Enterprise Mobile Security Best Practices—A View from the Trenches

 

In February, CIO magazine published “7 Enterprise Mobile Security Best Practices,” which offered some tips for how to safeguard a mobile environment without taxing your workforce or, presumably, your IT department. In the interest of building on a strong foundation, here are some additional thoughts in response:

  1. Mobile devices need antimalware software. The article asserts that those who want to access the Internet through a mobile device should install antimalware software. That’s certainly true for Android users, but I haven’t seen many antimalware solutions for iOS devices to date. Because there hasn’t been an iOS breach (or at least the public hasn’t been notified about one), there’s been no need for Apple or its third-party app providers to develop an antimalware solution for iOS. Keeping an eye out for updates in this realm makes sense though, since it’s true that discretion is the better part of valor regarding all things mobile.
  2. Secure mobile communications. The article mentions that mobile device communications should be encrypted and require VPN use. I absolutely agree. However, you shouldn’t rely on your devices when it comes to ensuring secure communications. Start with the apps—make sure your apps are securely communicating with your backend systems. If you’re depending on the device, you’re starting in the wrong place.
  3. Require strong authentication, use password controls. This point dovetails nicely with the previous statement. The article focuses on authentication and password controls for devices, but it neglects the fact that the apps should be the real control points for security.
  4. Control third-party software. This is certainly an important area. Going a few steps further, organizations can take advantage of containerization to help protect enterprise data from potential security breaches that might come from third-party software. You also can create a white list of apps you allow and a black list of apps you don’t, with compliance roles to enforce those lists on your devices.
  5. Create separate, secured mobile gateways. The idea here is to make sure that mobile traffic stays focused on legitimate work. I highly recommend creating these gateways after you get a good handle on the apps and data that the members of your user community truly need to do their jobs.
  6. Choose (or require) secure mobile devices, help users lock them down. The article states that companies should restrict Bluetooth access and use of unsecured wireless networks. This is a tricky subject because most organizations are trying to enable users, not disable them. Turning off access to Wi-Fi and Bluetooth defeats the purpose of placing mobile devices in employees’ hands because it limits productivity. I believe that such restrictions are overkill. If you are part of a high-level security environment (think FBI, Department of Defense, and the like), creating such blockades makes sense. Otherwise, the employee productivity and user satisfaction you gain are worth avoiding that level of device lockdown.
  7. Perform regular mobile security audits, penetration testing. If you’re not doing penetration testing on an annual basis, start immediately. If it’s the sort of task that always seems to fall to the back burner, engage a managed mobility services (MMS) provider who can help you through this process. MMS providers can perform mobility health checks, analyze your existing mobility efforts, and point out strengths and weaknesses to help identify areas where you need to focus your future mobile security efforts.