A Simple Approach to Mobile Security for Companies
“Mobile security is a Grinch.” Whenever I talk to an information security officer or compliance officer around the holidays, I usually find them in a place that is neither merry nor bright. Christmas is far from the most wonderful time of the year in the information security community. There are budgets being worked on, end-of-the-year projects that need tidying up, and everyone knows what is coming on Jan. 2. On top of all this stress and mayhem, the “Hey, my kids got me an iPad for the holidays, how do I work on it?” emails come flooding into every information security employee’s mailbox. This torrent of mobile devices arriving on secure business networks now trumps long lines at the mall and obnoxious relatives as the biggest holiday pain of the year.
Mobile Device Management (MDM) needs to be discussed across various verticals inside the business. A mobile policy means different things for sales than it does for marketing or human resources. When discussing a potential policy, it is important to understand each vertical’s needs and concerns.
I’m not out to write a cure-all prescription for mobile security ailments. Each organization has different goals, objectives and company cultures that must be understood. An effective approach, especially to mobile security, needs a foundation before any process is built out. A team has to talk about, think about, write about and work out a game plan before any software is installed or hardware is racked.
What I am going to do here is break down the nonnegotiable aspects of mobile security in its most simple, elementary form. I want to talk about it now, in September, because nearly four months might be enough time to head off the deluge of iPhones and Androids that are inevitably coming. Hopefully, I can provide enough fuel to fire up internal discussions that help organizations come up with a process for this issue.
Mobile Security and Device Management
A mobile device is a device such as a laptop, tablet or phone that can be easily transported. Mobile devices are actually a good thing because they can increase productivity and deliver an immediate return on investment for an organization. The ability to work outside the borders of your office space and to reduce power costs can save organizations money, not to mention the direct and indirect benefits of closely connecting with technology.
There are two types of mobile devices that can come into play in an organization: corporate (company-owned) devices and personally owned devices. Corporate-owned devices are mobile devices that a company loans to an employee for productivity purposes. More often than not, the company sets policies and procedures to protect such a device (since it is often an expensive asset) and to ensure it is being used for business purposes. Personally owned devices are generally mobile devices purchased by an employee for enjoyment, such as social media or Web browsing. Being able to check Facebook and work email on the same device is a great asset in today’s world of “I want everything now.”
At its core, using personal devices for corporate information is not a bad idea. A company could spend up to $1,000 on a corporate device, along with maintenance, software, etc. If I bring my iPad or laptop to work, I am spending that $1,000 myself, and all I need is access to my work assets.
The debate here is that when an organization wants to utilize controls on a personal device, its owner usually goes ballistic, claiming the company should have no control over his or her device. The fact of the matter is that yes, it is your device, but you are utilizing company data — which is property — on that device. For example, if I go camping on a campsite, I bring my own vehicle and equipment onto the site. Yes, it is my vehicle and my equipment, but because I am accessing assets that aren’t mine, I have to abide by the rules of the campsite and use my personal assets under those guidelines.
How to Craft a Mobile Policy
Now that we’ve covered some of the basics, I want to get into some of the ways to go about structuring internal discussions on building a policy around mobile security. Start by identifying what you are looking to control. It really comes down to data control in a bring-your-own-device (BYOD) scenario. I’m sure administrators don’t really care about social media apps or family pictures; what they really care about is the company data (read: property) that can reside on those devices.
Do your employees, starting with the chief executive officer, understand the value of corporate data and why losing it can be so damaging? If you think about it, data has been mobile for centuries. Remember those nifty attaché cases people used to carry to and from work? I guarantee those cases contained some pretty interesting information, and if one were stolen or lost, it could leave the company in a jam. This is the same thing, only with a different “case.”
This is why it is important to encrypt, encrypt, encrypt. Have your employees understand the value of encryption. Doing so can be the difference between “I lost my laptop” and “I lost my laptop, and we are now liable for millions of dollars in damages.”
Pass codes are also necessary. Why this is a hot-button debate in corporate settings is beyond me. Listen to this logic: I have a locker at the gym with a combination lock on it to protect my wallet, phone and keys while I am away. The data on these devices is just as valuable to a company, and even to an employee, as what is in that locker. I have yet to encounter a compelling argument against password protection.
Lastly, talk to your peers. The problem with the mobile security and cybersecurity landscape as a whole is that people isolate themselves. Form user groups and look for organizations that you can join that will give you a forum to discuss this issue. Trust me, you are not alone.
Standing idly by and keeping your head in the sand is not the way to address this matter.