But, these advantages come at a cost. The rise of employee-owned mobile devices in the workplace brings new security challenges. Protecting sensitive business data becomes more difficult than ever.
How much is mobile impacting security? A new study finds that employee’s mobile devices are increasingly the cause of data breaches. In fact, over two-thirds of IT and IT security professionals in the study claim that their organization likely had a data breach as a result of employees accessing company data from their mobile device.
So, what can you do about this? Can you ban employee-owned mobile devices? Of course not. Mobile is the new reality for businesses. Most businesses can’t possibly stop employees from bringing their own devices into the workplace.
So, how can you protect your sensitive data in this new, mobile world? Of course, one option involves providing your employees with company-owned devices. If you take this route, you can set up Mobile Device Management (MDM) tools, and control the devices.
But, this still doesn’t ensure that employees aren’t also using their own mobile devices in the workplace. The question is…how can you protect your mobile data across devices that you can’t control?
Today, let’s explore this question. Here are 5 steps you must take to protect your business data in a mobile world:
1. Educate, Educate, Educate
Do you really want to assume that users know how to securely use their phones, or protect the data on their devices? Do you think they’ll know to avoid public wifi, phishing emails, malware, or any of the many threats to mobile security?
The first step in keeping your data secure in the mobile age is education. Your employees must understand best security practices for their mobile devices. We won’t get into all of them here, but if you want to read more, we’ve outlined 14 security tips for mobile users, in this two-part article (part 1, part 2).
2. Implement BYOD policies
It’s the new mobile reality. Employees will bring their own devices into the workplace. They will use those devices for work-related tasks–often without the company’s knowledge.
Most of the time, employees aren’t trying to do anything malicious. They’re just trying to get their job done. The problem is, when employees don’t understand what they can (and cannot) do with their personal devices, you put your data at risk.
What should you do? As explained below, creating clear BYOD policies is one of the first steps you should take. If you want to avoid accidental security breaches, employees must understand the rules and restrictions of personal devices.
“Companies can combat these threats by having BYOD (Bring Your Own Device) policies and Acceptable Use policies for personal assets,” says Christopher Roach, Managing Director and National IT Practice Leader of CBIZ Risk & Advisory. “This could include the use of application software loaded onto these mobile devices that encrypts data and requires additional measures in order to access company information on the device. The key to protection is two-fold – both technology and training must be utilized in order to provide the best protection for the company. The company should have the ability to “wipe” the mobile asset remotely if it is loss or stolen, thus reducing or eliminating the risk to the company.”
What makes a good BYOD policy? As explained above, BYOD policies include both technology and training. We won’t get into every aspect in this article, but it’s a topic I’ve covered in a previous article, which you can find here. Additionally, if you’d like to learn more about technology to help you manage BYOD, here’s a roundup of solutions over on PCMAG.com.
3. Treat the device as a portal
“The best way to protect data on a mobile device is to not have any data on it in the first place,” says Brian Allison, Senior Account Executive at Innovative Network Computer Solutions. “As we’ve seen from some of the recent activity with the San Bernardino iPhone and even more recent activity by the LAPD, devices can be hacked and without the manufacturer’s assistance. The assumption needs to be that data outside the four walls of the enterprise is subject to compromise (and yes, inside the four walls it can still be compromised, but the defenses can be better controlled there).
Instead, the mobile device, whether tablet or phone, should only be used as a portal to view information. It’s possible to have full rights to the data being viewed, to not only read it but to also make changes to it, but the data itself stays on the server, wherever that may be located. That way, if the device is lost or stolen, it can be shut off in terms of network access at a moment’s notice to make sure the data remains protected.”
4. Define what data needs to be protected
Now, if you treat the device as a portal, should you make all of your data available to mobile users? Not at all. One the biggest data security mistakes is making too much data available on mobile devices.
Just because you can make it mobile accessible, doesn’t mean you should. The fact is, much of your data should not be accessible on mobile devices. Why? Maybe it’s sensitive data, or maybe making it accessible via mobile devices offers little value.
For instance, your salespeople might need product and customer location data available on their smartphones. But, do you need sensitive HR data available outside of the office? Not only is it sensitive data, but offering access via mobile devices provides little value. It’s a high-risk, low-reward option. As explained below, understanding which data needs the most protection is one of the most important steps you can take.
“Define what needs to be protected,” says Ali Solehdin, Product Expert at Absolute. “Data is a big bucket for most organizations and attempting to protect everything is an expensive and unrealistic approach. For a first step you should determine what data is important and sensitive, where it is located, and who is authorized to access it. Run data audits across all mobile endpoints to determine what data is stored on these devices and align it with the end user to verify that access is warranted.
These initial steps will define the scope of the work and allow you to focus your planning and resources only on data that requires a higher level of security. Once this initial work is complete, you can create a mobile data strategy that supports your specific requirements.”
5. Use best security practices in development
Why does this happen? As explained in the article, much of it boils down to priorities. For many businesses, security takes a backseat to development speed. As developers rush to meet deadlines, security often gets glossed over.
However, with the added security risks of mobile, businesses cannot afford to ignore security in the mobile development. As explained below, you must follow security standards in any mobile development project.
“Anyone developing mobile applications should utilize industry accepted security standards and best practices to reduce the risk of compromise,” says Kristen Peed, director of corporate risk management at CBIZ. “For example, minimum standards should be developed (and trained on) the PCI Mobile Payment Acceptance Security Guidelines, OWASP Mobile Top Ten vulnerabilities and mitigation practices, and incorporate application vulnerability assessment and code review throughout the development process and routinely after deployment.”
These are just 5 mobile security tips for business, but the list could certainly be much longer. If you would like to add anything to this list, I’d love to hear it. Feel free to share in the comments.