Monday, 11 March 2019

Are You Doing Enough on Mobile Device Security?

Each year, organisations invest millions in firewalls, anti-virus software, training and patching programmes. But how much is directed at mobile devices?

We all want to do our best to keep our corporate data and systems safe. Each year, organisations invest millions in firewalls, anti-virus software, training and patching programmes. But how much of this is directed at mobile devices?

Today, most of us are walking around with a computer in a bag or our pocket; that computer is as powerful as desktop computers were 20 years ago. That ‘computer’ has access to our office systems and, therefore, our corporate data.

This includes the documents, intellectual property and information which the device stores or to which it has access, plus the stored credentials and profiles which could potentially unlock other areas of your corporate network.

How secure are your mobile devices?

In this article, Grant McGregor consultants consider the bare minimum you should be doing to protect and secure the mobile devices you and your users are carrying wherever you go.

What Is Your Definition of Acceptable Risk?

Perhaps the best place to start when considering what you should be doing to secure your company mobile devices is your own corporate data centre.

What are you doing to secure your corporate data in your data centre? And if you’re securing your data there, why wouldn’t you secure the access to it from your mobile devices in an equivalent way?

In an ideal situation, you should extend the security principles of your data centre outwards as far as possible.

Of course, you can’t replicate all the security of your data centre on your phone. For example, you can’t lock it behind access-controlled doors or ensure it has two different power sources or two different communications providers serving it.

However, you may be surprised at the principles and number of systems that can be extended to secure your corporate mobile devices.

At a bare minimum you should:

- Keep and maintain clear records of phone data, e.g. device serial numbers, MAC addresses, etc.

- Protect your devices with remote device location and remote wipe

- Ensure strong passwords are used

- Ensure OS upgrades are up-to-date

- Enable on-device encryption

- Educate users about potential risks

Tackling User Behaviour

Over the last fifteen years, telecoms managers have had to manage the move away from homogeneous fleets of mobile devices, where, for example, every employee was issued a BlackBerry. Today’s workers usually use their own preferred handset, platform and network provider, which makes managing these heterogeneous estates much more difficult.

Different platforms pose different levels of risk. For example, iOS locks down the apps a user is able to install on their phone far more strongly than does Android.

As a result, user education is as important a line of defence in mobile device management as it is in your office environment.

- Educate users about the need to use strong 6-digit passcodes / biometric passwords to access the device. (Cyber Essentials recommends 8 or more!)

- Educate users about the need to ensure OS upgrades are installed as soon as possible in order to ensure devices are best protected from known vulnerabilities in the OS.

- Avoid saving passwords on the device.

- Training will raise users’ awareness of suspicious behaviour, e.g. being asked to install anything on their smartphone, suspicious emails that require them to visit a website and enter credentials, etc.
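The bare-minimum list in the previous section and the passcode guidance above can be turned into a routine inventory check. The script below is an added example, not Grant McGregor’s code: the `MIN_OS` version floors, the sample inventory and the `min_passcode` default are constructed assumptions, and `non_compliant` reports every device that fails at least one baseline control.

```python
# Added example (not the article's code): check a device inventory against the
# minimum baseline. MIN_OS floors, the sample inventory and min_passcode are assumed.
from dataclasses import dataclass

# Assumed per-platform minimum OS versions (constructed, not from the article).
MIN_OS = {"ios": (12, 1, 4), "android": (9, 0, 0)}

@dataclass
class Device:
    serial: str
    mac: str
    platform: str
    os_version: str
    passcode_len: int
    encrypted: bool
    remote_wipe: bool

def parse_version(text):
    """Turn '12.1.4' (or '12.0') into a comparable three-part tuple."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])

def assess(device, min_passcode=6):
    """Return the baseline gaps for one device as a list of finding strings."""
    findings = []
    if not device.serial or not device.mac:          # keep clear device records
        findings.append("inventory record incomplete (serial/MAC missing)")
    if not device.remote_wipe:                        # remote location and wipe
        findings.append("not enrolled for remote location and wipe")
    if device.passcode_len < min_passcode:            # strong passcode (8+ per Cyber Essentials)
        findings.append(f"passcode shorter than {min_passcode} characters")
    floor = MIN_OS.get(device.platform.lower())       # OS upgrades up to date
    if floor is None:
        findings.append(f"unknown platform {device.platform!r}")
    elif parse_version(device.os_version) < floor:
        findings.append(f"OS {device.os_version} below {'.'.join(map(str, floor))}")
    if not device.encrypted:                          # on-device encryption
        findings.append("on-device encryption disabled")
    return findings

def non_compliant(inventory, min_passcode=6):
    """Map serial -> findings for every device that fails at least one check."""
    return {d.serial: gaps for d in inventory if (gaps := assess(d, min_passcode))}

# Constructed sample inventory: one compliant device, two with gaps.
INVENTORY = [
    Device("SN-001", "AA:BB:CC:00:00:01", "iOS", "12.1.4", 6, True, True),
    Device("SN-002", "", "Android", "8.1", 4, False, True),
    Device("SN-003", "AA:BB:CC:00:00:03", "iOS", "12.0", 8, True, False),
]
```

Running `non_compliant(INVENTORY, min_passcode=8)` applies the stricter Cyber Essentials length and flags the first device as well.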

Lock Down the Network

In the same way that you lock down traffic across your network, it is possible to lock down the networks staff use to connect via their mobile devices. There is a sliding scale here, and your choice of action should reflect your perception of risk.

- Ensure Bluetooth settings are turned off.

- Educate users about the need to avoid publicly-accessible Wi-Fi.

- Turn Wi-Fi settings off and force users to use your mobile carriers’ networks (which are less susceptible to spoofing or “man in the middle” attacks – but be aware there is a considerable cost implication to this).

- Use a VPN connection for specific apps, content or connections (although a compromised device may still pose a risk).

- Force all traffic via a full tunnel VPN (although this has implications for the phone’s battery life, the user’s privacy, and your own infrastructure considerations about bandwidth, data flows and server maintenance).

Invest in a Mobile Device Security Solution

The traditional way to manage mobile devices is through a dedicated mobile device management (MDM) solution. An MDM or Enterprise Mobility Management (EMM) solution offers additional tools for centralised management of your users’ mobile devices.

This can include:

- Ability to prompt users to upgrade their OS.

- Network threat detection.

- Malware security, including whitelisting and blacklisting of applications.

- Create security policies that can be applied or adapted based on the device location, or the application or network being used – flexibly adapting security settings on the go.

- Install root or jailbreak detection software.

- Create rules for alerts and even, where high risk is identified, device wiping.

- Automated mobile device threat analytics and intelligence.

- Management and administration tools and reporting.

Deciding on the actions, necessary tools and policies needed to manage your own users’ mobile devices will depend very much on the potential threat and the risk appetite of your organisation.


If you would like advice about developing policies or finding solutions appropriate for your own organisation, speak with one of our consultants. Our team is always happy to guide you through this difficult subject.

For more information, help or advice, contact the Grant McGregor team on 0808 164 4142 or find out about our MDM Solution here.