If less than half of organizations have mobile device security policies or, at the least, a good handle on protecting critical data stored on employees’ devices, as many consultants and industry trackers estimate, it’s time to tighten up. Here are 10 basic steps to an airtight mobile system:
1. Craft, implement and police mobile device security policies. Document basic, thought-through policies that prescribe who gets what device, how they can be used, what network access will be available to whom, and how the policies will be enforced and by whom. Cover all the details. “A lot depends on the value of the data to be protected–lunch menus don’t matter; [sales] contracts do,” underscores Craig Mathias, a principal at the Farpoint Group, a wireless and mobile computing consultant in Ashland, Mass.
3. Standardize on company-purchased devices, ideally from one vendor. Having willy-nilly rogue devices with multiple operating systems is understandably more difficult to manage and protect.
4. Run education and user awareness campaigns. Basic technology education and training techniques work. Routinely repeat training; one global electronics manufacturer does quarterly sessions.
5. Consider two-level protection. At the corporate network level, device management software maintains and monitors device access and allows locking or wiping out access to a lost device. At the device level, use whatever security protection comes with the device itself, such as personal identification numbers (PINs)-although this is easier said than done, as most users don’t take the time to implement PINs or other security on their devices.
6. Use encryption and/or security capabilities of in-place software. At professional services firm Avanade, with 2,500 laptop-equipped employees (about 300 of whom use their own personal digital assistants), highly confidential documents cannot be sent unless they’re encrypted using rights management features within Microsoft Office 2003, according to Craig Nelson, Avanade’s information-technology director. (Avanade is partially owned by Microsoft.)
7. Consider identity authentication. Passwords and PINs are basic security measures. There’s growing number of more sophisticated schemes to authenticate users, including physical keys such as smart cards as well as fingerprint and biometric readers. For two-factor authentication, these can be used with passwords, PINs or other code. Likewise, software can, for example, make automatic callbacks to a mobile device or lock the device after three unsuccessful log-on attempts. About one-fourth of companies currently use authentication call-back to a mobile device to address insider threats, but 47% had no plans to do so, according to the Aberdeen Group’s benchmark on insider threats. Generally, authentication is more stringent in the security-conscious health-care and financial-services industries.
8. Install antivirus software on the network and on the device itself. Third-party software providers, which have perfected antivirus protection for PCs in the U.S., are scurrying to develop suites for both mobile devices and corporate networks. (Costs for antivirus/malware mobile security are expected to match what companies spend on securing desktops.) In Europe, where both mobile usage and instances of viruses are higher, some communications providers offer antivirus protection as part of the call package.
9. Secure data where it exists on the network and the device. “Our best practice is what we call thinking end-to-end, with data properly secured wherever it exists on the network,” Mathias says. “End-to-end” seems to be the new vendor mantra for mobile device protection.
10. Remember the users. As Brian Serra, senior security consultant at integrator Forsythe Solutions Group, points out, don’t make wireless security so cumbersome that employees install their own access points or other workarounds.
