Start by realizing that employee-owned mobile devices, in the wrong hands, could provide anytime, anywhere access to corporate secrets. Accordingly, they must be secured, and your business secured against their potential misuse.
Here's where to start.
1. Create Strong Security Policies.
While it might sound basic, having mobile device security policies in place is a necessary first step. "Establish the appropriate controls, aligned with your corporate policies, and that make sense for [your] type of organization," said Tony DeLaGrange, a senior security consultant at Secure Ideas and instructor for the SANS Institute, via phone. For example, an organization in a highly regulated industry may specify that all data stored on employees' mobile devices, as well as any removable media used with those devices, be encrypted. Businesses in other industries, however, may think that approach is overkill.
[Managing devices is crucial, but it doesn't have to be costly. Read Centrify Sets Mobile Device Management Free.]
2. Apply Existing Security Policies To Mobile Devices.
When crafting mobile device security policies, carry through existing policies. For example, if you require that passwords for accessing the corporate network have 15 characters, mixing uppercase, lowercase, and at least one symbol, then the same should be true for any mobile device that's allowed to connect to the corporate LAN. "If I've got the same accessibility in a small device, then you need to think about it in the same manner," said DeLaGrange. Also weigh whether Bluetooth file-sharing will be allowed for mobile devices, and if jailbroken devices should be blocked from accessing the network altogether.
3. Enforce Security Policies.
The next step is to enforce your organization's policies, typically by using mobile device management (MDM) tools. Regardless of the approach selected, without enforcement, employees will see your mobile security policies as optional, especially you have a bring your own device (BYOD) to work policy.
4. Inventory Mobile Devices.
Keep an inventory of all mobile devices that are being used to connect to the corporate network. "Is that a security requirement? Well, understanding what we have is important," said DeLaGrange. For example, if only iPhones and Androids are supported under your BYOD program, but some employees are trying to use BlackBerrys, then maybe it's time to reconsider your policies, or else verify that the devices are being appropriately blocked.
5. Proactively Wipe Devices.
When fashioning mobile device security policies, beyond requiring devices to be locked with passwords, consider spelling out how and when devices should be automatically wiped. For example, devices can be set to delete all of their contents after 10 failed login attempts, and security tools can be used to wipe any device that hasn't connected to the corporate network in a specified period of time, such as 30 days, or after an employee reports it as being lost or stolen.
6. Weigh App Whitelisting.
One technique for preventing mobile devices from being exploited is to restrict exactly which apps employees can install on their devices. "If a company allows installation of any app whatsoever, in the iPhone arena it could still be bad. In the Android arena, oh my God, you're just inviting a malicious application into your organization," said DeLaGrange. "So a lot of companies look toward whitelisting, and from a security perspective, that's really great. But from an end-user perspective, it's not so good." Notably, if the in-house process for getting new apps approved requires weeks or months of waiting, employees will rebel.
7. Beware New Breach Notification Laws.
Almost every state now has data breach notification laws on the books, which require that any exposure of sensitive data involving state residents be publicly disclosed. Such rules are also growing more stringent, and may soon have mobile device repercussions. "There are two states--Nevada and Massachusetts--that have laws that, I won't say clearly spell out, but at least have indications that you need to encrypt data," said DeLaGrange. Does your business have customers in either of those states? If so, security managers, he said, "need to determine--with help from their IT staff and legal staff--is this going to require that we encrypt all customer data on our devices?"
Find out how to create and implement a security program that will defend against malicious and inadvertent internal incidents and satisfy government and industry mandates in our Compliance From The Inside Out report. (Free registration required.)