888.437.3646
FREE HIPAA Compliance eBook
FREE HIPAA Compliance eBook

Mobile Device Security

Learn about best practices that will enhance mobile device security and enable businesses to provide their employees with secure access to corporate resources

When choosing which mobile device to use for your business and how, there are many things to consider. Mobile devices provide quick and flexible access to necessary resources performing everyday activities. However, they are also vulnerable to a wide variety of threats putting sensitive data at risk. As much critical information is being stored on these gadgets, it is increasingly important to keep security in mind when using them. Businesses should apply reliable mobile device management tools which can address data security risks. As these tools are different from those required to secure the typical computer workstation, additional security efforts and best practices are needed.

Keep reading to find more about best practices that enable businesses to provide their employees with secure mobile access to enterprise resources.

What is a Mobile Device?

In practice, it is difficult to unambiguously define the term “mobile devices” because their features are constantly changing. Along with the changing features, threats and security controls are constantly modifying as well. Therefore, it is important to establish a baseline of mobile device features aimed at addressing the related cybersecurity threats. NIST SP 800-124 distinguishes the some of following characteristics of mobile devices:

  •  A small form factor;
  •  At least one wireless network interface for network access, commonly Wi-Fi; 
  •  Built-in data storage;
  • Applications are available through multiple methods (provided with the mobile device, accessed through the web browser, acquired and installed from third parties). 

In simple terms, mobile devices that businesses use for maintaining their operations mostly include smartphones, tablets, and laptops. These mobile devices have long been out of know-how and businesses widely use them in their everyday operations. However, it is necessary to constantly check them for meeting the main security objectives. 

What are the Mobile Devices’ Main Security Objectives?

Mobile devices typically need to support multiple security objectives united along with the principles of confidentiality, integrity, and availability. 

  • Confidentiality means ensuring data, whether in transit or stored cannot be read by unauthorized parties;
  • Integrity implies preventing and detecting changes to transmitted and stored data or devices’ configuration;
  • Availability suggests ensuring users can access resources using mobile devices whenever needed.

Achieving these objectives is an uneasy task. Mobile devices need additional protection measures because their nature generally places them at higher exposure to threats than other client devices. This can be accomplished through a combination of security features built into the mobile devices, additional security controls, and other components of the enterprise IT infrastructure. 

The NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise provides general security recommendations to mobile devices. 

Security-focused device management

Carefully assess the supply chain risks when selecting devices for enterprise needs. Employ Mobile Device Management (MDM) to enforce and monitor secure configuration settings. MDM tools should be configured to enforce storage encryption, strong passwords, inactivity time-out, and other security settings. These measures help protect privacy, enhance security, and fix flaws that leave devices vulnerable to malicious attacks. Require all your enterprise devices to be trusted, which means appropriately configuring them to the organization’s standards, continuously monitoring, and updating to the latest patch level. If any of these conditions are ignored, the device is considered “untrusted” and should not have access to enterprise resources.

Strong Authentication Requirements 

Ensure your enterprise devices have strong login passwords and PINs. Enable using biometric authentication for maximum protection. Enable multi-factor authentication for access to enterprise networks to pair a password or PIN with another form of authentication, such as SMS message, rotating passcode, or a biometric input.

Protect Network Communications 

Remember that every network connection to a mobile device is a potential point of entry that adversaries can exploit to exfiltrate data or gain control over the device. To avoid this, disable Wi-Fi, NFC, and Bluetooth when the device is not in use. It is necessary to remember that disabling GPS services protects the user’s location privacy. User certificates should be considered untrusted because malicious actors can use malware hidden in them to facilitate attacks on devices, such as intercepting communications. Use secure communication apps and protocols. Many network-based attacks allow the attacker to intercept and/or modify data in transit—resulting in leaks of sensitive data, theft of credentials, tracking of a user’s location and activities, and more. Configure the MDM to use VPNs between the device and the enterprise network.

Protect the Mobile Device 

Use MDM systems to protect your enterprise’s devices from malicious software that can compromise apps and operating systems and extract sensitive data. Ensure the deviсes are charged with trusted chargers and cables and avoid using malicious chargers, enabling attackers to take control of the device. Configure your device’s settings to wipe the data automatically after a certain number of incorrect login attempts.

Practice Good App Security 

Use only reliable app stores and disable third-party app stores – they are common vectors for the spread of malware. Prevent malicious actors from stealing sensitive data by minimizing the use of sensitive data in apps. Ensure all sensitive permissions (such as camera location) are disabled by default. 

Plan for lost or stolen devices

In addition to the abovementioned, security experts recommend businesses automatically wipe the device of its internal storage information in the event of it being lost or stolen. This measure prevents data from being accessed and misused. MDM tools mentioned earlier in the article provide these capabilities. There are special management systems and software that provide enterprise-managed devices with this capacity.

Educate Personnel 

Mobile device security should amplify all necessary cyber-security policies. To spread these practices, educate your personnel. Explain exactly how devices are deployed, and what are the allowed configurations and applications. Also, raise awareness of reacting to suspicious emails, SMishing (SMS-phishing), social media usage. 

Mobile device security is a very important portion of the whole business infrastructure security. To protect the devices and keep data stored on them safely, business owners must put into place the abovementioned security practices. Taking the appropriate steps to mitigate risks and prevent losses allows vendors, contractors, and employees to take advantage of mobile devices in the workplace. Remember, failure may lead to legal liabilities, penalties, and/or the loss of your business.

For more detailed information about mobile security consult the Planet 9 team. We’ll be happy to assist:

 

Website: https://planet9security.com

Email:  info@planet9security.com

Phone:  888-437-3646

 

Leave a Reply