10 Mobile Security Best Practices to Keep Your Business Safe
As smartphone and tablet use continues to expand in the business landscape, organizations have become more aware than ever of the threat of mobile security attacks. While different, what these companies all share is a sense of helplessness — that it’s only a matter of time before someone finds a way to infect their smartphones and tablets with malware or fall victim to phishing.
In some cases, that feeling of helplessness is real, particularly if you’re working for a smaller business that doesn’t have a formal security role or a dedicated team to assess and mitigate potential risks.
However, fending off potential security issues is especially important for these small and midsize firms. Given that their employees tend to juggle multiple responsibilities, they rely on mobile devices to go wherever they’re needed while staying connected to corporate data and applications.
Here are 10 ways your organization can remain proactive in its approach to mobile security and management.
1. Make Upgrading a Priority
According to the most recent NPD Connected Intelligence Mobile Connectivity Report, the average upgrade cycle for smartphones in the U.S. is 32 months — nearly three years. That reflects how often consumers make the move to a new device, and it’s up from 25 months the year before.
That kind of cadence might be fine for people who are only using their devices for personal apps and content, but businesses need to approach upgrade decisions differently. Security researchers learn a lot about the changing tactics of malware authors, distributed denial of service (DDoS) attackers and ransomware campaigns in a three-year period. So do device manufacturers, who are building in protections that specifically address common attack vectors as networks evolve to 5G.
In BYOD environments, it’s critical to set minimum requirements for the devices that are allowed to access corporate systems and apps. Beyond three years from initial release, many devices stop receiving regular OS updates and security patches, making them more vulnerable to new exploits.
If you’re dealing with constrained IT resources, you have to determine the tradeoff between trying to figure out a mobile security strategy on your own and simply making use of what is already market-ready and available to businesses.
2. Make MDM a Mainstay
Companies have always made sure they could keep track of the equipment they’ve purchased, but there’s a difference between monitoring what happens on an oil rig that never moves and a fleet of smartphones that have been deployed to on-the-go employees.
Why You Need an Incident Response Playbook
Get this free guide on how to respond to mobile security breaches — or thwart them altogether.
While mobile device management (MDM) has been adopted by most enterprises, smaller firms have plenty of reasons to explore it as well. MDM tools can be helpful to companies that offer a bring your own device (BYOD) program but want to make sure employee devices don’t open them up to security threats.
While choosing an MDM solution will take some research, midsize firms can get a head start by making sure the devices they deploy or recommend to employees incorporate security capabilities from the chip up.
3. Whitelisting and Blocklisting
Many security threats penetrate companies due to user errors which are often just honest mistakes. Employees might not realize by downloading an app, for instance, that they are effectively leaving the door open to have corporate data stolen from their smartphone.
Whitelisting and blocklisting apps via MDM helps protect employees — and their employers — from these kinds of risks by making it clear which apps and sites are safe.
Blocklists give IT departments peace of mind by blocking access to certain apps and sending notifications when an attempt is made. Whitelists, on the other hand, may be more effective for highlighting the mobile tools employees should be prioritizing over games and social media.
4. Two-Factor Authentication and Biometrics
Weak and easily forgotten passwords can make it simple for rogue third parties to gain access to mobile devices. Two-factor authentication is a straightforward way for small and midsized businesses to begin developing a layered mobile security strategy.
While tokens have sometimes been used as part of two-factor authentication, fingerprints and other biometric identifiers are quickly gaining ground. In fact, 70 percent of businesses will use biometrics for workforce access by 2022, according to market research firm Gartner. Biometrics can be used in tandem with the data separation technologies discussed below.
5. Get Comfortable With Customization
When new hires are brought on board, they usually aren’t given keys to every filing cabinet, the company’s banking credentials or other proprietary data that require a certain level of seniority or privilege. In the same way, it doesn’t make sense to grant every employee unfettered access to all manner of corporate apps and data.
IT managers can get around this with tools that let them customize mobile devices before they are handed out to their workforce. A good example is Samsung’s Knox Configure, which enables businesses to create a myriad of simple-use scenarios, from customizing boot-up screens to creating dedicated-use devices with only work-related apps.
6. Separate Work and Play
Even if they don’t have a dedicated desk with their own drawers, companies often offer employees a safe place of some kind where they can place personal items and secure them until they’re needed at the end of the day. Strong mobile security involves taking a very similar approach to the way data and apps are partitioned on the device.
Containerization, for example, allows smartphones to create separate workspacesof business apps and content that can be centrally protected and managed. Administrators don’t need access to an employee’s personal apps or data and can therefore provide the optimum mix of flexibility and security. This lets IT departments lock down sensitive company information, while letting employees maintain confidence in their personal privacy.
7. Ease the Updating Process
Just as new security threats are constantly cropping up, companies are simultaneously developing fixes that can be applied to mobile devices. Unfortunately, that often puts the burden on a company’s IT resources (which can be scarce or spread thin in midsized firms) to apply all the right patches on a regular basis. According to IDG’s 2019 Security Priorities Study, patch management is still one of the most widely used methods for large enterprises to combat security threats, and smaller firms should do the same.
Technologies such as electronic firmware over-the-air (E-FOTA) mean employees don’t have to wait while patches or other updates are being pushed to their devices. Instead, updates can be scheduled across the entire team, ensuring all updates are tested and compatible, and all devices are uniform.
8. Keep Policies Current
If employees fall victim to a phishing scheme and get locked out of their devices, or data loss occurs because settings were somehow tampered with, a company will probably be quick to outline an updated mobile security policy for everyone to follow.
Rather than wait until disaster strikes, however, the most successful organizations stay on top of security issues and get in front of them from a policy perspective. At least every six months, review your mobile security posture, from your ability to monitor device usage, points of vulnerability and the age of your smartphone fleet.
Then, look forward to new devices that might be integrated into your workforce as part of new hire onboarding or upgrades across a department. Make sure updated policies are well documented. Of course, make sure employees are held accountable for reviewing and adhering to the policy as well.
9. User Training and Security Awareness
The IDG study showed that almost a third of those surveyed, or 31 percent, cited employee training as one of the top areas where they fall short. “This speaks to the perpetual problem of employees as a security risk,” the authors wrote.
Training and security awareness is never a once-and-done activity, but something that should be treated as an ongoing work in progress. The companies that do this successfully make sure the content is easy to understand and available through different channels depending on their preference. Examples could include tips in an employee newsletter, an instructional video on a company intranet or even push notifications sent to all employee smartphones.
10. Seek a Scaleable Path
A small company might not be small forever. Growth can come quickly via a strategic initiative to expand into a new market or territory, an M&A or some other tipping point. What won’t change is the need for your workforce to be equipped with the best tools available to do their jobs from wherever they are.
Of course, configuring and provisioning devices one by one is a nonstarter for IT departments, so think about how you can find an MDM tool or related application that will streamline this process as the organization evolves.
Fortunately, none of the Android mobile security tips outlined here have to be developed from scratch. Solutions such as Samsung Knox Manage and Knox Configure were deliberately designed to help organizations from small firms to large enterprises with the ability to secure, manage and provision smartphones successfully.