Here's what to include in your security policy for mobile devices
Smartphones and tablets are great tools for productivity in the workforce. However, they can cause security concerns, especially in these days of WFH and BYOD. How can you give your employees the flexibility to work from anywhere with their own devices while protecting your organization against hackers and cybercrime?
Create a Mobile Device Security Policy
Include these 7 areas in your policy and you’ll have a strong foundation.
- Set up a secure login. Ensure that phones and tablets require a login to access them, whether it’s a swipe pattern, PIN or biometric credentials.
- Use the latest versions of software and firmware. The latest versions will have patches and fixes for known bugs and security loopholes. Using outdated versions gives hackers a backdoor to your network.
- Immediately report lost or stolen devices. Have a strategy in place for wiping the data from the phone. Apple phones can be erased through Find My iPhone. Android phones can be erased through android.com/find.
- Encrypt your devices. Simple, but effective.
- Require VPN use when accessing from networks outside of the company. Whether from public WiFi in coffee shops, airports, hotels or from an employee’s home network, require that they use a VPN to gain access to their work data. Not only will it encrypt their data, protecting it from snoopers and hackers using the same WiFi, but you can also provide them full access to email, network folders, even printers, with the right VPN setup.
- Don’t allow rooted or jailbroken devices. If employees choose to do this to their personal device, let them know that they cannot use it for work purposes as well. Rooting or jailbreaking grants unauthorized access and elevated privileges within the device's operating system, which removes security features built in by the manufacturer. According to OWASP (Open Web Application Security Project), doing so can “allow malware to bypass many of the device’s built in security features… Mobile devices now hold more personal and corporate data than ever before, and have become a very appealing target for attackers.”
- Use Mobile Device Management (MDM) software to get a complete picture. Keeping track of all of the permitted mobile devices can be done within the framework of good MDM software. It provides administrators with tools to track what the devices are accessing, manage updates, locate lost devices and perform a remote wipe.
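The seven areas above can be checked mechanically once devices report into an inventory. The following is an added example, not part of the original article: it evaluates device records against the policy and denies access on any failure. The field names, minimum OS versions and sample devices are assumptions and do not mirror any MDM product's export format.

```python
# Added example: evaluate device records against the seven policy areas.
# Field names, MIN_OS baselines and the inventory below are constructed
# assumptions, not the export format of any real MDM product.
MIN_OS = {"ios": (17, 0, 0), "android": (14, 0, 0)}

def parse_version(text):
    """Turn '17.4' into (17, 4, 0) so '14' and '14.0' compare as equal."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def policy_violations(device, on_corporate_network=False):
    """Return the policy areas this device record fails (empty list = allow)."""
    if not device.get("mdm_enrolled"):
        # Without MDM visibility none of the other attributes can be trusted.
        return ["not enrolled in MDM"]
    failures = []
    if device.get("reported_lost"):
        failures.append("reported lost or stolen: block and remote wipe")
    if not device.get("screen_lock"):
        failures.append("no PIN, pattern or biometric login")
    minimum = MIN_OS.get(device.get("platform"))
    if minimum is None or parse_version(device.get("os_version", "0")) < minimum:
        failures.append("OS below required version")
    if not device.get("encrypted"):
        failures.append("storage not encrypted")
    if device.get("rooted"):
        failures.append("rooted or jailbroken")
    if not on_corporate_network and not device.get("vpn_active"):
        failures.append("off-network without VPN")
    return failures

# Constructed sample inventory: one compliant baseline plus three variations.
OK = {"platform": "ios", "os_version": "17.4.1", "mdm_enrolled": True,
      "screen_lock": True, "encrypted": True, "rooted": False,
      "vpn_active": True, "reported_lost": False}
INVENTORY = [
    {**OK, "id": "phone-01"},
    {**OK, "id": "phone-02", "platform": "android", "os_version": "14", "rooted": True},
    {**OK, "id": "tablet-03", "platform": "android", "os_version": "12.1",
     "screen_lock": False, "vpn_active": False},
    {**OK, "id": "phone-04", "mdm_enrolled": False},
]

def access_report(inventory):
    """Map each device id to its list of policy failures."""
    return {d["id"]: policy_violations(d) for d in inventory}

if __name__ == "__main__":
    for device_id, failures in access_report(INVENTORY).items():
        print(device_id, "ALLOW" if not failures else "DENY: " + "; ".join(failures))
```
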
You can allow BYOD within your organization, but only by using a well-structured policy. Dr Engin Kirda, with malware protection provider Lastline, told ZDNet, “Devices should not be able to directly access sensitive resources, and access should only be allowed to some organizational resources through VPNs.”