The need to secure newer mobile devices (smartphones, tablets, etc.) has grown since they now meet the basic criteria for malicious, cyberspace-based attack:
- Developer kits are readily available
- Mobile devices are in widespread use throughout the world
- Motivation is increasing since usable/saleable data live on these devices
In addition, BYOD (Bring Your Own Device) has introduced related, security-oriented concerns and complexities:
- How can we accommodate personal equipment in the workplace, particularly when two-thirds of 20-something workers in a recent survey from research firm Vision Critical state that “they, not the company, should be responsible for the security of devices used for work purposes”?1
- How do we manage the large variety of mobile devices, many with differing operating systems, processing capabilities, and user interfaces?
- How do we structure our security offerings to permit broad access to low-risk functions while restricting high-risk activities on a need-to-have basis?
Protecting a smartphone (or tablet) gets easier if you take the perspective of Garin Livingstone, one of our technical staff, who pointed out: “It is just a small computer; all of the same security concerns and rules that apply to PCs also apply to smartphones.”
As described in a recent InformationWeek article2, corporate response from the IT department should consist of these three stages:
- Set policy for mobile device use
- Train users
Mobile-device-use policies should protect company data, while enabling employees to do their jobs efficiently. The policy should protect, but not inhibit, the use of data from a mobile device; this usually requires the protection of the device itself with a strong focus on what data is available and where it will reside.
Some policy suggestions:
o Deploy an anti-malware utility set to scan automatically
o Set continuous updates of operating system and anti-malware utility
o Encrypt company data (if stored on the device itself)
o Backup data to a secure site (preferably daily)
o Require passwords and make them complex
o Set an auto-lock period of five minutes or less
o Set browsers to high-security mode
- Remote access:
o Access data/applications securely via SSL, HTTPS, or VPN technologies
o Provide virtualized access to data stored at the corporate site
In our next article, we will review training and enforcement, highlight some tools, and wrap-up with first-step suggestions.
1. Visit Network World athttp://www.networkworld.com/news/2012/061912-byod-20somethings-260305.htmlto review the article “Young employees say BYOD a Right not Privilege” by Ellen Messmer.
2. Please review the May 12, 2012 InformationWorld article “Mobile Security Gaps Abound” by Michael Finneran.