Working remotely and on the go is the norm, and mobile devices are now a critical component of getting work done quickly and efficiently for most businesses. Using mobile phones, tablets or smart watches, there are plenty of ways for employees to access company information from work or personal devices. But this convenience comes with its own unique challenges, not the least of which is the issue of ensuring a strong cybersecurity posture.
Doctors and nurses can now access patient portals through mobile devices, most online banking can be done on a smartphone, and even fast food restaurants and coffee shops are taking online and mobile orders to help customers combat long lines. The convenience of mobile apps and devices means more flexibility and better service in many instances, but it also increases the attack surface for criminals. Personal devices are often not secured with enterprise-grade security, so they are even more susceptible to malicious attacks.
More than ever, businesses are at a higher risk of losing sensitive data as employees take mobile devices to coffee shops, airports, hotels and other places and connect to public Wi-Fi networks -- they unknowingly click on unsafe web links while multi-tasking between work and personal tasks -- and the next thing you know, data-stealing malware is being installed on the device.
Everyone has different habits and levels of security that can leave an organization open to cyber risk. In fact, human error accounts for more than half of security breaches, according to CompTIA’s "Trends in IT Security" study. Mobility isn’t going anywhere, and neither is cybercrime, so it is up to each organization to design a set of guidelines to secure their mobile landscape. The task is daunting, so we’ve compiled a list of best practices to help organizations navigate the complexity of mobile endpoint security.
- Establish clear company policies for mobile. It’s imperative for organizations with a mobile workforce to be upfront and clear about exactly how those devices and applications can and should be used by employees. Whether the mobile endpoints are provided by the organization itself or a BYOD policy is in place, the rules and boundaries should be consistent. Guidelines need to be enforced across all departments and end-users should formally agree to them upfront. Many resources from analysts, to vendors to educational institutions are available to help organizations develop appropriate guidelines, and employees should be given ongoing training and education on those evolving policies.
- Monitor and track all endpoints on your network. This step serves to both ensure employees are following the mobile policies laid out, and that outside or unapproved endpoints aren’t reaching information they aren’t authorized to access. Detecting suspicious behavior is step one, and the monitoring of endpoints is one of the most simple and effective ways to do so. This suspicious behavior can originate from outside the organization, but an internal employee can also be a culprit. Ensure that there is a record of every interaction a device has with your network. Having this historical view and log data helps to identify normal and anomalous behaviors so that any unauthorized endpoints can be addressed immediately.
- Consider partnering to manage mobile security. Especially in the case of many small and mid-sized organizations, security is one of many responsibilities that IT staff tackle on a daily basis. But they often lack the skills and expertise to implement and a comprehensive security strategy. It also is simply not realistic for smaller companies to dedicate the necessary man-hours to perform the monitoring and forensics required for a robust mobile security posture.
There are many products aimed at helping to manage mobile security including mobile device management (MDM) tools. But security is not achieved by implementing a product, and companies need to make sure they are actively securing their company every day. In addition to monitoring endpoints, IT and security professionals also need a plan and methodology to protect lost or stolen devices. Many companies make the mistake of thinking they are safe because they bought the right products. History has proven that no matter how many products you have in place, you can’t just assume your mobile security tools are working and check out -- they must be regularly updated and coupled with industry best practices by staff to achieve your security objectives.
About the author: Brian NeSmith is the Co-Founder and CEO of Arctic Wolf Networks and has over 30 years of experience.