Secure Mobile Device Deployments
As we all know, mobile devices have become an integral part not only of the workplace but of society at large. Therefore, the secure deployment of these devices is of paramount importance not just for individuals, but for businesses and corporations, government agencies, and other entities as well.
Mobile devices have indeed become an integral part of any corporate network, as many employees now log in from their smartphone to access shared files and other types of resources.
In fact, mobile devices have become a prime target for the cyber attacker today. Thus, understanding the risks and threats that are out there, and how to combat them in a proactive fashion, is a must.
In some industries, such as healthcare, employees use their smartphone to access confidential patient information. Thus, understanding the federal laws surrounding the protection of this data, especially HIPAA, is very important.
How to Secure Mobile Devices in Your Environment
You must formulate and implement a Mobile Device Security Policy:
This should be a part of the overall Security Policy of any business or corporation, and should include the following elements:
- The specific types of resources that can be accessed via a mobile device;
- The degree to which mobile devices can be used to remotely access these resources;
- How Mobile Device Management software should be installed and configured, not only on the devices themselves but also on the servers that are synced with them;
- How firmware and software upgrades/patches should be installed on the mobile devices, and how frequently the wireless vendor's website should be checked for these upgrades.
Create a Cyber threat model landscape for your specific Mobile Device environment:
By designing such a model, your organization will gain a much better understanding of the threat landscape from a visual perspective, especially when quantitative weights are assigned to each kind of associated threat. You will then be able to ascertain not only the security requirements for your mobile devices in an expedient fashion, but also the controls that are needed to safeguard them from employee misuse (in fact, employee negligence is deemed to be the weakest link in the proverbial security chain).
Always test your mobile security policy and threat landscape before implementing it:
Before you actually start to implement and enforce your policies, it is always important to evaluate them first in a test environment to see how they will work in the real world. Some technical examples of what needs to be tested include the following:
- The connectivity of the wireless devices that will be issued to each employee;
- Checking the safety of the functionality of the mobile apps that will be installed and used on the wireless devices;
- Checking the performance of each wireless device (obviously, a wireless device that does not live up to the performance metrics that have been set forth could prove to be a security vulnerability at a subsequent point in time);
- Making sure that the wireless devices you will be acquiring and issuing to your employees are very difficult to jailbreak or root;
- Making sure that the wireless device does not accidentally revert to the vendor's settings, but instead keeps the default settings that you have set forth in your mobile device security policy.
Secure each and every mobile device before they are issued to your employees:
Once you, the IT staff, and the CIO are satisfied with the results of the procedures conducted in the test environment, the next step is to make sure that the wireless devices you will be distributing to your employees have all the required security functionality installed on them. Obviously, this will vary from business to business, and with the specific manner in which the employees will be using them. But, in general:
- Make sure that the initial password you establish is hard to guess, but easy enough for your employee to remember. This can be a lot trickier than it sounds, so you may want to consider using a mobile-based Password Manager in this regard. Make sure that Two-Factor Authentication (also known as "2FA") is enabled. The first layer of security will obviously be the password, but the second layer could be a challenge/response question.
- Check the website of each wireless vendor from whom your organization will be procuring the wireless devices for the latest firmware and software upgrades/patches. Make sure they are installed and configured, once again, on each and every wireless device before it is issued to your employees.
Always enforce your mobile device security policies:
Once you have initially deployed all the wireless devices to your employees, the next step is to make sure that the policies you have set forth are constantly being enforced and that your employees are abiding by them. One of the best ways to do this is to conduct a manual audit of these devices at random intervals, to make sure that there is no misuse by the employees. Remember that in this regard you have every legal right to conduct such audits, because these wireless devices are owned and provided by the organization you work for.
Another key issue at stake here is Bring Your Own Device, or "BYOD" for short. There can be no gray area whatsoever in this regard. If you want your employees to use only company-issued wireless devices, then you must state so, and forbid your employees from using their own smartphone to conduct work-related activities. On the other hand, if you are OK with employees using their personal smartphones, then you must establish very clear guidelines on the manner in which they can be used for conducting everyday job functions. Remember, BYOD brings with it key security vulnerabilities, and you may not easily be able to conduct random security audits on these devices because they are personally owned by your employees.
Other kinds of activities that should be included here include the following:
- Conducting various Pen Testing exercises in order to unearth any unknown anomalies and security vulnerabilities;
- Keeping an accurate inventory list of all the wireless devices that have been issued and returned (and in the case of the latter, deleting all permissions after an employee is no longer with the organization);
- Checking for firmware and software upgrades/patches at least once a week;
- Making sure that there are no rogue or unauthorized mobile apps installed on company-issued wireless devices.
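The inventory, weekly patch-check, access-revocation and unauthorized-app checks listed above are the kind of thing that lends itself to an automated pass over an MDM inventory export. The following Python script is an added example, not code from Continuum GRC or from this post: the device records, the allowed-app identifiers, the minimum firmware version and the seven-day patch-check window are all constructed here to illustrate the checks, and the field names are assumptions about what a typical MDM export might contain.

```python
"""Audit a constructed MDM inventory export against a mobile device policy.

Added example, not Continuum GRC code. All data below is constructed; the
policy values (allowed apps, minimum firmware, 7-day patch-check window) and
the export field names are assumptions that illustrate the checks in the post.
"""
from datetime import date

# Constructed policy: what a compliant company-issued device looks like.
POLICY = {
    "allowed_apps": {"com.example.mail", "com.example.mdm", "com.example.vpn"},
    "minimum_firmware": (14, 2, 1),         # assumed vendor version tuple
    "max_days_since_patch_check": 7,        # "at least once a week"
}

# Constructed inventory export (shape assumed; not from any real MDM product).
INVENTORY = [
    {"device_id": "DEV-001", "owner": "alice", "status": "issued",
     "firmware": "14.2.1", "apps": ["com.example.mail", "com.example.mdm"],
     "last_patch_check": "2024-03-01", "access_enabled": True},
    {"device_id": "DEV-002", "owner": "bob", "status": "issued",
     "firmware": "14.1.0",
     "apps": ["com.example.mail", "com.example.mdm", "com.rogue.game"],
     "last_patch_check": "2024-02-10", "access_enabled": True},
    {"device_id": "DEV-003", "owner": "carol", "status": "returned",
     "firmware": "14.2.1", "apps": ["com.example.mdm"],
     "last_patch_check": "2024-03-02", "access_enabled": True},
]


def parse_version(text):
    """Turn '14.2.1' into (14, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_device(device, policy, today):
    """Return a list of (finding, detail) tuples for one device; empty means compliant."""
    findings = []

    # Rogue / unauthorized apps: anything outside the allowlist.
    rogue = sorted(set(device["apps"]) - policy["allowed_apps"])
    if rogue:
        findings.append(("unauthorized_app", ", ".join(rogue)))

    # Firmware below the minimum the policy requires.
    if parse_version(device["firmware"]) < policy["minimum_firmware"]:
        findings.append(("outdated_firmware", device["firmware"]))

    # Last patch check older than the weekly window.
    age = (today - date.fromisoformat(device["last_patch_check"])).days
    if age > policy["max_days_since_patch_check"]:
        findings.append(("stale_patch_check", f"{age} days"))

    # A returned device must have its access revoked (employee off-boarding).
    if device["status"] == "returned" and device["access_enabled"]:
        findings.append(("access_not_revoked", device["owner"]))

    return findings


def audit_inventory(inventory, policy, today_iso):
    """Map device_id -> findings, including only devices with at least one finding."""
    today = date.fromisoformat(today_iso)
    report = {}
    for device in inventory:
        findings = audit_device(device, policy, today)
        if findings:
            report[device["device_id"]] = findings
    return report


if __name__ == "__main__":
    for dev_id, findings in audit_inventory(INVENTORY, POLICY, "2024-03-04").items():
        for kind, detail in findings:
            print(f"{dev_id}: {kind} ({detail})")
```

Run against the constructed export with an audit date of 2024-03-04, DEV-001 is clean, DEV-002 is flagged for an unauthorized app, outdated firmware and a 23-day-old patch check, and DEV-003 is flagged because it was returned but still has access enabled. Versions are compared as integer tuples rather than strings so that, for instance, 14.10.0 correctly ranks above 14.9.9.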
Overall, this blog has examined some key steps that an SMB can take to protect its mobile environment. It is important to note that advances in mobile technology are occurring quite rapidly; therefore, you have to keep abreast of current best practices in order to continue to foster a secure environment.
The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.