stop receiving regular OS updates and security patches, making them more vulnerable to new exploits.
If you’re dealing with constrained IT resources, you have to determine the tradeoff between trying to figure out a mobile security strategy on your own and simply making use of what is already market-ready and available to businesses.
2. Make MDM a mainstay
Companies have always made sure they could keep track of the equipment they’ve purchased, but there’s a difference between monitoring what happens on an oil rig that never moves and a fleet of smartphones that have been deployed to on-the-go employees.
While mobile device management (MDM) has been adopted by most enterprises, smaller firms have plenty of reasons to explore it as well. MDM tools can be helpful to companies that offer a bring your own device (BYOD) program but want to make sure employee devices don’t open them up to security threats.
While choosing an MDM solution will take some research, midsize firms can get a head start by making sure the devices they deploy or recommend to employees incorporate security capabilities from the chip up.
For more granular device management and monitoring, IT can use a tool like Knox Asset Intelligence (KAI). KAI is a cloud-based data analytics tool that provides IT teams with visibility into device-specific operation and performance data as soon as a device is deployed. Small and midsize businesses can utilize this service to monitor and gain better insights into the performance and usage of every mobile device across their fleet. This includes connectivity and GPS-based location tracking, device health, battery usage and app stability.
3. Allowlisting and blocklisting
Many security threats penetrate companies through user errors, which are often just honest mistakes. Employees might not realize, for instance, that by downloading an app they are effectively leaving the door open to having corporate data stolen from their smartphone.
Allowlisting and blocklisting apps via MDM helps protect employees — and their employers — from these kinds of risks by making it clear which apps and sites are safe.
Blocklists give IT departments peace of mind by blocking access to certain apps and sending notifications when an attempt is made. Allowlists, on the other hand, may be more effective for highlighting the mobile tools employees should be prioritizing over games and social media.
4. Two-factor authentication and biometrics
Weak and easily forgotten passwords can make it simple for rogue third parties to gain access to mobile devices. Two-factor authentication is a straightforward way for small and midsized businesses to begin developing a layered mobile security strategy.
While tokens have sometimes been used as part of two-factor authentication, fingerprints and other biometric identifiers are quickly gaining ground. In fact, 70 percent of businesses will use biometrics for workforce access by 2022, according to market research firm Gartner. Biometrics can be used in tandem with the data separation technologies discussed below.
5. Get comfortable with customization
When new hires are brought on board, they usually aren’t given keys to every filing cabinet, the company’s banking credentials or other proprietary data that require a certain level of seniority or privilege. In the same way, it doesn’t make sense to grant every employee unfettered access to all manner of corporate apps and data.
IT managers can get around this with tools that let them customize mobile devices before they are handed out to their workforce. A good example is Samsung’s Knox Configure, which enables businesses to create a myriad of simple-use scenarios, from customizing boot-up screens to creating dedicated-use devices with only work-related apps.
6. Separate work and play
Even if they don’t have a dedicated desk with their own drawers, companies often offer employees a safe place of some kind where they can place personal items and secure them until they’re needed at the end of the day. Strong mobile security involves taking a very similar approach to the way data and apps are partitioned on the device.
Containerization, for example, allows smartphones to create separate workspaces of business apps and content that can be centrally protected and managed. Administrators don’t need access to an employee’s personal apps or data and can therefore provide the optimum mix of flexibility and security. This lets IT departments lock down sensitive company information, while letting employees maintain confidence in their personal privacy.
7. Ease the updating process
Just as new security threats are constantly cropping up, companies are simultaneously developing fixes that can be applied to mobile devices. Unfortunately, that often puts the burden on a company’s IT resources (which can be scarce or spread thin in midsized firms) to apply all the right patches on a regular basis. According to IDG’s 2021 Security Priorities Study, unpatched third-party software and security lapses were the second leading causes of security breaches. This means patch management is still one of the top priorities for large enterprises to combat security threats, and it should be the case for smaller firms, too.
Technologies such as enterprise firmware over-the-air (E-FOTA) mean employees don’t have to wait while patches or other updates are being pushed to their devices. Instead, updates can be scheduled across the entire team, ensuring all updates are tested and compatible, and all devices are uniform.
8. Keep policies current
If employees fall victim to a phishing scheme and get locked out of their devices, or data loss occurs because settings were somehow tampered with, a company will probably be quick to outline an updated mobile security policy for everyone to follow.
Rather than wait until disaster strikes, however, the most successful organizations stay on top of security issues and get in front of them from a policy perspective. At least every six months, review your mobile security posture, from your ability to monitor device usage to points of vulnerability and the age of your smartphone fleet.
Then, look forward to new devices that might be integrated into your workforce as part of new hire onboarding or upgrades across a department. Make sure updated policies are well documented. Of course, make sure employees are held accountable for reviewing and adhering to the policy as well.
9. User training and security awareness
The IDG study showed that almost half of security leaders, or 44 percent, cited employee training as one of the key areas that resulted in security incidents in 2021 — even though half of them made security awareness training for employees a top priority in 2020.
Training and security awareness is never a once-and-done activity, but something that should be treated as an ongoing work in progress. The companies that do this successfully make sure the content is easy to understand and available through different channels, depending on employees' preferences. Examples could include tips in an employee newsletter, an instructional video on a company intranet or even push notifications sent to all employee smartphones.
10. Seek a scalable path
A small company might not be small forever. Growth can come quickly via a strategic initiative to expand into a new market or territory, an M&A or some other tipping point. What won’t change is the need for your workforce to be equipped with the best tools available to do their jobs from wherever they are.
Of course, configuring and provisioning devices one by one is a nonstarter for IT departments, so think about how you can find an MDM tool or related application that will streamline this process as the organization evolves.
Fortunately, none of the Android mobile security tips outlined here have to be developed from scratch. The solutions included with Samsung Knox Suite were deliberately designed to give organizations, from small firms to large enterprises, the ability to secure, manage and provision smartphones successfully.