8 Tips for More Secure Mobile Computing
Mobile devices are a huge part of enterprise IT. Here's what to advise their users to do to keep their devices — and critical business data — best protected.
October 23, 2019
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt729a7aeb50330ba1/64f0d4f8cf4d247602d0b833/Image_1.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Security professionals often talk about the importance of enlisting users as allies in the battle for better security. When it comes to mobile security, that alliance must be a working reality rather than a managerial dream — namely because these handheld machines are typically employee-owned, thus placing their use and precise configuration out of the hands of enterprise IT.
Developing this partnership begins with convincing users they're an important part of business security. Depending on the industry, that could include training on regulations as they apply to mobile devices, education from cyber insurance companies, and presentations from intellectual property attorneys.
Once employees are on board, what specific actions should be encouraged? We went looking for best practices across the Internet, and eight kept showing up. It's important to note that only two of them require products or services that aren't included with most mobile devices. Two of the tips involve user behavior. And the other four are all about using features of the mobile device or operating system in the most secure manner possible.
We'd also like to know about your best practices. What actions or technologies not on this list are critical in your organization? Conversely, is there anything on our list you've found to be unnecessary? Let us know in the Comments section, below. After all, good communication about security is definitely a best practice.
(Image: bnenin via Adobe Stock)
Start with the most basic point: Nothing else matters if anyone can pick up a mobile device and start using it. Ensuring that the person using the device is authorized to do so is Job No. 1 when it comes to mobile security.
There are, at this point, a number of ways for that authentication to take place. A reasonably strong passcode is one. Biometric authentication is another. In either case, if it's not enabled, it can't be effective.
One of the things users don't want, and won't tolerate, is security that adds a great deal of "friction" to the user experience. That's what makes user authentication so attractive. It adds very little friction for users, while adding plenty of friction for unauthorized individuals. That greatly lowers the chances users will try to find a way around the authentication process.
Malicious actors feast on out-of-date operating systems. That's as true for mobile operating systems as it is for OSes on servers and laptops. And the rise of Web-facing enterprise apps means it's less likely that an OS update will break critical enterprise functionality.
All mobile OS vendors have a regular stream of "point" updates and smaller security patches that are released on a schedule. These should be automatically applied unless the IT team has information indicating that something specific will break in their application infrastructure.
That said, when major updates are released, both IT and security teams should exercise caution. These major updates, marked by new names or version numbers, frequently have issues that are uncovered in the first few days or weeks of public release. Many experts recommend waiting until the first point update before upgrading to the new OS so as to avoid acting as a high-stakes guinea pig for the vendor.
Every mobile OS vendor updates its operating system to patch known vulnerabilities. And users can ignore those patches and improvements by jailbreaking their devices. While a jailbreak (escalating user privilege to get around the OS vendor's software restrictions) is a way to get "forbidden" apps and functions onto a device, it's also a good way to roll out a welcome mat for malicious apps.
Of course, it's relatively easy to say, "Don't jailbreak your device," and most users wouldn't consider going through the process required to eliminate the built-in protections on their phones or tablets. But, as with so many vulnerabilities, it doesn't take very many points of access for an attacker to inflict considerable damage.
One of the anti-jailbreak strategies for enterprise IT and security teams involves understanding why employees want to jailbreak their devices and then offering them "legitimate" ways to get the same functions and features. While some employees might be reluctant to give away the "rebel" feeling that comes from a jailbreak, it's likely most will be happy with a more secure way to get the functionality they need.
Among a mobile device's distinguishing characteristics is its ability to go virtually anywhere its user goes. That means it can be found in places considered to be hostile environments for sensitive enterprise data.
What makes an environment hostile? In many cases, it takes no more than an easily accessible Wi-Fi network to make a location unfriendly. And that danger comes from a combination of mobile device behavior and Wi-Fi capabilities.
Most mobile device users think their devices are safer than laptop computers because they communicate over cell data networks. It's true that the tools for intercepting Wi-Fi signals are more common than those for cell data transmissions, but in an attempt to be helpful, most smart mobile devices will use a Wi-Fi connection if one is available and will prioritize Wi-Fi over cell data for communications. Many best practices lists suggest turning Wi-Fi and Bluetooth off to avoid connecting to a less secure network, but users are typically loath to disable any device capabilities. That means security teams must explain why Wi-Fi networks are less secure and how to protect data when they're being used.
One of the best ways to protect data from the ravages of insecure networks is to encrypt it in transit. Such encryption calls for a virtual private network (VPN) between the two ends of the conversation.
Some mobile device users think they don't need a VPN because they see cell data networks as inherently safe. While it's true that sniffing cellular data is more difficult than pulling traffic from a Wi-Fi network (and illegal at a federal level), it can be done. But that's not the real reason encryption is so important.
Most mobile devices spend a great deal of their lives communicating via Wi-Fi. And most mobile devices spend a great deal of their lives someplace other than inside the office. Put those factors together, and they make for circumstances that require a VPN's protection. Whether an organization opts to use a single on-premises VPN provider or requires a VPN selected by the employee, make sure that network sessions are encrypted through a VPN tunnel. A big piece of this is educating employees to not just have a VPN installed on their devices, but to use the VPN at all times.
Devices that can be carried by an employee can be lost or stolen. That means the data on those devices can be lost or stolen, as well. And even if systems and policies are in place limiting the sensitive data on mobile devices, employee login information and pieces of authentication data are likely to be attached to the device and wandering around with the hardware. This exposure is why the ability to reach out and remotely wipe the data on mobile devices is a critical part of mobile security.
Both iOS and Android devices come with the capability for remote wipe, which should be enabled on all enterprise devices. Clear policies also should be in place for how long the search for a missing device will continue before it is cleared.
It's true that most mobile device management (MDM) systems used by enterprises have remote wipe as a capability. The point is that, especially if the enterprise is not supplying the device, employees may not welcome the presence of an MDM client on their personal smartphones or tablets. The capability for remote wipe should be part of the security toolkit no matter which mechanism is used for implementation.
Many people don't think of mobile platforms as susceptible to malware in the same way that laptop and server operating systems have become. But malware and zero-day vulnerabilities are as much a reality for mobile platforms as they are for their more massive relatives.
Anti-malware systems exist for both iOS and Android systems. Prudent security practices indicate that anti-malware software should be in place on every mobile device attaching to enterprise networks and data.
Anti-malware protection is important, not just for the security of the mobile device, but because these small systems can become very large points of entry for attacks on the enterprise network. Anti-malware software tends to have a very small impact on performance at the device level, and ransomware or remote access Trojans can have a huge impact on the organization, so the balance is clear: it weighs in favor of the protective software.
When employees conduct business using their mobile devices, it's likely that some critical data will reside on those systems. And even if critical data is stored only on enterprise servers, the employee's productivity will depend on a mobile device set up with the applications needed. That's why a current backup of applications and data is important for securing enterprise data and productivity.
As with many security functions, device backup is a feature of every mobile operating system. And, as with the other functions, it has to be enabled before it can be effective.
Device backup, whether to a laptop computer or a cloud service, should be a requirement for every enterprise-connected mobile device. A solid backup makes recovery from malware or device loss possible, and makes a remote device wipe far less painful (and therefore much more likely to be performed) than for an unprotected device.