Mobile technologies have introduced a completely new world of risks to organizations that use them. While many larger enterprises have the resources to mount comprehensive campaigns, the era of mobile computing has placed smaller companies smack in the middle of a widespread and proliferating security crisis.
Here are three steps to help SMBs develop smarter mobile security policies in this ever-changing landscape.
First step: policy
Map out a security and mobile device policy that clearly separates personal and corporate data commingled on devices. Employees need to know specifically what they can and can't do on their mobile phones. You should write a user-focused rules of behavior document that every employee must understand and sign before they are granted access to your network.
Second step: education, access controls, and audits
It’s important to educate users on both the risks the devices present to the organization and your expectations of conduct. But strong, clearly stated company policy should also be consistently enforced through access permissions, published audit reports, and other sanctions. Frequent reminders that are integrated into general company-wide communications can make it clear what is expected and create a culture of good stewardship of digital devices and network resources.
Users should also be taught about the many basic precautions they can take to mitigate risks associated with lost or stolen devices -- and how to keep both personal and corporate resources significantly safer. These steps include:
- Setting lock screens with strong passwords of 8- to 10-character minimum length
- Installing anti-virus/anti-malware apps
- Implementing data encryption
- Securely backing up all data
- Installing device locator and remote wiping capabilities
- Keeping operating systems and apps updated
Third step: ongoing monitoring
Continuous monitoring and measurement will be essential to address known and emerging threats. This effort requires focus, discipline, leadership, and innovation involving:
- People -- trained, skilled information workers
- Culture -- a true concern for protecting employee data
- Leadership -- for the big picture, and priority setting
- Process -- You can't improve what you don't measure. What are you doing with the technology once you buy it?
- Technology -- Is it implemented properly? Are you monitoring it? Is it integrated across your entire enterprise?
Strategies to monitor and assess devices and their data should include identification of all mobile devices accessing your network of IT assets, real-time monitoring and correlation of all activity, and both alerting and reporting on violations of security policy, user privacy, and compliance.
For companies of any size -- but especially SMBs -- the most essential and urgent task at hand is to build a culture of good stewardship of devices and data through a robust and detailed company policy and consistent enforcement at all levels, from entry-level employees to CEOs. Everyone in a company has to work together to combat intrusions and data loss.