CIOREVIEW >> Mobile >>

Reforming Security Policy: Prioritizing the Value of Safety in Mobile Devices

By CIOReview | Tuesday, July 26, 2016

In the era where information technology binds major business operations together, mobile devices such as smartphones and tablets act as handy tools to achieve specific business goals. However, apart from being a boon for enterprises, mobile devices also represent a significant risk in terms of information and data security. Ignoring the value of appropriate security procedures and applications invites the risk of unauthorized access to the company’s data and IT infrastructure, subsequently paving a path for data leakage. To incorporate a considerable level of sophistication and security, adopting a mobile device security policy is always considered as a wise initiative. A reliable security policy stages three vital components: a software application to manage the devices connected to the network, a written policy that outlines the responsibilities of both employers and users, and an agreement to be signed by the user acknowledging that they have read and understood the policy.

The biggest pre-existing challenge is that users in an enterprise fail to recognize that mobile devices form a wide platform of threat for IT and data security. Underestimating the impact that may occur, they often do not effectuate the same security and data protection strategies as they would on desktop computers. The second challenge is that when users use their own devices, they often give utmost gravity to their own rights on the device rather than their employer’s need for effective data protection.

To overcome the aforementioned challenges, a robust and well-planned security policy gives a framework for securing the mobile devices, also linking other policies that reinforces the company’s control over IT and data security.

The urge for writing a security policy

Writing a mobile device policy forces companies to predict the scenarios before they grant the freedom for employees to use their own smartphones and tablets on the company’s network. To narrow down the complexity involved in planning a policy, an enterprise should consider the following questions: Which security tools offer the desired level of protection for the devices connected to the network? Which web browsers should be used by the employees? What level of support can we expect from IT? To make sure nothing is missed out, constant co-ordination with the company’s IT, HR, accounting and legal executives might turn out to be beneficial.

Network security

Strong authentication and encryption of sensitive data are always considered as the supporting pillars of an IT network infrastructure. While a security policy will mention, for instance, that a two-factor and/or mutual authentication is mandatory and a VPN should always be used while accessing the company’s network remotely. The policy may even restrict the choice of certain network carriers.

With the aim of guiding your organization to tackle various forms of data vulnerabilities, we present a step-by-step security procedure.  

1. Create Robust Security Policies.

Focusing on the basics first, creating a mobile device security policy is always a necessary step. Establish an appropriate control that swiftly aligns with your corporate policies and makes total sense for your organization. For instance, an organization in a highly balanced industry will make sure that all data stored on the employees' mobile devices as well as any removable device used with those devices are encrypted. Whereas, enterprises from other industries may consider the approach to be unnecessary.

2. Incorporate the Existing Security Policies into Mobile Devices.

While securing a mobile device with security policies, always carry the existing policies. For example, for accessing the company’s network if you need passwords with 12 characters including at least one symbol, uppercase and lowercase, then the same rule should be applied for any other mobile device. Also, decide whether the feature Bluetooth file-sharing will be enabled for mobile devices which are intended to be blocked from accessing the enterprise network.

3. Put the policies into action.

The next step involves effective execution of the policies with the help of mobile device management (MDM) tools. Without effective enforcement of policies, employees will consider your mobile security policy as optional set of rules, especially if your company sports a bring your own device (BYOD) work policy.

4. Maintain a list of all the Mobile Devices.

To incorporate security measures efficiently, it is crucial to keep a list of all mobile devices that are being used to connect to the enterprise network. You may be inclined to underestimate this step and consider it unnecessary, but knowing about the devices is as important as securing them. For instance, if your BYOD program only supports iPhones and Android devices, but some employees are using BlackBerry, then you must reconsider your policies, or else verify whether that devices are being blocked.

5. Set the criteria for proactively wiping the devices.

While fabricating the mobile device security policies, in addition to the password based security, define a protocol to wipe the data completely during imperil events. For example, devices can be assigned with the feature of deleting all its contents after 6 failed login attempts, or when an employee reports the device to be being lost or stolen. Security tools can be also used to wipe the data on any device that hasn't been connected to the company’s network in a specified period of time.

6. White-listing the apps.

Adopting the white-listing reduces the risk of unauthorized access; restricting and controlling the type of apps that employees can install on their devices. If a company allows installation of any app on iPhones or Android phones, it simply means inviting a potential threat into the company. So, from a security perspective, incorporating the feature of white-listing is always a wise option. Additionally, if the process of getting new apps approved requires the hassle of waiting for a long time, employees will be filled with disgust.

While the mobile security arena may have its own challenges and issues, its all a part of the security infrastructure you must streamline. By taking precautionary measures and dealing with data loss, your employees will be able to leverage enormous benefits from the mobile devices at workplace.