7 Ways To Toughen Enterprise Mobile Device Security - InformationWeek



7 Ways To Toughen Enterprise Mobile Device Security

Smartphones extend the network perimeter like never before, but also give potential attackers new entry routes. Consider these get-tough strategies.

What's the best way to secure mobile devices used in the enterprise?

Start by realizing that employee-owned mobile devices, in the wrong hands, could provide anytime, anywhere access to corporate secrets. Accordingly, they must be secured, and your business secured against their potential misuse.

Here's where to start.

1. Create Strong Security Policies.
While it might sound basic, having mobile device security policies in place is a necessary first step. "Establish the appropriate controls, aligned with your corporate policies, and that make sense for [your] type of organization," said Tony DeLaGrange, a senior security consultant at Secure Ideas and instructor for the SANS Institute, via phone. For example, an organization in a highly regulated industry may specify that all data stored on employees' mobile devices, as well as any removable media used with those devices, be encrypted. Businesses in other industries, however, may think that approach is overkill.


2. Apply Existing Security Policies To Mobile Devices.
When crafting mobile device security policies, carry through existing policies. For example, if you require that passwords for accessing the corporate network have 15 characters, mixing uppercase, lowercase, and at least one symbol, then the same should be true for any mobile device that's allowed to connect to the corporate LAN. "If I've got the same accessibility in a small device, then you need to think about it in the same manner," said DeLaGrange. Also weigh whether Bluetooth file-sharing will be allowed for mobile devices, and if jailbroken devices should be blocked from accessing the network altogether.

3. Enforce Security Policies.
The next step is to enforce your organization's policies, typically by using mobile device management (MDM) tools. Regardless of the approach selected, without enforcement, employees will see your mobile security policies as optional, especially if you have a bring your own device (BYOD) to work policy.

4. Inventory Mobile Devices.
Keep an inventory of all mobile devices that are being used to connect to the corporate network. "Is that a security requirement? Well, understanding what we have is important," said DeLaGrange. For example, if only iPhones and Androids are supported under your BYOD program, but some employees are trying to use BlackBerrys, then maybe it's time to reconsider your policies, or else verify that the devices are being appropriately blocked.

5. Proactively Wipe Devices.
When fashioning mobile device security policies, beyond requiring devices to be locked with passwords, consider spelling out how and when devices should be automatically wiped. For example, devices can be set to delete all of their contents after 10 failed login attempts, and security tools can be used to wipe any device that hasn't connected to the corporate network in a specified period of time, such as 30 days, or after an employee reports it as being lost or stolen.
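The inventory and wipe rules from items 2, 4 and 5 can be expressed as a small audit over device records. The sketch below is an added example, not code from the article or from any MDM product; the `Device` fields, the sample inventory and the wipe-over-block precedence are assumptions, while the thresholds (15 characters, 10 failed logins, 30 days) are the article's own examples.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds are the article's examples; the record layout is hypothetical.
SUPPORTED_PLATFORMS = {"ios", "android"}  # item 4: BYOD supports iPhone and Android
MAX_FAILED_LOGINS = 10                    # item 5: wipe after 10 failed logins
MAX_DAYS_OFFLINE = 30                     # item 5: wipe after 30 days without check-in
MIN_PASSCODE_LENGTH = 15                  # item 2: carry over the network password length

@dataclass
class Device:                             # assumed shape of an inventory record
    owner: str
    platform: str
    passcode_length: int
    jailbroken: bool
    failed_logins: int
    last_checkin: date
    reported_lost: bool = False

def evaluate(dev: Device, today: date) -> tuple[str, list[str]]:
    """Return (action, reasons); a wipe condition outranks a block condition."""
    offline = (today - dev.last_checkin).days
    wipe = [reason for hit, reason in [
        (dev.reported_lost, "reported lost or stolen"),
        (dev.failed_logins >= MAX_FAILED_LOGINS, "failed-login limit reached"),
        (offline > MAX_DAYS_OFFLINE, f"no check-in for {offline} days"),
    ] if hit]
    block = [reason for hit, reason in [
        (dev.platform.lower() not in SUPPORTED_PLATFORMS, f"unsupported platform {dev.platform}"),
        (dev.jailbroken, "jailbroken"),
        (dev.passcode_length < MIN_PASSCODE_LENGTH, "passcode shorter than policy"),
    ] if hit]
    action = "wipe" if wipe else "block" if block else "allow"
    return action, wipe + block

# Constructed sample inventory, not real data.
TODAY = date(2024, 1, 31)
INVENTORY = [
    Device("alice", "iOS", 16, False, 0, TODAY - timedelta(days=2)),
    Device("bob", "BlackBerry", 16, False, 0, TODAY - timedelta(days=1)),
    Device("carol", "Android", 15, True, 3, TODAY - timedelta(days=45)),
    Device("dave", "Android", 8, False, 10, TODAY, reported_lost=True),
]

def audit(inventory, today):
    return {d.owner: evaluate(d, today) for d in inventory}

if __name__ == "__main__":
    for owner, (action, reasons) in audit(INVENTORY, TODAY).items():
        print(f"{owner:6} {action:5} {'; '.join(reasons)}")
```

Running the audit on a schedule also surfaces the case the article raises in item 4: an unsupported device such as the BlackBerry shows up as `block`, which either confirms the control is working or signals that the policy needs revisiting.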

6. Weigh App Whitelisting.
One technique for preventing mobile devices from being exploited is to restrict exactly which apps employees can install on their devices. "If a company allows installation of any app whatsoever, in the iPhone arena it could still be bad. In the Android arena, oh my God, you're just inviting a malicious application into your organization," said DeLaGrange. "So a lot of companies look toward whitelisting, and from a security perspective, that's really great. But from an end-user perspective, it's not so good." Notably, if the in-house process for getting new apps approved requires weeks or months of waiting, employees will rebel.

7. Beware New Breach Notification Laws.
Almost every state now has data breach notification laws on the books, which require that any exposure of sensitive data involving state residents be publicly disclosed. Such rules are also growing more stringent, and may soon have mobile device repercussions. "There are two states--Nevada and Massachusetts--that have laws that, I won't say clearly spell out, but at least have indications that you need to encrypt data," said DeLaGrange. Does your business have customers in either of those states? If so, security managers, he said, "need to determine--with help from their IT staff and legal staff--is this going to require that we encrypt all customer data on our devices?"

User Rank: Apprentice
2/21/2012 | 6:58:03 PM
re: 7 Ways To Toughen Enterprise Mobile Device Security
Want to learn more about how to better prepare for and fend off security risks associated with mobile devices?

SANS is hosting its inaugural Mobile Device Security Summit, March 12-15 in Nashville, TN. Tony is a summit co-chair. http://www.sans.org/info/98386
User Rank: Apprentice
2/22/2012 | 2:51:42 PM
re: 7 Ways To Toughen Enterprise Mobile Device Security
Want to learn more about how to better prepare for and fend off security risks associated with mobile devices? Check out SANS' inaugural Mobile Device Security Summit, March 12-15 in Nashville, TN. Tony is co-chair of this event.
Richard Rosen
User Rank: Apprentice
2/22/2012 | 4:56:55 PM
re: 7 Ways To Toughen Enterprise Mobile Device Security
In regard to encryption becoming mandated, that alone will not ensure compliance with regulations requiring breach notification in my opinion. To avoid this unpleasantness (I'm being mild) data wiping with confirmation would be required.

And there's a practical reason, not just to meet compliance. Here's an example: a bank did the right thing encrypting data on its laptops (applies to smartphones also). So when one was stolen, no concern, right? But what happened is the employee used a sticky note for the encryption password for the usual reasons: too complicated to remember, changed too often, etc. With data wiping in place, as soon as the device is reported stolen, erase the data and no reporting requirement and no loss of data that could harm a company.

I suggest including monitoring activity on laptops and smartphones. This helps deal with either intentional or inadvertent loss of sensitive information. Also provides accountability in terms of productivity as well as quality control of communications.

[email protected]
User Rank: Apprentice
11/25/2014 | 9:08:06 AM
re: 7 Ways To Toughen Enterprise Mobile Device Security
Before integrating smartphones and/or tablets into corporate IT, companies should develop a concept for their mobile business. Afterwards it will be much easier to choose a convenient enterprise mobility solution. With the right management tool, you can manage and monitor devices, users, apps and policies. If you want to get to know more about mobile security, check out Cortado Corporate Server's mobile security topic page.