The Top 8 Mobile Security Risks: How to Protect Your Organization
As enterprises mobilize business processes, more and more sensitive data passes through and resides on mobile devices. While almost every CIO knows how important mobile security is, getting a grip on it can be tough. There’s a lot to consider, and new factors enter the equation all the time.
In the questions that follow, you’ll find an overview of the key issues you need to be on top of right now to protect your organization, its employees and its customers. If you answer no to many of these questions, you may have some significant gaps in your approach to mobile security. The good news is that you’re not alone – and there are solutions available to address each of these challenges.
1. Do you stay in control when devices go missing?
- Are your procedures for lost/stolen devices clearly defined, well understood by your entire staff and adhered to?
- Is IT able to perform a remote wipe, and confirm that the data is permanently deleted? (A wipe command only reaches a device that is powered on and connected, so device encryption with a strong passcode is the backstop for the cases where it never arrives.)
- Do you impose password protection on every device, regardless of who owns it (Bring Your Own Device; Corporate Owned, Personally Enabled; etc.)?
- Do you insist that devices automatically lock after a brief period of inactivity?
- Are the devices in your network (again, regardless of the ownership model) discoverable via location-based tracking?
- Do you have backup and restore capabilities that allow you to provision a new device quickly and easily?
- Can mobile workers easily and safely initiate some remote security tasks themselves through a user self-service tool (e.g. locking a misplaced device remotely)?
2. Do your users understand and follow your policies?
- Do you provide training and documentation for new employees that explains how they should approach mobile computing?
- Is that training reinforced regularly and in different ways?
- Do they truly understand what’s expected and why it matters?
- Do you account for different learning styles (some users will respond better to video; others to a checklist, etc.)?
- Do you ask users to sign your policy document and are they aware of the penalties of not complying?
3. How do you keep rogue apps and malware at bay?
- Do all devices accessing your network have appropriate anti-virus/anti-malware capabilities installed or built-in?
- Do you keep an up-to-date whitelist of third-party apps?
- Can you run a quick check at any time to make sure that all the apps in use are authorized?
- Are BYOD users required to keep devices current with OS upgrades, software and app updates, and (if not built-in) anti-virus protection?
- Do you have a corporate app storefront?
- Do you have a mechanism in place to manage apps throughout their lifecycle (deployment, updates, retirement)?
- Are you able to automatically detect when jailbroken or rooted devices try to access your network, and can you trigger the next steps automatically (e.g. block access, alert IT, notify the user)?
- Can employees find out which apps are approved, recommended or mandatory for their role?
- Are users prompted to enter their device password before installing apps?
- Are your anti-virus measures for non-mobile devices up to date and adequate? (Malware can reach a mobile device when a user connects it by USB to an infected desktop computer; current desktop anti-virus software reduces, but does not eliminate, that risk.)
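The checks in this section (an app whitelist, a quick "are all apps in use authorized?" check, OS currency, and automatic next steps for rooted or jailbroken devices) can be expressed as a small policy evaluation run over the inventory an MDM agent reports. The following Python is an added example and is not code from this page or from DNV GL; the device records, the `com.example.*` and `com.shady.flashlight` app identifiers, the minimum OS versions and the action names are all constructed for illustration.

```python
"""Evaluate MDM-style device inventory records against an app whitelist and a
root/jailbreak flag, and decide the automatic next step for each device.
Added example; inventory, whitelist and policy thresholds are constructed."""
from dataclasses import dataclass

# Constructed whitelist of approved app identifiers (hypothetical names).
APPROVED_APPS = {
    "com.example.mail",
    "com.example.files",
    "com.example.authenticator",
    "com.example.vpn",
}
# Apps every managed device must have installed (hypothetical).
MANDATORY_APPS = {"com.example.authenticator"}
# Oldest OS release still acceptable, per platform (constructed policy values).
MIN_OS = {"ios": (16, 0), "android": (13, 0)}


@dataclass(frozen=True)
class DeviceReport:
    device_id: str
    platform: str            # "ios" or "android"
    os_version: str          # e.g. "16.4.1"
    rooted: bool             # jailbreak/root detection result reported by the agent
    installed_apps: frozenset


def parse_version(text: str) -> tuple:
    """Turn '16.4.1' into (16, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(report: DeviceReport) -> dict:
    """Return the findings for one device and the action the MDM should take."""
    findings = []
    if report.rooted:
        findings.append("rooted_or_jailbroken")
    unauthorized = sorted(report.installed_apps - APPROVED_APPS)
    if unauthorized:
        findings.append("unauthorized_apps:" + ",".join(unauthorized))
    missing = sorted(MANDATORY_APPS - report.installed_apps)
    if missing:
        findings.append("missing_mandatory_apps:" + ",".join(missing))
    if parse_version(report.os_version) < MIN_OS[report.platform]:
        findings.append("os_out_of_date")

    # Most severe condition wins. A rooted device cannot be trusted to report
    # anything else honestly, so it is cut off rather than merely warned.
    if report.rooted:
        action = "quarantine"                # revoke network/VPN access, alert IT
    elif unauthorized or missing:
        action = "block_until_remediated"    # user self-service: remove/install apps
    elif "os_out_of_date" in findings:
        action = "warn"                      # grace period, then escalate
    else:
        action = "allow"
    return {"device_id": report.device_id, "findings": findings, "action": action}


def evaluate_fleet(reports):
    """Run the policy over a whole inventory snapshot."""
    return [evaluate(r) for r in reports]


# Constructed inventory snapshot, as an MDM agent might report it.
SAMPLE_FLEET = [
    DeviceReport("ios-0001", "ios", "17.2", False,
                 frozenset({"com.example.mail", "com.example.authenticator"})),
    DeviceReport("and-0002", "android", "14.0", False,
                 frozenset({"com.example.mail", "com.example.authenticator",
                            "com.shady.flashlight"})),
    DeviceReport("and-0003", "android", "12.1", True,
                 frozenset({"com.example.mail"})),
]

if __name__ == "__main__":
    for result in evaluate_fleet(SAMPLE_FLEET):
        print(result)
```

The ordering of the actions is the point: root detection outranks everything else because a rooted device can lie about its app list and OS version, so the whitelist result from such a device is not evidence of anything.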
4. How do you keep work and personal content/data separate?
- Can you enable and control a separate work space or container on the devices you manage, across multiple operating systems?
- Do you have a mechanism to prevent data leakage across devices (e.g. making it difficult for users to send corporate data through insecure channels such as social media or personal e-mail)?
- Can you enable content/file sharing securely?
- Can mobile users securely view, edit, and share files, and save them securely for offline use?
5. Can you ensure data is secure, at rest and in transit?
- Can you enforce encryption, for data that’s resting on devices and for data in transit, to the standard your policies demand?
- Are users prevented from disabling encryption manually?
- Can app data move securely along its path without a third-party VPN?
- Do you have confidence that your systems can protect your customers’ data regardless of how closely employees follow your policies?
6. How do you control authentication?
- Do you authenticate devices and users with more than a single factor (e.g. a password plus a one-time code or a device certificate)?
- Do your systems produce an alarm when an unauthorized device accesses the network? Can you control what happens next?
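As an added illustration of what "beyond single-factor" means in practice (this is example code, not code from this page or from DNV GL), the following Python verifies a time-based one-time password of the kind an authenticator app generates (TOTP, RFC 6238, built on HOTP, RFC 4226). The shared secret is the RFC 6238 test secret, the login timestamps are constructed, and the `TotpVerifier` class and its replay-protection rule are this example's own design.

```python
"""Verify a TOTP (RFC 6238) second factor with clock-drift tolerance and replay
protection. Added example, not the page's own code; the secret is the RFC 6238
test secret and the timestamps below are constructed."""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30     # time-step size used by the authenticator app
DIGITS = 6            # code length shown to the user
DRIFT_STEPS = 1       # accept one step of clock skew either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Checks submitted codes against the shared secret and refuses replays:
    once a time step has been used successfully it cannot be used again, even
    though the same code would otherwise remain valid for the drift window."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift: int = DRIFT_STEPS):
        self.secret = secret
        self.step = step
        self.drift = drift
        self.last_accepted_counter = -1

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        counter = unix_time // self.step
        for candidate in range(counter - self.drift, counter + self.drift + 1):
            if candidate <= self.last_accepted_counter:
                continue                       # already consumed: a replayed code
            expected = hotp(self.secret, candidate)
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = candidate
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(TEST_SECRET)
    print(totp(TEST_SECRET, 59))           # 287082 (RFC 6238 vector, 6-digit form)
    print(verifier.verify("287082", 59))   # True
    print(verifier.verify("287082", 75))   # False: same time step, replayed
```

The second factor is only as good as the secret's storage on both ends: on the server it belongs in the same class of protection as password hashes, and on the phone it belongs in the platform keystore rather than in an app's ordinary files.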
7. Can you monitor your mobile ecosystem in real-time?
- Are you able to get a quick snapshot of your complete mobility landscape, through a unified dashboard?
- Can you easily create and export reports for auditing/compliance/logging?
- Can you configure your systems to raise alerts and take automatic actions (e.g. revoke access, wipe a container) when policy violations or suspected breaches are detected?
8. Can you apply appropriate security policies to the various user profiles in your organization?
- Are you able to provide the highest security for those users who require it?
- Are you able to meet all the compliance requirements of your industry?
How to protect your organization
If you’re looking for answers to any of the challenges in this checklist, DNV GL’s Digital Solutions – Cyber Security Team is here to help. We can help your organization develop a plan that is easy to implement and easy for your employees to live with. If you would like to speak with a member of our global cyber security team, please e-mail us at firstname.lastname@example.org or call Craig Reeds at 480-524-4840.