Information security experts have a language of their own for describing the threats that companies and organizations routinely face. One especially useful notion from that lexicon is the "attack surface": the sum of all the points at which an attacker could try to get at an organization's information or financial assets, its intellectual property or its ability to conduct business.
Because any successful attack brings with it a chance of financial loss, legal or regulatory infractions, or damage to reputation, best practice for dealing with an attack surface means shrinking it (limiting exposure to unwanted or uninvited access), hardening what remains against attack, and imposing what's usually called "defense in depth." That means building multiple layers of protection around valuable assets, so that if one layer is breached the attackers aren't automatically handed the keys to the treasure vault.
All this makes security for mobile devices both important and vexing. The more that employees and contractors use mobile devices to access organizational systems, applications and data, the more important it is to protect such access. Furthermore, it's essential to prevent the mobile devices that are supposed to boost productivity and add to the bottom line from opening unauthorized means of access to information and other assets; this turns them into a danger and a possible drain on revenue instead.
Given that mobile devices are inherently moving targets used outside the organization's perimeter - and thus also outside its firewalls, threat management, spam and content filtering, and the other tools used to keep evildoers at bay - it's vital to apply a battery of best practices to the use of mobile devices so that exposure to risk and loss stays at a minimum. As any security expert will tell you, though, there's a fine line between enough security to keep things safe and protected and a smothering blanket of security that gets between people and the jobs they must do.
Although it's challenging and comes with some costs, the following list of mobile security best practices can help protect mobile devices and their users from unwanted exposure or unauthorized disclosure of company or organization IP, trade secrets or competitive advantages. Some of these practices aim at securing the mobile devices themselves, while others aim to protect the data and applications with which mobile users need to interact. All will help reduce risk of loss or harm to your company or organization.
1. Mobile Devices Need Antimalware Software
A quick look at new malware discovered in the wild shows that mobile operating systems, Android especially but iOS as well, are now regular malware targets, just as Windows, macOS and Linux have been for years. Anybody who uses a mobile device to access the Internet should install antimalware software on that smartphone or tablet and keep it updated; that goes double for anyone who uses the device for work. One caveat: on iOS, app sandboxing prevents a third-party security app from inspecting other apps, so "antimalware" there amounts mostly to keeping the OS patched, installing apps only from the App Store and using mobile device management (MDM) to detect jailbroken devices. On Android, Google Play Protect plus a reputable third-party product is the usual combination.
2. Secure Mobile Communications
Most experts recommend that all mobile device communications be encrypted as a matter of course, simply because wireless traffic is so easy to intercept and snoop on. Those same experts go one step further and recommend that any communication between a mobile device and a company or cloud-based system or service be required to pass through a VPN before access is allowed. VPNs not only provide strong encryption, they also provide a single point for logging, management and strong authentication of users who want to reach applications, services, remote desktops or other systems from a mobile device. Keep in mind that a VPN protects only the path from the device to the VPN gateway; applications should still use TLS end to end so that traffic isn't exposed once it leaves the tunnel, and split tunneling should be disabled on work devices so that corporate traffic can't bypass the VPN.
3. Require Strong Authentication, Use Password Controls
Many modern mobile devices include local security options such as built-in biometrics - fingerprint scanners, facial recognition, voiceprint recognition and so forth - but even older devices will work with small, portable security tokens or with one-time passwords delivered through a variety of channels, such as authenticator apps, email and automated phone systems. Beyond a simple account and password, mobile devices should be used with multiple forms of authentication so that possession of the device alone doesn't grant access to important information and systems. Prefer hardware tokens or authenticator apps over codes sent by SMS, email or voice call, which can be phished or redirected by a SIM swap.
Likewise, users should be required (not merely asked) to set a passcode on any mobile device that touches work data, and enrollment should enforce it. Companies or organizations should also decide whether the danger of loss and exposure justifies wiping the device's internal storage after some number of failed unlock attempts. (Most modern mobile operating systems support remote wipe of a lost smartphone or tablet; a mobile device management system extends that to older devices and adds a selective wipe that removes only work data and apps, which is the option BYOD users will accept.)
4. Control Third-party Software
Companies or organizations that issue mobile devices to employees should establish policies to limit or block the use of third-party software, preferably by allow-listing approved apps through MDM or a managed enterprise app store rather than relying on users to judge. This is the best way to prevent compromise and security breaches resulting from intentional or drive-by installation of rogue software carrying backdoors or covert channels that siphon information into the wrong hands.
For BYOD management, the safest course is to require such users to log into a remote virtual work environment. Then the only information that reaches the mobile device is the screen output from work applications and systems, so no work data persists on the device once the remote session ends. Provided the remote session is carried over a VPN or a TLS-protected connection, communications are secure as well - and companies can (and should) configure the remote-access client to block file downloads, clipboard transfer and screenshots to the mobile device.
5. Create Separate, Secured Mobile Gateways
It's important to understand what kinds of uses, systems and applications mobile users really need to access. Directing mobile traffic through special gateways with customized firewalls and security controls in place - such as protocol and content filtering and data loss prevention tools - keeps mobile workers focused on what they can and should be doing away from the office. This also adds protection to other, more valuable assets they don't need to access on a mobile device anyway.
6. Choose (or Require) Secure Mobile Devices, Help Users Lock Them Down
Mobile devices should be configured not to join open (unencrypted) wireless networks automatically, and to bring up the VPN whenever they connect to a network the organization doesn't control. Bluetooth should be hidden from discovery; in fact, when not in active use for headsets and headphones, Bluetooth should be disabled altogether. Prepare a recommended configuration for personal mobile devices used for work - passcode rules, auto-lock, encryption, Wi-Fi and Bluetooth settings - and push it to each device at enrollment, before the intended users start working on them.
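The passcode and failed-attempt-wipe requirements from item 3 and the "recommended configuration, pushed at enrollment" advice here are the kind of thing an MDM delivers as an iOS/iPadOS configuration profile. The following Python is an added example, not code from the article or from any MDM product: it builds a profile carrying Apple's documented `com.apple.mobiledevice.passwordpolicy` payload with the standard library's `plistlib`, then checks a profile against a baseline, treating a missing key as Apple's (weaker) default. The baseline values, the `com.example` identifiers, the organization name and the deliberately weak comparison profile are all constructed for the example.

```python
"""Build and check an iOS/iPadOS passcode-policy configuration profile.

Added example, not part of the original article. Payload keys are the
documented com.apple.mobiledevice.passwordpolicy keys; identifiers, UUIDs,
organization name and the baseline numbers are constructed placeholders.
"""
import plistlib
import uuid

# A baseline a practitioner might enforce on work-enrolled devices (assumed values).
BASELINE = {
    "forcePIN": True,            # a passcode is mandatory
    "allowSimple": False,        # reject 1234, 0000, repeating digits
    "requireAlphanumeric": True,
    "minLength": 8,
    "maxFailedAttempts": 10,     # device wipes after 10 wrong passcodes
    "maxInactivity": 5,          # minutes of idle time before auto-lock
    "maxGracePeriod": 0,         # passcode required immediately on wake
    "maxPINAgeInDays": 90,
    "pinHistory": 5,
}

# Deliberately weak profile for comparison: passcode optional, no wipe threshold.
WEAK = {"forcePIN": False, "allowSimple": True, "minLength": 4, "maxFailedAttempts": 0}


def build_profile(policy: dict, org: str = "Example Corp") -> bytes:
    """Return a .mobileconfig (XML plist) carrying the given passcode policy."""
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.passcode",   # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        **policy,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.baseline",   # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} mobile baseline",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,   # user cannot silently drop the policy
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def check_profile(profile_bytes: bytes, baseline: dict = BASELINE) -> list:
    """Return a list of findings; an empty list means the profile meets the baseline."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy"]
    if not payloads:
        return ["no passcode-policy payload present"]
    p = payloads[0]
    # A missing boolean key means Apple's default applies: forcePIN and
    # requireAlphanumeric default to off, allowSimple defaults to on.
    for key in ("forcePIN", "requireAlphanumeric"):
        if not p.get(key, False):
            findings.append(f"{key} is not enforced")
    if p.get("allowSimple", True):
        findings.append("simple passcodes are allowed")
    # Minimums: the profile must be at least as strict as the baseline.
    for key in ("minLength", "pinHistory"):
        if p.get(key, 0) < baseline[key]:
            findings.append(f"{key} below baseline ({p.get(key)} < {baseline[key]})")
    # maxFailedAttempts of 0 or absent means the device never wipes itself.
    if not 0 < p.get("maxFailedAttempts", 0) <= baseline["maxFailedAttempts"]:
        findings.append("device does not wipe after a bounded number of failed passcodes")
    # Maximums: absent means unlimited, which is weaker than any finite baseline.
    for key in ("maxInactivity", "maxPINAgeInDays", "maxGracePeriod"):
        if p.get(key, float("inf")) > baseline[key]:
            findings.append(f"{key} weaker than baseline")
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile can be removed by the user")
    return findings


if __name__ == "__main__":
    print("baseline findings:", check_profile(build_profile(BASELINE)))
    print("weak findings:", check_profile(build_profile(WEAK)))
```

The check is written so that absent keys are scored as the platform default rather than ignored, because that is how a profile that "looks fine" in an MDM console ends up leaving devices with no wipe threshold; the same pattern applies to a Wi-Fi or Bluetooth restriction payload. Supervised-only keys and the Android equivalents (`DevicePolicyManager` limits applied by a device-owner app) are out of scope here.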
7. Perform Regular Mobile Security Audits, Penetration Testing
At least once a year, companies and organizations should hire a reputable security testing firm to audit their mobile security and conduct penetration testing against the mobile devices they use, the mobile apps on them and the back-end services and MDM infrastructure those apps talk to, since that is where most mobile findings actually land. Such firms can also help remediate and mitigate whatever they discover, and they usually discover something. Hire the pros to do to your mobile devices what the bad guys will sooner or later try to do to you, and you'll be able to fix the weaknesses before the attackers find them.
Security, Mobile or Otherwise, Is a State of Mind
While mobile security may have its own special issues and challenges, it's all part of the security infrastructure you must put in place to protect your employees, your assets and, ultimately, your reputation and business mission. By taking appropriate steps to safeguard against loss and mitigate risks, your employees and contractors will be able to take advantage of the incredible benefits that mobile devices can bring to the workplace.
Just remember the old adage about an ounce of prevention. That way, you're not saddled with costs or slapped with legal liabilities or penalties for failing to exercise proper prudence, compliance and best practices.
Ed Tittel is a full-time freelance writer and consultant who specializes in Web markup languages, information security and Windows OSes. He is the creator of the Exam Cram Series and has contributed to more than 100 books on many computing topics.