Protect your mobile device – Part 1

The need to secure newer mobile devices (smartphones, tablets, etc.) has grown since they now meet the basic criteria for malicious, cyberspace-based attack:

  • Developer kits are readily available
  • Mobile devices are in widespread use throughout the world
  • Motivation is increasing since usable/saleable data live on these devices

 

In addition, BYOD (Bring Your Own Device) has introduced related, security-oriented concerns and complexities:

  • How can we accommodate personal equipment in the workplace, particularly when two-thirds of 20-something workers in a recent survey from research firm Vision Critical state that “they, not the company, should be responsible for the security of devices used for work purposes”? [1]
  • How do we manage the large variety of mobile devices, many with differing operating systems, processing capabilities, and user interfaces?
  • How do we structure our security offerings to permit broad access to low-risk functions while restricting high-risk activities on a need-to-have basis?

 

Protecting a smartphone (or tablet) gets easier if you take the perspective of Garin Livingstone, one of our technical staff, who pointed out: “It is just a small computer; all of the same security concerns and rules that apply to PCs also apply to smartphones.”

 

As described in a recent InformationWeek article [2], corporate response from the IT department should consist of these three stages:

  • Set policy for mobile device use
  • Train users
  • Enforce

 

Mobile-device-use policies should protect company data, while enabling employees to do their jobs efficiently.  The policy should protect, but not inhibit, the use of data from a mobile device; this usually requires the protection of the device itself with a strong focus on what data is available and where it will reside.

 

Some policy suggestions:

  • Device:
      o   Deploy an anti-malware utility set to scan automatically
      o   Set continuous updates of operating system and anti-malware utility
      o   Encrypt company data (if stored on the device itself)
      o   Back up data to a secure site (preferably daily)

  • User:
      o   Require passwords and make them complex
      o   Set an auto-lock period of five minutes or less
      o   Set browsers to high-security mode

  • Remote access:
      o   Access data/applications securely via SSL, HTTPS, or VPN technologies
      o   Provide virtualized access to data stored at the corporate site
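
One way to turn the policy suggestions above into an automated compliance check is sketched below. This is an added example, not code from the original article; the record field names are hypothetical and do not follow any real device-management product, the sample inventory is constructed, and "preferably daily" backup is treated as a hard limit.

```python
from datetime import datetime, timedelta
# Field names are hypothetical, not any real MDM product's schema.
MAX_AUTO_LOCK_SECONDS = 5 * 60       # "five minutes or less"
MAX_BACKUP_AGE = timedelta(days=1)   # "preferably daily", treated here as a hard limit
SECURE_TRANSPORTS = {"ssl", "https", "vpn"}

def policy_violations(device, now):
    """Return the policy items a device record fails; missing fields fail closed."""
    found = []
    if not device.get("antimalware_auto_scan"):
        found.append("device: anti-malware not scanning automatically")
    if not (device.get("os_auto_update") and device.get("antimalware_auto_update")):
        found.append("device: continuous updates not enabled")
    # Encryption is required only when company data is stored on the device itself.
    if device.get("stores_company_data", True) and not device.get("company_data_encrypted"):
        found.append("device: company data stored unencrypted")
    last_backup = device.get("last_backup")
    if last_backup is None or now - last_backup > MAX_BACKUP_AGE:
        found.append("device: no backup within the last day")
    if not (device.get("password_required") and device.get("password_complex")):
        found.append("user: complex password not enforced")
    lock = device.get("auto_lock_seconds")
    if not lock or lock < 0 or lock > MAX_AUTO_LOCK_SECONDS:  # None or 0 = never locks
        found.append("user: auto-lock disabled or longer than five minutes")
    if not device.get("browser_high_security"):
        found.append("user: browser not in high-security mode")
    used = device.get("remote_access", [])
    insecure = sorted(t for t in used if t.lower() not in SECURE_TRANSPORTS)
    if insecure:
        found.append("remote access: insecure transport " + ", ".join(insecure))
    return found

NOW = datetime(2012, 7, 1, 9, 0)  # constructed reference time
COMPLIANT = {  # constructed sample record
    "antimalware_auto_scan": True, "os_auto_update": True, "antimalware_auto_update": True,
    "stores_company_data": True, "company_data_encrypted": True, "auto_lock_seconds": 120,
    "last_backup": NOW - timedelta(hours=6), "password_required": True,
    "password_complex": True, "browser_high_security": True, "remote_access": ["VPN", "https"],
}
INVENTORY = {  # constructed sample inventory
    "tablet-01": COMPLIANT,
    "phone-02": {**COMPLIANT, "antimalware_auto_update": False, "auto_lock_seconds": 900,
                 "last_backup": NOW - timedelta(days=3), "remote_access": ["http", "vpn"]},
}

def audit(inventory, now):
    return {name: policy_violations(dev, now) for name, dev in inventory.items()}

if __name__ == "__main__":
    for name, issues in audit(INVENTORY, NOW).items():
        print(name, "COMPLIANT" if not issues else issues)
```

A record with a missing field is reported as non-compliant for that item, so a device that never reports its posture cannot pass by omission.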

In our next article, we will review training and enforcement, highlight some tools, and wrap up with first-step suggestions.

References:

1. Visit Network World at http://www.networkworld.com/news/2012/061912-byod-20somethings-260305.html to review the article “Young employees say BYOD a Right not Privilege” by Ellen Messmer.

2. Please review the May 12, 2012 InformationWorld article “Mobile Security Gaps Abound” by Michael Finneran.