10 Tips for More Secure Mobile Devices
Mobile devices can be more secure than traditional desktop machines - but only if the proper policies and practices are in place and in use.
June 27, 2018
Computing and mobile computing are, to an ever-growing degree, the same thing. According to research by StoneTemple, at the beginning of 2018, 63% of Web traffic comes from mobile devices; they expect the number to pass 2/3 of all traffic by the end of the year.
Most users, and most security professionals, seem to think that mobile platforms are inherently more secure than traditional desktop and laptop computers. In many circumstances that's correct, but that assumption can lead to behaviors that carry significant risks.
Fortunately, there are steps a security team can take to secure mobile devices: Some of these are actions that the security team should take, while others are actions that should be taught to users. Many of these steps fall squarely in the "it just makes common sense" category of things. That doesn't mean that security pros and users alike don't need a reminder to check for each of these to be on their list of positive behaviors — and on the list of results to be enforced by policy on all devices.
There are many behaviors that can contribute to mobile device security or risk. We'd be interested in hearing about the behaviors that you see as important — but that didn't make our list. Use the comment section to let us know what we missed.
In any ecosystem, there are individuals who feel they have a better way of doing things. For mobile devices, those feelings are often expressed through jailbreaking, or installing non-canonical operating system versions. In a surprise to no one, jailbroken phones represent a huge security vulnerability.
Beyond sidestepping vulnerability patches and enhanced security functions, OS versions available from jailbreak sites can carry malware of their own. While there are a handful of app-specific benefits that a jailbreak may offer, none are worth the enterprise risk that jailbreaks represent.
The two most effective tools in the fight against jailbreaks are user education and MDM that enforces specific OS versions for devices that connect to the enterprise network.
Good encryption is a critical component of good security. There's little debate about that. The trouble is, there are many users (and more than a few IT departments) who believe that mobile devices are inherently secure and don't require encrypted communications.
While cellular communications are more secure than the average Wi-Fi link, they're not impregnable. Sure, it's illegal to intercept cell signals, but it's not impossible. And most mobile devices are able to connect to both cellular and Wi-Fi networks, often without the user being aware of which is being used for data transfer.
The solution is straightforward: Equip mobile devices with VPN software and require their use. Encrypted communication tunnels solve the same problems for mobile devices that they do for traditional endpoints, with the additional advantage of taking away a user's need to know what sort of network is carrying their data.
One of the great things about mobile devices is that they're always at hand, ready for use. A strong password (or any password, for that matter) can seem an offense against the basic concept of a mobile device, since it adds friction and time to the process of beginning a transaction.
By some estimations, one in four financial services breaches start with a lost or stolen device. IT security professionals can't bolt devices to users' hands, but they can require passwords so that a lost device is an inconvenience rather than a catastrophe.
Biometrics can ease the burden on users if the specific mechanism meets the security requirements of the organization. Whether a known password, a fingerprint, or a face is used for authentication, no enterprise should allow unprotected smartphones to hold any sensitive information.
There's a misconception that some smartphones don't get malware-infected. That's obviously not the case, and anti-malware software is a serious advantage for mobile devices.
There are anti-malware products and services available for all mobile platforms - though some of them may not look like traditional antivirus applications.
As with several other items in this article, anti-malware can be required for network connection by an MDM suite that enforces policy. As more mobile devices are recruited for botnets, the understanding of the importance of running anti-malware on these devices will grow.
Smartphones and tablets are highly likely to contain both enterprise and personal information. IT security should protect both by using software to partition the device data into personal and enterprise data.
Partitioned data allows the IT security staff to delete corporate data when the employee leaves the company, when the device is lost or stolen, or when the employee is on international travel where frequent border crossings (with their possibly intrusive device scans) are part of the itinerary.
Thoughtful data partitioning will allow the user to protect their personal data, corporate IT to protect sensitive IP, and all parties to concentrate on the business at hand rather than the state of the corporate data on a phone.
As mobile devices have been increasingly used as primary computing platforms for executives, sales professionals, and other mobile workers, the value of the data generated and stored on those smartphones has increased. That's one of the reasons it's so important to have an effective, comprehensive data backup program in place on every mobile device.
Whether the device backs up to a cloud service or by synchronizing with a laptop computer, all data on the smartphone or tablet should be securely backed up on a regular basis.
Some device ecosystems include provisions for regular backup while others require the use of third-party software. In either case, IT professionals should be leading the move to fully backed-up mobile devices across the enterprise.
Mobile devices aren't just tools for carrying on conversations and generating data; they're also keys to the enterprise application kingdom. That's why the logical doors that open enterprise apps should be protected by two-factor authentication.
Devices themselves won't be protected by 2FA, because the devices are themselves so often used as one factor in an authentication scheme. Rather, individual applications, networks, and services can be set up to require more than a simple password to access.
Two-factor authentication is becoming more widely accepted in corporate application environments; it should be required, whether the endpoint is a laptop computer or the latest smartphone.
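The device-side controls described above (enforced OS versions, jailbreak status, device lock, VPN, anti-malware, data partitioning, backup) can be evaluated together as one posture check before a device is admitted to the network. The following is an added example, not code from the article or from any MDM product; the field names, sample fleet records, and minimum OS versions are constructed assumptions.

```python
# Added example: MDM-style posture gate. Field names, fleet records and the
# minimum OS versions are constructed for illustration (assumptions).
MIN_OS = {"ios": "11.4", "android": "8.1"}
REQUIRED = [
    ("device_lock", "no password or biometric lock"),
    ("vpn_enforced", "VPN not enforced"),
    ("antimalware", "anti-malware missing"),
    ("work_partition", "enterprise data not partitioned"),
    ("backup_enabled", "backups disabled"),
]

def parse_version(text):
    """'11.10.1' -> (11, 10, 1), so 11.10 sorts above 11.4 (string compare would not)."""
    return tuple(int(part) for part in text.split("."))

def evaluate(device):
    """Return policy violations; an empty list means the device may connect.
    Missing or malformed attributes are violations (fail closed)."""
    problems = []
    floor = MIN_OS.get(device.get("platform"))
    if floor is None:
        problems.append("unsupported platform")
    else:
        try:
            if parse_version(device["os_version"]) < parse_version(floor):
                problems.append(f"OS older than {floor}")
        except (KeyError, ValueError, AttributeError):
            problems.append("OS version unknown")
    if device.get("jailbroken") is not False:
        problems.append("jailbroken or integrity unknown")
    problems += [label for key, label in REQUIRED if device.get(key) is not True]
    return problems

COMPLIANT = {"platform": "ios", "os_version": "11.10", "jailbroken": False,
             "device_lock": True, "vpn_enforced": True, "antimalware": True,
             "work_partition": True, "backup_enabled": True}
FLEET = {  # constructed sample records
    "phone-a": COMPLIANT,
    "phone-b": {**COMPLIANT, "platform": "android", "os_version": "8.0", "jailbroken": True},
    "tablet-c": {k: v for k, v in COMPLIANT.items() if k not in ("jailbroken", "backup_enabled")},
}

if __name__ == "__main__":
    for name, record in FLEET.items():
        issues = evaluate(record)
        print(name, "ALLOW" if not issues else "BLOCK: " + "; ".join(issues))
```

Two-factor authentication is left out of the device check because, as noted above, it is enforced by the applications and services rather than by the device itself.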