October is National Cybersecurity Awareness Month — a time when all of us in the cybersecurity industry work together to remind everyone about key security practices. This year’s theme is “Own IT. Secure IT. Protect IT.” The first — Own IT — refers to taking personal responsibility for security. When it comes to individuals taking security into their own hands, we immediately think of mobile devices. Whether the mobile devices you allow in your environment are corporate-issued, employee-owned or a mixture of the two models, here are the best practices we recommend for any mobile device.
- Require Endpoint Security Software. Any device that connects to your network, whether employee- or corporate-owned, is an endpoint with access to your network. It’s no longer the case that only PCs are vulnerable; criminals are increasingly targeting smartphones and tablets running iOS, and Android devices are especially at risk. If the devices are corporate-owned, make anti-malware software part of the standard configuration, set to trigger regular updates. If you allow employee-owned devices to connect to your network over Wi-Fi, make having activated and updated anti-malware software a required part of your mobile-connection policy.
- Fortify Your Logins. A mobile device that has access to corporate data must be locked with a PIN code or passphrase. Also, require both strong passwords and multi-factor authentication for any access to the corporate network, regardless of whether the device connects via internal Wi-Fi or from networks that you don’t control. These measures don’t just protect you against unauthorized use of the device; they also guard against criminals guessing passwords or using stolen credentials to gain access from outside your network.
- Mandate VPN Use. Since mobile devices connect over the air, they are susceptible to eavesdropping. If your employees are going to connect to your network, require that they do so via a VPN to take advantage of strong encryption. Look for a VPN that supports multi-factor authentication to protect the VPN logins. Also, consider segregating the mobile connections, and putting them behind a dedicated firewall that strictly controls the corporate applications and assets they can access remotely.
- Secure Your Wi-Fi. If you offer guest Wi-Fi, keep it on a separate network that allows no access to the corporate network. Similarly, educate your own users about the dangers of public Wi-Fi. Not only can other users eavesdrop on the traffic, but criminals have been known to set up fake hotspots near coffee shops, libraries and other public places to entrap users.
- Protect Against Malicious Apps. Applications that masquerade as something fun or useful but are in reality designed to steal data are one of the biggest risks of mobile devices. If your devices are corporate-owned, establish policies that limit or block the use of third-party software. For BYOD environments, the only realistic way to fully protect corporate assets is to allow no access to the corporate network at all. As an alternative, allow access only through a virtual desktop. This provides some protection, since the sensitive information is solely on-screen, not resident in the phone’s memory.
- Develop and Require a Secure Configuration. Either require (for corporate-owned) or strongly recommend (for BYOD) a standard, secure configuration for mobile devices. This includes requiring a lock code or password for access to the phone, avoiding unsecured wireless networks, and hiding the phone from Bluetooth discovery (or if possible, disabling it altogether).
- Enable Remote Lock and Wipe. If your devices are corporate-owned, be sure you are able to remotely lock the device or erase the data if it’s ever lost or stolen. To alleviate employee concerns over the possibility that their personal data could be lost, use containerization. This allows you to provision separate work and personal environments so you can wipe only the corporate data from the device.
- Conduct Mobile Security Audits. Hire an outside firm to annually audit your mobile security and perform penetration testing. Testing with the same mobile devices that you use in your environment will uncover potential issues before a criminal discovers them.
The above measures address basic prevention in a mobile environment. There are others, such as round-the-clock active security monitoring, that we don’t include because they’re simply beyond the realm of what an in-house IT department can handle. That’s where we come in. During National Cybersecurity Awareness Month, while everyone is pushing to make security top-of-mind, why not take the next step with SOCBOX? Contact us, email firstname.lastname@example.org, or call 877-284-7789.