Developing an Effective Mobile Security Policy
The lack of an effective mobile security policy is a root cause of many failed security efforts. The policy must be risk-based, covering all identified risks to mobile devices, both organization-issued and individually owned, and all user groups, including regular employees and temporary contractors.
The policy development process should determine which applications are to be made available to which mobile user group and on what types of devices. Typical mobile applications may include email, sales force automation, field service applications, dispatching, extended CRM, etc. These applications can drive productivity and revenue growth if deployed and managed securely.
An effective security policy needs to translate regulatory compliance requirements clearly into the organization's risk management processes and procedures for protecting data from loss or compromise. It also needs to state clearly the user's responsibilities for device configuration, usage, data backup and protection. The information stored on a mobile device should be limited to what is actually required while on the move.
In addition, the policies must be enforceable through active IT monitoring and software tools. Organizations should review the policies regularly to take into account any new security threats arising from changes in the business environment.
Ensuring Employees' Responsibility and Awareness
The employee is a major factor, for good and for bad, in mobile security. In a recent CSO survey, 28% of all mobile users reported using their mobile devices to access the Internet, and 86% of them admitted to having no mobile security in place. A careless or security-unaware user can easily put an organization's confidential information at risk.
Lack of mobile user training and awareness is a major contributor to user errors and incidents. An untrained user may not even know the procedures for handling security. In some cases, a mobile user may simply bypass required configuration procedures in order to get a job done.
Employee education and awareness should become part of the corporate culture. A well-trained employee can help an organization greatly reduce mobile security risks. [See also Security Awareness Programs: Now Hear This!] It is critical that all security policies get buy-in from line-of-business leadership, end users and the support team across the organization.
Organizations should put employees in the driver's seat of the security governance effort. They can become one of the most critical layers of defense in any risk mitigation strategy.
Establishing a Baseline Security Configuration
As the use of mobile technologies in business increases, more and more critical business and sensitive personal information is being collected, processed and transmitted over shared wireless networks. Mobile devices need to be configured adequately to protect the device itself and the data on it from unauthorized use, data disclosure and malicious attacks.
During the planning phase of a mobile device deployment, all devices should be required to meet a baseline derived from the corporate security policy. A baseline security configuration may include:
* Password protection at power-on
* File or directory encryption
* VPN for email and internal network access
* On-device firewall
* AV software
* Latest security patches
Enforcing the baseline security configuration on all devices gives an organization a minimum level of defense on each device. As with the hardening of an Internet-facing host, on-device resources, wireless interfaces (e.g. WiFi, Bluetooth, RFID, wireless printing) and application functions should be minimized to the set actually needed, reducing the attack surface exposed to wireless attacks.
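As an added example (not code from the original article or any particular MDM product), the following Python turns the baseline list above into a compliance check that an inventory or MDM job could run over device records. The record fields, the 30-day patch threshold, the set of permitted radios and the enforcement labels ("allow", "remediate", "block") are all assumptions chosen for illustration; the sample fleet is constructed.

```python
"""Evaluate mobile device inventory records against a baseline security configuration.

Added example. The Device fields, thresholds and enforcement labels below are
assumptions for illustration, not any MDM product's schema or policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Callable

# Assumed policy parameters.
MAX_PATCH_AGE_DAYS = 30                   # newest security update may be at most this old
PERMITTED_RADIOS = {"wifi", "cellular"}   # every other radio must be off by default

# Controls whose absence leaves data exposed outright; failing one blocks access.
HARD_CONTROLS = {"power-on password", "storage encryption"}


@dataclass(frozen=True)
class Device:
    device_id: str
    user_group: str             # e.g. "employee" or "contractor" (policy covers both)
    power_on_password: bool
    storage_encrypted: bool
    vpn_configured: bool
    firewall_enabled: bool
    antivirus_installed: bool
    patch_level: date           # date of the newest installed security update
    radios_enabled: frozenset[str]


# Baseline rules: (check name, predicate that returns True when the device complies).
RULES: list[tuple[str, Callable[[Device, date], bool]]] = [
    ("power-on password", lambda d, _: d.power_on_password),
    ("storage encryption", lambda d, _: d.storage_encrypted),
    ("VPN profile", lambda d, _: d.vpn_configured),
    ("on-device firewall", lambda d, _: d.firewall_enabled),
    ("anti-malware software", lambda d, _: d.antivirus_installed),
    ("patch level", lambda d, today: (today - d.patch_level).days <= MAX_PATCH_AGE_DAYS),
    ("minimized radios", lambda d, _: d.radios_enabled <= PERMITTED_RADIOS),
]


def evaluate(device: Device, today: date) -> list[str]:
    """Return the names of the baseline checks the device fails (empty list = compliant)."""
    return [name for name, compliant in RULES if not compliant(device, today)]


def decide(findings: list[str]) -> str:
    """Map findings to an enforcement action (assumed policy):
    no findings -> allow; any hard control missing -> block network access;
    anything else -> allow with mandatory remediation."""
    if not findings:
        return "allow"
    if HARD_CONTROLS & set(findings):
        return "block"
    return "remediate"


def noncompliant_by_group(fleet: list[Device], today: date) -> dict[str, int]:
    """Count non-compliant devices per user group, so the policy review covers
    employees and contractors alike rather than the fleet as one average."""
    counts: dict[str, int] = {}
    for device in fleet:
        if evaluate(device, today):
            counts[device.user_group] = counts.get(device.user_group, 0) + 1
    return counts


# Constructed sample inventory; dates chosen relative to AS_OF.
AS_OF = date(2024, 6, 1)
SAMPLE_FLEET = [
    Device("emp-001", "employee", True, True, True, True, True,
           date(2024, 5, 27), frozenset({"wifi"})),
    Device("ctr-042", "contractor", True, False, True, True, True,
           date(2024, 4, 10), frozenset({"wifi", "bluetooth"})),   # 52 days since patching
    Device("emp-017", "employee", True, True, True, False, True,
           date(2024, 5, 20), frozenset({"wifi", "cellular"})),
]

if __name__ == "__main__":
    for dev in SAMPLE_FLEET:
        findings = evaluate(dev, AS_OF)
        print(f"{dev.device_id:8} {decide(findings):9} {', '.join(findings) or 'compliant'}")
    print("non-compliant by group:", noncompliant_by_group(SAMPLE_FLEET, AS_OF))
```

The rules are a data table rather than a chain of if-statements so that a policy change (a new control, a shorter patch window) is a one-line edit that the review process in the policy section can track. Feeding the check real inventory data is the enforcement step the policy section calls for: the output is what a conditional-access or quarantine decision would consume.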