Got mobile-security sieves within your workforce?
Mobile devices are ubiquitous among every business, every staff, in almost every situation. That can mean a happier, more connected company of employees, but it also means a nexus of security issues, when it comes to the information that your workers can access, and easily compromise at that.
We're not talking about malicious people! But a weakened state of mobile security is ripe for unwitting open doors, when it comes to third-party intrusion. The facts are the facts.
A recent InformationWeek study showed that 80% of mobile devices at work tap into enterprise data, requiring just a password to do so, and that 86% of them are not hardware encrypted.
As report writer Michael Finneran put it: that can mean "security gaps big enough to drive a semi through." If your resolution this new year is to close that hole, here are five things you can do to improve mobile security, and keep your data networks "semi" free.
1. Stem the Flow of BYOD: Some 65–92% of employees bring their own mobile devices to work, meaning everything from laptops to smartphones. All those different platforms, and all those different versions — plus company policies that are, in the main, about simply trusting workers to do the right thing when it comes to passwords, permissions, and in-the-network behavior — create security gaps. First things first, one way to control the increasingly varied environment of mobile and personal data is to red-light the bring-your-own-device culture until you've decided what training and policies should guide the mobile landscape.
2. Secure the Mobile Perimeter: Having temporarily closed the dam, now look at the anti-malware measures that your company's mobile policy has put in place. Got one? If not, you're among the 80% of businesses in the survey that said they don't use anti-malware on all mobile devices.
3. Visit and Re-Visit Wi-Fi Policies: While you're looking at what's on the devices your employees use, look also at the system that's allowing information to flow to them (and back). Corporate-data Wi-Fi should be at the level of WPA2 encryption, not the old-school WEP passwords — or even the earlier WPA systems — that nearly half of the businesses responding to the InformationWeek survey still use.
But that's not all. Every employee accessing your network remotely on a separate Wi-Fi system — from home, for example — needs to conform to secure-connection standards as well. At-home workers should be connected via VPN.
It's also not sufficient to have good policies in place, unfortunately. You have to monitor your well-protected Wi-Fi after it’s in place. Couple strong mobile Wi-Fi encryption practices with a regular scouring of your network for unauthorized access points and sources of interference. Most businesses that are among the 26% actively monitoring their network for these problems use a separate wireless intrusion-detection system, or they get one as a built-in part of their wireless LANs.
4. Focus on Tablets and Smartphones: If there's a new sieve in the mobile security space, it's the result of policy gaps surrounding ubiquitous phones and tablets. To help lock down the data compromises that these can introduce, require some basic steps:
(a.) Power-on passwords for all devices carrying corporate data.
(b.) Passwords must be as complex as possible. No four-digit open-sesames.
(c.) Every device should have to carry an on-unit security certificate or token.
You can augment and streamline these steps by creating and keeping up-to-date a list of mobile devices that meet or exceed company mobile-security policies.
5. Implement a Mobile Device Management System: These are the central nervous system of a robust mobile-security environment. MDM systems allow you to look at and control the information on any mobile device to which it's attached. This creates a quantum shift in the kind of control that you can exercise. Apps can be white- and black-listed; you can even create an in-company app store, rather than allowing users to bring in any kind of un-vetted software. Meanwhile, jail breaking and tampering with devices tips off the MDM system, and lost or stolen units are eminently wipeable. InformationWeek has created a buyer's guide to the MDM environment.