7 Ways To Toughen Enterprise Mobile Device Security - InformationWeek

7 Ways To Toughen Enterprise Mobile Device Security

Smartphones extend the network perimeter like never before, but also give potential attackers new entry routes. Consider these get-tough strategies.

What's the best way to secure mobile devices used in the enterprise?

Start by realizing that employee-owned mobile devices, in the wrong hands, could provide anytime, anywhere access to corporate secrets. Accordingly, they must be secured, and your business secured against their potential misuse.

Here's where to start.

1. Create Strong Security Policies.
While it might sound basic, having mobile device security policies in place is a necessary first step. "Establish the appropriate controls, aligned with your corporate policies, and that make sense for [your] type of organization," said Tony DeLaGrange, a senior security consultant at Secure Ideas and instructor for the SANS Institute, via phone. For example, an organization in a highly regulated industry may specify that all data stored on employees' mobile devices, as well as any removable media used with those devices, be encrypted. Businesses in other industries, however, may think that approach is overkill.


2. Apply Existing Security Policies To Mobile Devices.
When crafting mobile device security policies, carry through existing policies. For example, if you require that passwords for accessing the corporate network have 15 characters, mixing uppercase, lowercase, and at least one symbol, then the same should be true for any mobile device that's allowed to connect to the corporate LAN. "If I've got the same accessibility in a small device, then you need to think about it in the same manner," said DeLaGrange. Also weigh whether Bluetooth file-sharing will be allowed for mobile devices, and if jailbroken devices should be blocked from accessing the network altogether.

3. Enforce Security Policies.
The next step is to enforce your organization's policies, typically by using mobile device management (MDM) tools. Regardless of the approach selected, without enforcement, employees will see your mobile security policies as optional, especially if you have a bring your own device (BYOD) to work policy.

4. Inventory Mobile Devices.
Keep an inventory of all mobile devices that are being used to connect to the corporate network. "Is that a security requirement? Well, understanding what we have is important," said DeLaGrange. For example, if only iPhones and Androids are supported under your BYOD program, but some employees are trying to use BlackBerrys, then maybe it's time to reconsider your policies, or else verify that the devices are being appropriately blocked.

5. Proactively Wipe Devices.
When fashioning mobile device security policies, beyond requiring devices to be locked with passwords, consider spelling out how and when devices should be automatically wiped. For example, devices can be set to delete all of their contents after 10 failed login attempts, and security tools can be used to wipe any device that hasn't connected to the corporate network in a specified period of time, such as 30 days, or after an employee reports it as being lost or stolen.

6. Weigh App Whitelisting.
One technique for preventing mobile devices from being exploited is to restrict exactly which apps employees can install on their devices. "If a company allows installation of any app whatsoever, in the iPhone arena it could still be bad. In the Android arena, oh my God, you're just inviting a malicious application into your organization," said DeLaGrange. "So a lot of companies look toward whitelisting, and from a security perspective, that's really great. But from an end-user perspective, it's not so good." Notably, if the in-house process for getting new apps approved requires weeks or months of waiting, employees will rebel.

7. Beware New Breach Notification Laws.
Almost every state now has data breach notification laws on the books, which require that any exposure of sensitive data involving state residents be publicly disclosed. Such rules are also growing more stringent, and may soon have mobile device repercussions. "There are two states--Nevada and Massachusetts--that have laws that, I won't say clearly spell out, but at least have indications that you need to encrypt data," said DeLaGrange. Does your business have customers in either of those states? If so, security managers, he said, "need to determine--with help from their IT staff and legal staff--is this going to require that we encrypt all customer data on our devices?"
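The rules from items 2, 4 and 5 above can be checked mechanically against a device inventory. The following is an added example, not code from the article or from any MDM product: the `Device` record shape, the sample inventory, and the choice to block jailbroken devices are assumptions, while the thresholds are the article's own examples.

```python
from dataclasses import dataclass
from datetime import date
# Thresholds from the article's examples; blocking jailbroken devices is an assumed policy.
SUPPORTED = {"ios", "android"}
MIN_PASSCODE_LEN, MAX_FAILED_LOGINS, MAX_DAYS_OFFLINE = 15, 10, 30

@dataclass
class Device:  # hypothetical record shape, not any MDM vendor's schema
    owner: str
    platform: str
    passcode_min_len: int
    passcode_complex: bool  # mixed case plus at least one symbol enforced
    jailbroken: bool
    failed_logins: int
    last_seen: date
    reported_lost: bool = False

def evaluate(dev: Device, today: date) -> tuple[str, list[str]]:
    """Return (action, reasons); action is 'wipe', 'block' or 'allow'."""
    wipe, block = [], []
    if dev.reported_lost:
        wipe.append("reported lost or stolen")
    if dev.failed_logins >= MAX_FAILED_LOGINS:
        wipe.append(f"{dev.failed_logins} failed logins")
    offline = (today - dev.last_seen).days
    if offline > MAX_DAYS_OFFLINE:
        wipe.append(f"offline {offline} days")
    if dev.platform.lower() not in SUPPORTED:
        block.append(f"unsupported platform {dev.platform}")
    if dev.jailbroken:
        block.append("jailbroken")
    if dev.passcode_min_len < MIN_PASSCODE_LEN or not dev.passcode_complex:
        block.append("passcode policy weaker than network password policy")
    action = "wipe" if wipe else "block" if block else "allow"
    return action, wipe + block  # wipe takes precedence over block

TODAY = date(2012, 2, 21)  # constructed sample data, not real devices
INVENTORY = [
    Device("alice", "iOS", 15, True, False, 0, date(2012, 2, 20)),
    Device("bob", "Android", 15, True, True, 2, date(2012, 2, 19)),
    Device("carol", "BlackBerry", 15, True, False, 0, date(2012, 2, 18)),
    Device("dave", "Android", 4, False, False, 10, date(2012, 2, 20)),
    Device("erin", "iOS", 15, True, False, 0, date(2012, 1, 10)),
]

def audit(inventory, today):
    return {d.owner: evaluate(d, today) for d in inventory}

if __name__ == "__main__":
    for owner, (action, reasons) in audit(INVENTORY, TODAY).items():
        print(f"{owner:6} {action:5} {'; '.join(reasons)}")
```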


User Rank: Apprentice
11/25/2014 | 9:08:06 AM
re: 7 Ways To Toughen Enterprise Mobile Device Security
Before integrating smartphones and/or tablets into corporate IT, companies should develop a concept for their mobile business. Afterwards it will be much easier to choose a convenient enterprise mobility solution. With the right management tool, you can manage and monitor devices, users, apps and policies. If you want to get to know more about mobile security, check out Cortado Corporate Server's mobile security topic page.
Richard Rosen,
User Rank: Apprentice
2/22/2012 | 4:56:55 PM
re: 7 Ways To Toughen Enterprise Mobile Device Security
In regard to encryption becoming mandated, that alone will not ensure compliance with regulations requiring breach notification in my opinion. To avoid this unpleasantness (I'm being mild) data wiping with confirmation would be required.

And there's a practical reason, not just to meet compliance. Here's an example: a bank did the right thing encrypting data on its laptops (applies to smartphones also). So when one was stolen, no concern, right? But what happened is the employee used a sticky note for the encryption password for the usual reasons: too complicated to remember, changed too often, etc. With data wiping in place, as soon as the device is reported stolen, erase the data and no reporting requirement and no loss of data that could harm a company.

I suggest including monitoring activity on laptops and smartphones. This helps deal with either intentional or inadvertent loss of sensitive information. Also provides accountability in terms of productivity as well as quality control of communications.

[email protected]
User Rank: Apprentice
2/22/2012 | 2:51:42 PM
re: 7 Ways To Toughen Enterprise Mobile Device Security
Want to learn more about how to better prepare for and fend off security risks associated with mobile devices? Check out SANS' inaugural Mobile Device Security Summit, March 12-15 in Nashville, TN. Tony is co-chair of this event.
User Rank: Apprentice
2/21/2012 | 6:58:03 PM
re: 7 Ways To Toughen Enterprise Mobile Device Security
Want to learn more about how to better prepare for and fend off security risks associated with mobile devices?

SANS is hosting its inaugural Mobile Device Security Summit, March 12-15 in Nashville, TN. Tony is a summit co-chair. http://www.sans.org/info/98386