Mobile Device Security Best Practices
How To Protect Portable Technology
In the era of mobility, enterprises must be cognizant of the potential threats on the horizon. Nearly every employee has at least one mobile device that they use for work. As a result, these devices represent one of the biggest attack vectors in the enterprise.
Enterprise Mobility Exchange wanted to explore this topic in more detail. Use this helpful guide to learn about the history, current state, and future considerations for securing mobile devices.
What Is Mobile Device Security?
Mobile device security refers to the measures taken to protect sensitive data stored on portable devices. It is also the ability to prevent unauthorized users from using mobile devices to access the enterprise network. Examples of devices that require this type of protection include smartphones, laptops, tablets, wearables, and other portable devices.
CIOs and CTOs are focused on all of the potential threats to devices, which include malicious mobile apps, phishing scams, data leakage, spyware, and unsecured WiFi networks. On top of that, enterprises have to account for the possibility of either the employee losing the mobile device or the device being stolen. Common methods of security typically include internal policies, educating employees, and software.
History of Mobile Device Security
Less than two decades ago, the ability to provide employees with access to networks and data was drastically different, with Ethernet cables connected to desktop computers as the primary gateway. Over the years, there has been an influx of new technologies that have changed this method. The rise of mobile technology on the consumer side initiated the rise of the mobile worker. In fact, most employees now expect to use a mobile device for work.
With the changing networking environment over the years, IT departments needed to adapt to the growing security threats in mobility. The first computer virus that infected smartphones, Cabir, emerged in 2004. By the time iPhones and other modern smartphones emerged, a whole new generation of security vulnerabilities soon followed. Now, with the rise of Internet of Things (IoT) devices in the enterprise, IT departments have a lot of endpoints to secure.
By the 2010s, new software solutions were created in the enterprise to protect against these threats, most notably Mobile Device Management (MDM), Enterprise Mobility Management (EMM), Mobile Application Management (MAM), and Unified Endpoint Management (UEM). With mobile usage now surpassing desktop usage, hackers are focused on attacking mobile devices.
Industry Experts Explain Mobile Device Security
To understand more about the current state of mobile security, here are a few quotes from thought leaders in the industry:
“Now more than ever, mobile devices have a target on their back,” said Mike Feibus, principal analyst with FeibusTech. “It’s ironic, but the more mobile devices are used as a multi-factor option to secure PCs, the more desirable they become to hackers. And as everyone knows, where there’s a will, there’s a way.”
“The threat vectors are becoming more sophisticated,” said Brian Jacome, director of product innovation for the Royal Bank of Canada (RBC). “What people would personally target on a desktop, they are now targeting more on mobile devices. Between things like malware and hardware-based attacks, it just seems that there are more vulnerabilities that are exposed in mobile endpoints than there were in the past. I think within the mobile ecosystem over the last two to three years, the number of major vulnerabilities and malware threats have almost doubled or tripled.”
“When it comes to enterprise mobility, security teams mitigate exposure, such as malware and man-in-the-middle attacks,” said Dr. Rebecca Wynn, the head of information security for Matrix Medical Network. “Even harder to manage and protect data is from the use of private, public apps, and company branded apps which can leak employee and customer data in ways enterprise security doesn’t have visibility.”
“Because the devices have been made to be so easy to use and interact with, some folks aren't necessarily trained well on how to safely interact with applications and corporate data,” said Eric Klein, director of enterprise mobility and connected devices at VDC Research. “Certain users will be very careful in how they interact with business apps on their phones. Meanwhile, lots of users still walk around with phones that don't have password protection on, so that makes the problem even worse.”
Mobile Device Security Trends
As the world of mobility changes, enterprises are also adapting. Here are some of the latest security trends in enterprise mobility:
Using Cyber Liability Insurance
One of the biggest security trends in the enterprise is cyber liability insurance. This type of insurance covers the losses that result from a data breach. In other words, in case a mobile device is hacked and the data gets compromised, all potential financial losses will be covered.
Given the fact that mobile devices have a target on their back and are now the primary threat vector, enterprises need to ensure that their cyber liability insurance policies cover the mobile devices. It is imperative to have this policy in order to protect against potential data breaches and leaks.
When a cyber attack occurs on a mobile device, an enterprise needs to act fast. If data is breached, all affected users must be notified. The cost of this tremendous communication burden can add up, and the company’s brand could be at risk. With the average cost of a corporate data breach nearly $4 million, it is worth exploring an insurance policy that covers data on enterprise devices.
Avoiding Public WiFi
Public WiFi represents one of the biggest attack vectors for all types of mobile devices. The problem is that when workers connect to public WiFi networks, the assumption is that they are safe to use. The truth is that a hacker can easily breach the device, access the network, and steal data. Some hackers specifically target unsuspecting users who access a public WiFi network that looks safe but is really vulnerable to attacks. There have been cases where hackers created fake WiFi networks that seem innocent (calling them names like ‘Coffee Shop’) but are really just a way to trap users.
The trend is to educate workers about these dangers. All employees should be aware that public WiFi networks pose a significant threat and should be avoided when accessing enterprise apps. The problem is that some employees ignore this advice and connect to public WiFi anyway. To combat this issue, a growing trend in the enterprise is to program the devices in a way that prohibits employees from accessing public WiFi.
The Emergence Of IoT Device Security
Like cellular devices, IoT devices are vulnerable to the same threats. IT departments recognize this issue and are addressing it by protecting IoT devices the same way they protect traditional mobile devices. After all, any endpoint in an enterprise needs to have the best protection.
The difference is that the recent trend is to take extra steps to protect IoT devices. Some enterprises are actively removing these devices from the main network and placing them in their own isolated network, such as a virtual LAN. By segregating these devices onto a separate firewalled network, there could be fewer security incidents. In addition, some enterprises are enacting extra precautions by disabling certain functions on IoT devices. For example, if a wireless printer (which is considered an IoT device) has faxing capabilities that it never uses, a company might shut that function down for security reasons. These steps make sense for IoT, but not for mobile devices, which usually require full network access.
One security protocol that both IoT and traditional mobile devices share is encryption, which is a big trend in the industry. Many organizations are leveraging encryption to protect data.
Mobile Device Security Strategies
To understand more about security methods for mobility, here are some of the best practices to follow:
For the longest time, having a strong password was the key to securing mobile devices. After all, over 80% of all company data breaches are the result of weak passwords. However, even if an enterprise has a strong password policy, breaches can still occur. Even two-factor authentication for passwords, which is considered to be a major security protocol, can be breached.
The best alternative for passwords on mobile devices is biometrics. Biometric authentication is when a computer uses measurable biological characteristics, such as face, fingerprint, voice, and iris recognition for identification and providing access.
In addition to enhanced security, there are many benefits to leveraging biometrics. First, it provides more accountability for enterprises, including an active log of users that access the network. It is also easier for workers to access their devices because unlike passwords, you can’t forget your face.
Block Potentially Dangerous Apps
It is common for employees to download apps that are not approved by IT. Some of these could be used for work, and others might be downloaded for personal reasons. Either way, apps that were not approved or designed by the enterprise could be harmful. The employee doesn’t realize that some apps are malicious and were designed by hackers. Malicious apps are one of the fastest growing threats to mobile devices. In one year, Google caught over 700,000 malicious apps in the Play Store. When an employee inadvertently downloads one, it provides unauthorized access to the company network and critical data.
To combat this rising threat, enterprises have two options. First, all employees should be instructed about the dangers of downloading unapproved apps. This is a good initial step, but some organizations are now banning employees from downloading certain apps on the phone.
Remote Lock And Data Wipe
One of the most important ways to limit mobile device threats is to enforce a strict remote lock and data wipe policy. With this strategy, an organization can ensure that enterprise networks and data receive an extra layer of protection. Under this policy, whenever an enterprise mobile device is believed to be stolen or lost, then the enterprise now has the ability to either remotely lock the device or erase any data on it.
Many IT experts view remote lock and data wipe as one of the most basic security methods. However, there is a bit of controversy to this method. Some employees are concerned that their businesses can delete personal data on the mobile device. To prevent this from happening, enterprises can provision two different environments on a single device, one for the enterprise and one for personal usage. If the enterprise data gets wiped by IT, then the personal data will still be there.
Questions To Ask Before Initiating Mobile Device Security
1. Do you have enough resources budgeted for securing mobile devices?
Given the high cost of a corporate data breach, it is imperative that enterprises invest enough resources into the security of mobile devices. By investing in the top solutions, an enterprise can avoid the financial consequences of a data breach. Too often, some organizations are lacking in this area.
2. What software do you use to protect devices?
Every year, you should review which software you are using for mobile security and whether that software meets your needs. Whether it is an EMM, MDM, or UEM solution, the review should look at capabilities and compare them with other vendors in the market.
3. Do you have visibility into mobile devices?
Although it is critical to set up internal device policies that prohibit unauthorized access, those policies are meaningless without the technological capabilities to ensure that employees are following them. This requires real-time insights to see if users are breaking those policies, and to catch potential threats.
4. Are employees educated about the threats?
Breaches often occur because an enterprise user unknowingly downloads a harmful app or leaves their device in public where it can be stolen. IT teams should educate all business users about the role that they should play in protecting devices and enterprise data.
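The visibility check raised in question 3, sketched as an added example (it is not from the original guide or from any vendor's product): it evaluates a constructed device inventory against the practices covered above, namely password protection, encryption, unapproved apps, public WiFi, and remote lock and wipe. Field names, app identifiers, SSIDs and action names are assumptions.

```python
# Added example. All field names, app IDs, SSIDs and action names are
# constructed for illustration; they do not come from a real MDM/UEM product.
APPROVED_APPS = {"com.example.mail", "com.example.crm"}  # hypothetical allowlist
MANAGED_SSIDS = {"Corp-Secure"}                          # hypothetical corporate WiFi

# Constructed inventory snapshot, shaped like a device-management export.
INVENTORY = [
    {"id": "dev-001", "passcode_set": True, "encrypted": True,
     "apps": ["com.example.mail"], "ssid": "Corp-Secure",
     "reported_lost": False, "work_profile": True},
    {"id": "dev-002", "passcode_set": False, "encrypted": True,
     "apps": ["com.example.mail", "com.freegames.flashlight"],
     "ssid": "Coffee Shop", "reported_lost": False, "work_profile": True},
    {"id": "dev-003", "passcode_set": True, "encrypted": False,
     "apps": ["com.example.crm"], "ssid": None,
     "reported_lost": True, "work_profile": False},
]

def findings(device):
    """Return the policy violations for one device record."""
    out = []
    if not device["passcode_set"]:
        out.append("no-passcode")
    if not device["encrypted"]:
        out.append("unencrypted-storage")
    # Anything installed that IT has not approved is flagged by name.
    for app in sorted(set(device["apps"]) - APPROVED_APPS):
        out.append(f"unapproved-app:{app}")
    # A device that is offline (ssid None) is not flagged for WiFi use.
    if device["ssid"] is not None and device["ssid"] not in MANAGED_SSIDS:
        out.append(f"unmanaged-wifi:{device['ssid']}")
    return out

def response(device):
    """Choose the response the policy calls for."""
    if device["reported_lost"]:
        # With a separate work environment, only enterprise data is erased.
        if device["work_profile"]:
            return "lock+wipe-work-profile"
        return "lock+full-wipe"
    return "block-network-access" if findings(device) else "none"

def audit(inventory):
    """Map each device id to (violations, recommended response)."""
    return {d["id"]: (findings(d), response(d)) for d in inventory}

if __name__ == "__main__":
    for dev_id, (issues, action) in audit(INVENTORY).items():
        print(dev_id, action, issues)
```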
What Will The Future Of Mobile Device Security Look Like?
In the future, there will likely be more sophisticated mobile attacks in the enterprise. Although there could be new government regulations to combat the threats, it is not a good idea to wait for the law to catch up with technology. Current methods of security, such as encryption, might not be sufficient to handle future waves of malware that can immediately steal data. To combat this growing threat, enterprises must continually audit current solutions and consider new security measures, such as separating data and releasing security patches at a faster pace.
Meanwhile, enterprises should learn about every security solution at their disposal. To learn about the best ways to protect devices, read our exclusive report, “11 Best Ways To Improve Mobile Device Security.”