Protecting confidential enterprise information from disclosure is a top priority for IT managers. Until recently, employee private data wasn’t even a concern because corporate servers and applications didn’t have any — users weren’t stashing their vacation photos on the enterprise document servers or mixing their work and personal text messages.
But now they are.
With the rise of smartphones as omnipresent work tools, things have suddenly changed, and IT managers are now managing devices that may have more personal than enterprise data on them.
Keeping the “personal” side of a smartphone secure is not just a question of ethics and privacy; the same controls that protect personal data also keep everything else on the device, enterprise data included, more secure.
Here are some steps IT managers can take to configure staff smartphones for maximum protection of employee data and privacy.
1. Start with basic security settings and enforce with mobile device management (MDM)
Smartphones are easy to lose and are attractive targets for theft. So, securing against these events should be Step One both for employee privacy and enterprise self-protection. Even in the most relaxed bring-your-own-device (BYOD) program, protecting against loss and theft means there are some basic smartphone security options that every device should have at all times:
- Requiring a long passcode, with biometrics allowed as a convenience unlock on top of it rather than instead of it (the passcode is what the device’s storage encryption keys are derived from)
- Enabling automatic installation of security and application software updates
- Restricting application choices to trusted stores
If the smartphone has an official enterprise MDM agent installed, then controlling these settings is easy and obvious. If not, the Exchange ActiveSync policies that apply when the user links the phone to a corporate or cloud-based Exchange mailbox can enforce a subset of them: passcode length and complexity, auto-lock timeout, wipe after repeated failed unlocks, and a requirement for storage encryption. They cannot control update behavior or restrict app stores; those need a real MDM. Effectively, once the smartphone is linked to corporate email, you have basic, passcode-centered control over the device, and any client that cannot apply the policy can be refused mail sync.
Getting these three settings on every employee’s smartphone will do more than anything else to keep personal data private. A fourth setting, encryption, is worth mentioning, but current iOS and Android devices encrypt storage by default and do not let the user turn it off. The IT manager’s real concern is the passcode: on both platforms the keys that protect data at rest are derived from it, so a phone with no lock screen is, in practice, an unencrypted phone.
Enterprises that have a single smartphone platform may have additional options available. For example, if you’ve gone 100 percent Samsung, you can use the cloud-based Knox Configure to predefine security settings for all devices applied from the moment they’re powered on.
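Here is what that Exchange-linked control looks like in practice. This is an added example, not code from the article or from Samsung: an Exchange ActiveSync mobile device mailbox policy created with the Exchange Online PowerShell module (the same cmdlets exist in the on-premises Exchange Management Shell for Exchange 2013 and later). The policy name, mailbox address and thresholds are assumptions; adjust them to your own baseline.

```powershell
# Added example: enforce the passcode and encryption baseline on every phone
# that syncs corporate mail, using Exchange ActiveSync mailbox policies.
# Assumes an existing Exchange Online session (Connect-ExchangeOnline) or the
# on-premises Exchange Management Shell; names and thresholds are placeholders.

$policy = @{
    Name                         = "BYOD-Baseline"  # assumed policy name
    PasswordEnabled              = $true
    AllowSimplePassword          = $false           # reject 1234 / 1111-style codes
    MinPasswordLength            = 8
    MaxPasswordFailedAttempts    = 10               # device wipes itself after 10 failed unlocks
    MaxInactivityTimeLock        = "00:05:00"       # auto-lock after 5 idle minutes
    RequireDeviceEncryption      = $true            # refuse sync if storage encryption is off
    AllowNonProvisionableDevices = $false           # refuse clients that cannot apply the policy
    IsDefault                    = $true            # newly linked phones get it automatically
}
New-MobileDeviceMailboxPolicy @policy

# Assign explicitly where a different policy was set on the mailbox earlier.
Set-CASMailbox -Identity "alice@example.com" -ActiveSyncMailboxPolicy $policy.Name   # assumed mailbox

# Check what each phone actually did with the policy. "PartiallyApplied" or
# "NotApplied" means the client ignored settings it does not support.
Get-MobileDeviceStatistics -Mailbox "alice@example.com" |
    Select-Object DeviceType, DeviceOS, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync
```

Two things to expect: with AllowNonProvisionableDevices set to false, older or third-party mail clients that cannot enforce the policy simply stop syncing, so warn the help desk before rolling it out; and there is no ActiveSync setting for biometrics, automatic updates or app-store restrictions, so the status check above is the most you can learn about those from the mail server.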
2. Secure data in motion
IT managers know they need to protect corporate data in motion by enabling end-to-end encryption between enterprise servers and enterprise smartphone applications. But they have almost no control over user applications that sit on the same devices, which deserve the same protections. The risks are particularly high when staff choose public Wi-Fi networks to save battery or data usage or to speed up communications: the network operator, and anyone else on the network, can read unencrypted traffic and observe the destinations, DNS lookups and timing of encrypted traffic.
To build security on top of public Wi-Fi, IT managers can offer corporate VPN services that provide always-on protection by encrypting and tunneling all traffic, corporate and internet, back to an enterprise VPN server. Both Android and iOS support an always-on mode that blocks traffic outside the tunnel (on iOS this requires a supervised device). This hides data and metadata from the local network and gives the IT manager the opportunity to apply content filtering to the stream, block malicious websites and intercept known malware. The trade-off is that the enterprise now sees the employee’s personal traffic too, so say so plainly in the policy and, where the platform allows it, consider a per-app VPN that tunnels only work applications.
If backhauling both business and personal traffic to an enterprise data center or cloud point-of-presence isn’t a good option, IT managers can turn to any of the many cloud-based VPN services that encrypt traffic between the phone and the provider. Such a service does not anonymize the user; it moves trust from the coffee-shop network to the VPN provider, so choose one with a published logging policy and independent audits. A corporate subscription is a small operational expense that can provide an array of security services to staff smartphones.
Another option is to discourage all public Wi-Fi usage from the start. For example, if you’re negotiating with a carrier for a voice and data plan for all staff, go for one with an extremely high data cap, or none at all, so users aren’t tempted to jump on every public Wi-Fi network they find in order to save bits. At the same time, if you have MDM installed, you can use smartphone settings to keep data on carrier networks and off public Wi-Fi, for example by turning off the prompt to join nearby networks (iOS “Ask to Join Networks”, Android’s open-network notification) so the user has to open Settings and pick a network deliberately.
Whatever you do, back it all up with a strong user education campaign on the dangers of public Wi-Fi networks. Carrier data networks are not entirely trustworthy either, but they present a much lower risk to personal data. Make sure that users understand that even applications using TLS over an encrypted Wi-Fi network still reveal where they connect and when, and that an app with a broken certificate check reveals much more.
3. Good backups and remote wipe go hand in hand
Remote wipe is a powerful tool that end users and help desks can use when a smartphone is lost, and it is available to corporate IT staff through the MDM agent or the Exchange link on the device. Prefer the selective form where it exists: an Exchange ActiveSync account-only wipe or an Android Work Profile wipe removes corporate data and leaves the personal side intact, while a full wipe factory-resets the phone. At the same time, you have to ensure that personal and enterprise data are always backed up. Employees will hesitate to report a lost device or to wipe it themselves if they think that they’ll lose a lot of important personal data. Remote wipe usually comes with other features, including remote lock and “find my device.”
Samsung Cloud offers free cloud-based backup services that provide continuous protection for personal data. (Google and Apple offer similar services for Android and iOS users as well.) If users are concerned about storing their personal data in the public cloud or sharing so much location information, there are also third-party cloud-based backup services for mobile devices that offer a higher degree of privacy and confidentiality.
Whatever approach is right for your end users, use a mix of enforced settings, corporate services and user education to ensure that these features are enabled.
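The wipe decision is where backups and privacy meet. As an added example (not the article’s or Samsung’s code), here is the account-only wipe that Exchange ActiveSync offers alongside the full wipe, again from Exchange PowerShell (Exchange Online or Exchange 2013 and later). The mailbox address, notification address and the way the lost device is selected are assumptions.

```powershell
# Added example: remote wipe of a lost phone through its Exchange ActiveSync
# partnership. Assumes an Exchange Online or Exchange 2013+ PowerShell session;
# mailbox, notification address and device selection are placeholders.

$mailbox = "alice@example.com"   # assumed mailbox

# List the user's partnered devices and pick the lost one. Assumed here: the
# user has a single Android phone; in practice confirm DeviceId with the user.
Get-MobileDevice -Mailbox $mailbox | Select-Object DeviceType, DeviceModel, DeviceId
$device = Get-MobileDevice -Mailbox $mailbox |
    Where-Object { $_.DeviceType -eq "Android" } |
    Select-Object -First 1

# BYOD default: account-only wipe removes corporate mail, contacts and calendar
# and the sync partnership, leaving photos, messages and personal apps alone.
Clear-MobileDevice -Identity $device.Identity -AccountOnly `
    -NotificationEmailAddresses "it-helpdesk@example.com" -Confirm:$false

# Corporate-owned or clearly compromised device: factory reset everything.
# Only do this once the user confirms a current backup or accepts the loss.
# Clear-MobileDevice -Identity $device.Identity -Confirm:$false

# The command is queued until the phone next syncs; the timestamps show
# whether the request was sent and whether the device acknowledged it.
Get-MobileDeviceStatistics -Identity $device.Identity | Format-List *Wipe*
```

The account-only wipe depends on the mail client honoring it (the built-in iOS Mail, Gmail and Samsung Email clients do); if the acknowledgement timestamp never appears, the phone is either offline or running a client that ignored the request, and the fallback is a full wipe or an MDM-side action.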
4. Provide user education on best practices and privacy
End users are far more likely to read a one-page list of things they should and shouldn’t do with their personal smartphones than a policy manual, so having a few handouts or online documents available is a great way to get across key messages that may be obvious to IT managers but not so obvious to end users.
The key is to provide a solid rationale explaining why something is important — not just a laundry list of rules to abide by. For example, a few sentences explaining the dangers of a rooted or jailbroken smartphone, or why users might want to take advantage of mobile antivirus, will go a long way toward keeping devices secure.
Employees will also have questions about more complicated privacy-related topics, such as location sharing, user tracking through cookies, and spyware. Education in personal privacy will be appreciated by employees, even if it’s only peripheral to their work use of the smartphone. Knowing that the company is concerned about their privacy interests will help increase trust and can be used to combat misinformation about privacy and the risks associated with smartphone and general internet use. All of this helps employees become more security- and privacy-aware.
5. Use technology to create clear privacy boundaries
Android Enterprise’s Work Profile is an excellent tool for protecting enterprise data, but it also provides privacy guarantees to employees: on a personally owned device the MDM can manage, inspect and wipe only what is inside the profile, and the apps and data in the personal profile are not visible to corporate IT. When devices are managed using an enterprise MDM, use Work Profile to deliver the message that privacy is valued and as high a priority as protecting enterprise data.
In cases where Work Profile isn’t possible, you can recommend tools such as Samsung’s Secure Folder, a user-controlled container that gives IT no management capability but lets the employee keep a separately locked, separately encrypted area in a consumer-friendly form.
Helping staff keep their own data private means combining some basic settings, changing some basic behaviors, deploying some technology, and educating users about things they can and should do. Combine each of these approaches for the best results.