The method that companies and their employees use to handle day-to-day operations has shifted dramatically in a short amount of time. In a world that is always on, employees are sometimes expected to be available even outside of typical business hours, which has fueled an increase in employees’ use of cell phones, tablets and other mobile devices for business use.
While mobile devices were once almost exclusively owned and managed by a business, employees are now bringing their own devices (phones and tablets) at an ever-increasing rate to connect to corporate resources. Most would view this as a win-win scenario for both the company and employee, but proper management of those devices is critical for it to truly be beneficial. A breach of company and/or customer data has proven itself to be quite costly for businesses, in addition to the reputational hit often sustained within a company’s industry.
While policies and procedures are a good starting point for bring-your-own-device management, there are many other additional security concerns to consider. For example, can the security on an iPhone be managed in a similar fashion as an Android-based device? What native security measures are deployed within these devices, and does it meet the company’s acceptable level of organizational risk? How should a business maintain a separation between an employee’s personal content and the company’s corporate content?
What is a Mobile Device Management Tool?
A good mobile device management (MDM) tool can help to bridge the gap between the convenience of employees utilizing their own devices and maintaining an acceptable level of security required by a company.
MDM tools are often cloud-based tools that function as an inventory system to track all mobile devices and serve as a hub to distribute security policies to the device. In the event a user attempts to bypass security restrictions (e.g., remove the password setting), the MDM tool automatically detects non-compliance and prevents access to any company resources. The functionality and availability of security policy restrictions will vary widely between different MDM tools. So how can you know what your company should expect from its MDM tool to effectively protect your business?
Below are a few considerations when either evaluating the functionality of an MDM solution or ensuring that your existing MDM solution and procedures are appropriately configured and effective.
1. Does your mobile device management tool account for differences among devices?
There are many different types of phones and tablets which all have varying levels of native security functionality. These differences must be understood and accounted for when designing device protection policies for MDM tools. For example, all of the information that resides on Apple devices is encrypted by default, whereas Android and Blackberry devices required additional configuration to encrypt the information.
2. Does your mobile device management tool have strong password requirements?
Passcodes or PINs are essential to ensuring the sensitive data on the device remains protected. This requirement may also be extended to biometric authentication (retina or fingerprint scans), which resides on most newer phones today and can provide a truer form of user identification than a PIN or passcode. A PIN or passcode, if enforced, should be no less than four digits (preferably six) and should disallow the use of consecutive digits or easy to guess passwords (e.g., 0000 or 1234).
3. What is the procedure when a device that contained company data is lost or stolen?
With most MDM solutions, remote wiping of the device can be easily performed. In addition, depending on configuration settings, a device can sometimes be tracked to help determine its location. When considering employee-owned devices, remote wiping and location tracking can be beneficial to the company, but it can also draw concerns from employees, especially when considering the balance between personal privacy and company property. If your company is remote wiping a device, does that also erase all information on the employee’s phone, which may include an individual’s photos, text messages and other personal data? Many MDM tools allow company data to be stored only within a container on the device, which is encrypted and allows remote wiping of only that container if a device is lost or stolen. It’s crucial for your company to have an agreement with employees as to what is acceptable by both parties.
4. Does your MDM alert your company to unrestricted access?
Jailbreaking and rooting of devices should also be disabled, and alerts should be created within the MDM policy to notify IT personnel if these acts are attempted. These methods of modifying a mobile device allow a user unrestricted access to the phone’s operating system, thus bypassing all security restrictions defined within the MDM tool.
5. Does your MDM consider device operating systems?
Device operating system restrictions should also be considered as a policy management item. Just as computer operating systems age over time and are no longer supported by the vendor, phone operating systems may go through a similar aging process. As vulnerabilities are discovered, device manufacturers release updates and patches to remediate them. Therefore, a company’s MDM policy should limit the versions of mobile operating systems to only those that are vendor supported to prevent malicious users from taking advantage of vulnerabilities that may exist on company-owned or employee-owned devices. In addition, some device manufacturers now allow users to test a beta version of an operating system. Beta testing versions are not meant for general public release and may contain many vulnerabilities that may make data on the device susceptible to compromise.
6. Does your MDM protect against app vulnerabilities?
Once thought to be limited only to computers and servers, malicious users are now focused on vulnerabilities and malware that target a mobile device’s app store (e.g. Apple’s Appstore or Google’s Play Store). The vetting and security review requirements vary widely per app store. For example, Apple’s Appstore requires an extremely thorough review process, which considers the safety, performance, security and design of the application. When designing security policies for MDM tools, a whitelist should be developed to ensure that users are only allowed to utilize apps that are developed by reputable businesses and deemed to be generally safe for use.
7. Does your company have a Mobile Device Agreement?
In addition to strong mobile device controls, the device users (your company’s employees) and their activities should also be considered. The most appropriate method of finding common ground between a user and the company is through a Mobile Device Agreement or an Acceptable Usage Agreement. Prior to granting access for mobile device usage, employees should be required to acknowledge and sign an agreement of acceptable use. These agreements may vary, but a few common things to consider are:
- Acceptable use of mobile devices (social media usage, app restrictions, use during work hours, etc.)
- User responsibilities and corporate responsibilities
- Reimbursement policy (if applicable)
- Supported and unsupported device types
- Security configurations and controls (strong passwords, log-outs after inactivity, lock-outs after invalid password attempts, ability to remotely wipe, device encryption, etc.)
- Company’s right to monitor and protect
- Policy enforcement and consequences of policy violation
Likewise, during the employee termination process, having controls to ensure your company and customer data is removed from personal phones and devices is crucial. Mobile device procedures should be built into termination checklists so that, as an employee is exiting the organization, all stored company data, email, cached data and access to resources is removed from personally owned devices.
Moving Forward with Mobile Device Management
The technology shift from traditional business equipment to mobile devices is here to stay, and it will be a fixture in the way companies perform business functions in the future. Embrace these technologies, as they can offer invaluable benefits to both the employee and business. As with any technology, companies must plan proper procedures and develop control activities to mitigate the risks associated with your sensitive customer and corporate data being more mobile.