In today's ever-evolving world of new gadgets, devices and connected technologies, it is becoming increasingly difficult to keep a cap on the new risks that arise on a daily basis, writes Clint Merritt, CISSP, senior information security analyst for a global technology company.
Overall, when it comes to mobile security, users are typically defensive because they don’t want you to take away the convenience of their mobile device and its capabilities. Users of mobile devices become dependent upon their devices and are very skeptical when Big Brother wants to manage and control them.
From the business' point of view, these devices are seen to facilitate the innovation and connectivity to get ahead and stay ahead in the market. The easier it is for your employees to search and find information, the more efficient they can be and the greater their productivity. However, the liabilities, risks and exposures that come from having your company data accessible from or on these devices must be considered.
Managing mobile security risks
Fortunately, the risks are in their infancy, offering a window of opportunity to prepare and put controls in place to mitigate hackers and malware before they are in the headlines. It must be accepted, however, that the risks will grow, in the same way security vulnerabilities grew in the PC world.
That said, recommending an approach is kind of like asking you to jump on a speeding train travelling at 70mph and then get to the control room. There are many approaches to managing mobile devices, including “bring your own device”, “company issued and managed”, or “personally owned and managed”. Your company’s culture, upper management and IT will determine which approach will be successful.
Security Think Tank: Challenges and opportunities of smartphone security policy
The key is having an approach backed by a mobile device management system (MDMS) that allows you to build policy that suits your organisation's needs. This will be the foundation that gives the mobile device administrator(s) the controls to quickly adapt to risks and requirements that evolve over time.
Building a mobile security policy
In setting policy, start with the objective of earning users' trust, including those in upper management, who will undermine your efforts, not to mention the security of the company, if allowed to flout policy. Build policy with a view to ensuring usability is not severely compromised, and let users know what is acceptable and what is not and why. Discuss and develop the policy with them, and then drive awareness. The foundations will also be set by creating an inventory of users and devices that your company and employees agree to. From here you can select and implement an MDMS that suits your needs.
The key to mobile management will be to keep it flexible enough to keep the morale of your user base at a level that builds trust. The basics of a documented mobile device policy, an asset inventory, and stated minimum requirements, such as a device lock-out password or pattern, are the low-hanging fruit that can establish the philosophy of having a controlled approach. As problems become apparent, the MDMS tool is there to quickly respond to the risk. In this case, you will be the hero protecting your users from harm – as opposed to harming your users to protect them.