Mobile Device Security in the Workplace

Published on: 01 Apr, 2019
Mobile devices are all but essential in today’s world. However, bringing mobile devices into the workplace can quickly cause headaches for employers. Staff might waste precious time on their mobile devices, potentially resulting in lost income for the company. Employers may also face security concerns from staff who attempt to connect their mobile devices to company devices or networked systems.

On the other hand, absolutely disallowing mobile devices can quickly result in disgruntled employees and disruption of business functions that rely on the increased availability afforded by mobile devices.

Security Loopholes and Possible Safeguards
Because of the myriad security threats posed by mobile devices, the best safeguard for organizations is to develop some sort of standard operating procedure (SOP).[1] Such procedures can include a mobile device management solution or a mobile device hardening policy, if deemed necessary. In any case, an effective SOP should consider the following security loopholes and possible safeguards.  

Physical compromise
The portability of mobile devices makes it difficult to maintain strict physical control. Mobile devices can be lost or fall into the hands of malicious parties. This is especially troubling when an employee has used the device to handle sensitive work-related information.

To protect against physical compromise, mobile devices should require two-factor authentication, and any office data transmitted to the device must be encrypted. A more robust safeguard is a mechanism that wipes the device’s data after repeated failed authentication attempts.

Untrusted hosts
Mobile devices, especially personal or jailbroken devices, can host insecure and untrusted applications. A bring-your-own-device (BYOD) policy becomes a problem when an organization treats BYODs like any other computing device in the enterprise without realizing that they are not hardened like managed hosts.

Either BYODs should be prohibited, or all mobile devices used by staff should be hardened before use. Another way to protect enterprise resources is to run enterprise applications in an isolated, or “sandboxed”, mode.

Online/network access
Sensitive information is put at risk when mobile devices connect to untrusted networks over Wi-Fi or cellular links. Organizations can protect this information by encrypting stored data, requiring VPNs or another authentication mechanism for network access, and disabling unnecessary interfaces on the device.

Insecure or malicious mobile apps
Another vulnerability is the large number of cheap or free mobile apps that are actually malicious or harmful. Such apps can lead to the compromise of sensitive information.

Only approved apps should be installed on mobile devices; all other apps should either be prohibited or controlled through some central mobile device or app management solution.

Tethering connections and data exchange
Mobile devices are sometimes connected to other systems for data exchange, tethering an internet connection, backups, syncing, or other networked functions. If the mobile device is infected with malware, connecting it to an organization’s systems can put the organization’s data at risk.

To avoid risking organizational data, connections between mobile devices and the organization’s systems should be prohibited, either by instruction or by blocking data-exchange applications, while the mobile device is being hardened for first use. Alternatively, the organization can insist that mobile devices connected to its network be controlled through a mobile device management solution.

Location services
Location services are commonly used by mobile applications. However, for some organizations (such as governments or the military) the locations of certain staff or sites must be kept confidential.

To ensure the necessary confidentiality, disable location services while hardening the mobile device.

Summary of loopholes and safeguards
Threat | Suggested safeguards
Mobile device falls into the hands of a malicious party
  • Robust authentication
  • Encryption of sensitive data
Untrusted mobile device
  • Prohibit personal devices
  • Secure devices before use
  • Run applications in a sandbox
Untrusted network
  • VPNs and mutual authentication
  • Prohibit insecure Wi-Fi
  • Disable the device’s unnecessary interfaces
Untrusted applications
  • Allow approved applications only
  • Run applications in a sandbox
  • Restrict browser access
  • Use HTTP proxy servers
Interaction with other systems for data exchange and storage
  • Prohibit connection to other systems
  • Block such services
Untrusted content
  • Educate users and discourage risky use
  • Use HTTP proxy servers
  • Restrict device peripherals
Location services
  • Disable location services
  • Prohibit for specific applications

Creating a Standard Operating Procedure for Mobile Device Use

Decide whether to prohibit or restrict
Outright prohibition of mobile devices in the workplace has become less of an option as the devices have become more widespread. Some very sensitive organizations may still use prohibition policies.

For the organizations that can afford it, providing official mobile devices to employees is a valid option. These devices can be hardened prior to use, and the organizations can then disallow BYODs.

Other organizations may consider a hybrid model, prohibiting mobile devices within very sensitive areas, but otherwise allowing mobile device use, including BYODs.

Deciding whether to prohibit or restrict mobile devices is based on the unique needs of each organization.

Ensure security through training and awareness
After deciding whether to prohibit or restrict mobile devices, an organization should develop an SOP based on its security needs. Such an SOP would mostly consist of rules designed and enforced by the information security department, with the consent and support of top management.

Employees must also be made aware of the threats that mobile devices pose to the organization’s security. Conducting exercises and audits is one of the best ways to test staff awareness. Security-conscious employees can sometimes be more beneficial than any automated solution, but a single careless, untrained staff member can easily jeopardize an entire security setup.

Deploy a centralized Mobile Device Management (MDM) solution
A centralized MDM solution ensures that all mobile devices operating on an organization’s network are used in accordance with the organization’s policies. The solution can be either commercial off-the-shelf software with minor customizations or entirely custom-built for the needs of a particular organization.

Because an effective centralized MDM must meet the organization’s specific needs, the solution should be acquired only after the necessary planning and preparation. For example, BYODs must be hardened before they are allowed access to the organization’s network, just like officially issued devices.
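As an added illustration (not code from the article, and not any particular MDM product's implementation), the safeguards from the summary table can be written down as a policy-as-code check that an MDM or a network access gate evaluates against each device's posture report before the device is allowed onto the organization's network. The posture fields, the policy thresholds, and the three-device inventory below are all constructed for this example; a real MDM would supply the posture data from its enrolled agents.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List


@dataclass
class DevicePosture:
    """Posture report for one device, as an MDM agent might submit it (constructed fields)."""
    device_id: str
    corporate_owned: bool            # False means BYOD
    enrolled: bool                   # under MDM control
    jailbroken: bool
    passcode_min_length: int         # 0 means no passcode set
    second_factor: bool              # two-factor unlock enforced
    storage_encrypted: bool
    wipe_after_failed_attempts: int  # 0 means auto-wipe disabled
    vpn_enforced: bool
    location_services: bool
    installed_apps: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Policy:
    """The SOP rules from the summary table, expressed as thresholds (constructed)."""
    allow_byod: bool
    min_passcode_length: int
    max_failed_attempts: int          # device must wipe at or before this count
    approved_apps: FrozenSet[str]
    location_services_allowed: bool


def evaluate(device: DevicePosture, policy: Policy) -> List[str]:
    """Return the list of policy violations for a device; an empty list means compliant."""
    findings: List[str] = []

    # Untrusted device: personal device where BYOD is prohibited, not hardened/enrolled, or jailbroken
    if not device.corporate_owned and not policy.allow_byod:
        findings.append("personal device not permitted")
    if not device.enrolled:
        findings.append("device not enrolled in MDM")
    if device.jailbroken:
        findings.append("device is jailbroken")

    # Physical compromise: robust authentication, encryption of stored data, auto-wipe
    if device.passcode_min_length < policy.min_passcode_length:
        findings.append(f"passcode shorter than {policy.min_passcode_length}")
    if not device.second_factor:
        findings.append("second authentication factor not enforced")
    if not device.storage_encrypted:
        findings.append("storage not encrypted")
    if (device.wipe_after_failed_attempts == 0
            or device.wipe_after_failed_attempts > policy.max_failed_attempts):
        findings.append(f"auto-wipe not set within {policy.max_failed_attempts} failed attempts")

    # Untrusted network: corporate traffic must go through the VPN
    if not device.vpn_enforced:
        findings.append("VPN not enforced for corporate traffic")

    # Untrusted applications: only apps on the approved list may be installed
    unapproved = sorted(set(device.installed_apps) - policy.approved_apps)
    if unapproved:
        findings.append("unapproved apps installed: " + ", ".join(unapproved))

    # Location services: disabled during hardening unless the policy allows them
    if device.location_services and not policy.location_services_allowed:
        findings.append("location services enabled")

    return findings


def network_access_allowed(device: DevicePosture, policy: Policy) -> bool:
    """Gate decision: a device reaches the network only with zero findings."""
    return not evaluate(device, policy)


def report(inventory: List[DevicePosture], policy: Policy) -> dict:
    """Map each device id to its findings, for an audit listing."""
    return {d.device_id: evaluate(d, policy) for d in inventory}


# Constructed policy: corporate devices only, 6+ digit passcode, wipe within 10 failures,
# three approved apps, location services off.
POLICY = Policy(allow_byod=False, min_passcode_length=6, max_failed_attempts=10,
                approved_apps=frozenset({"corp.mail", "corp.vpn", "corp.docs"}),
                location_services_allowed=False)

# Constructed inventory: a hardened corporate device, an unhardened BYOD, a jailbroken corporate device.
INVENTORY = [
    DevicePosture("DEV-001", True, True, False, 8, True, True, 10, True, False, ["corp.mail", "corp.vpn"]),
    DevicePosture("DEV-002", False, True, False, 4, False, True, 0, True, True, ["corp.mail", "social.chat"]),
    DevicePosture("DEV-003", True, True, True, 8, True, True, 5, True, False, ["corp.mail", "corp.docs"]),
]

if __name__ == "__main__":
    for dev_id, findings in report(INVENTORY, POLICY).items():
        print(f"{dev_id}: {'COMPLIANT' if not findings else 'BLOCKED'}")
        for finding in findings:
            print(f"    - {finding}")
```

Each finding maps back to one row of the summary table, so the audit output doubles as a record of which SOP rule a device failed; adding a rule means adding a posture field and one check, not rewriting the gate.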

After reviewing its business objectives and budgetary constraints, an organization should determine whether it wants a mobile device policy based on prohibition or restriction. This goal forms a basis from which a mobile device usage policy should be created. An MDM solution can then be procured or developed to enforce the created policy.

The best security measures for mobile devices are implemented in response to relevant threats, with minimum hindrance to routine work. Haphazard security leads to wasted resources and, in turn, lost productivity. Every organization must thoroughly plan and implement its mobile device policy to maximize the usefulness of the devices while minimizing distractions and security threats.
About the Author
Abdul B. Subhani is the founder and President/CEO of Centex Technologies, an IT consulting company with offices in Central Texas, Dallas, and Atlanta. He is also an adjunct faculty member of the Texas A&M University - Central Texas computer information systems department. Abdul is a Certified Ethical Hacker, a Certified Fraud Examiner, Certified in Risk and Information Systems Control, a Texas Licensed Private Investigator, a member of FBI InfraGard, a member of the Forbes Technology Council, and the recipient of multiple other advanced IT credentials.

He has recently been recognized as one of the 40 Under 40 by the Armed Forces Communications and Electronics Association for his significant contributions in the field of science, technology, engineering and math (STEM).

Abdul has been a frequent keynote speaker, moderator, and panelist at leading international technology conferences, and he has given speeches to thousands of students at colleges and universities.
[1] For more information about guidelines for managing the security threats posed by mobile devices, see this NIST publication: