Three tips for improving mobile security

Elizabeth Millard//October 16, 2014

It’s almost impossible to recall a time before smartphones and nonstop connection. The efficiency and always-on gains brought by mobile technology have come at a price, however.

According to security firm Kaspersky Lab, mobile is becoming one of the fastest-developing IT security areas, and in 2013, malware on mobile devices reached new heights and attained a new level of maturity. Cybercriminals are using sophisticated tactics, such as creating “helpful” apps that covertly install spyware, to capture information that will get them into corporate networks.

For many IT managers, mobile security can be especially tricky, since about half of all enterprises allow employees to connect their own devices to the network, bringing risk of malware picked up from nonwork apps and games. But there are ways to beef up security, no matter what your mobile policies might be. Here are three tips to get started:

1. Outsource device management. Many organizations and enterprises find it easier to bring in specialists when it comes to mobile management, notes Matt Woestehoff, director of business development at The Foundation, a Minneapolis-based technology firm.

“From a security standpoint, a company’s biggest vulnerability is not knowing the right answer, or worse, not knowing the right questions to ask,” he says. “In outsourcing to someone who does mobile consistently, you’ve got certified professionals to question, learn from, and guide both technology and policy.”

Woestehoff adds that an outsource provider can put extra levels of security in place, such as creating a dedicated number for support calls, and only allowing authorized users to call and create support tickets. A provider can even ask a caller to state a password phrase that must be said before any corporate information is pushed to the devices being managed.

2. Make remote deletion available. If an associate leaves the firm or a smartphone gets left in the back of a cab, suddenly you have a security issue. Previously, “remote wipe” technology would remove all data from the device, as long as it was connected to a network. But the tactic has become more sophisticated, and now, a firm would be able to remove only those files or data related to the enterprise.

Making sure this option is in place can be hugely valuable for staying on top of mobile security, since it can be used quickly and effectively. Often, the strategy can be part of a larger software suite, like customer relationship management (CRM) applications, or enterprise resource management (ERP) tools.

“With one click, we can remove a company calendar, email, and contacts from anyone’s device if it’s connected to our CRM,” says Heather Manley, president of Minneapolis-based IT services firm On-Demand Group. “A company must be able to remotely delete sensitive data off these devices without permission.”

3. Create a BYOD-specific policy. When a firm has a “bring your own device” environment, there must be a security policy that spells out the security strategies that will be used. For example, employees should understand that corporate data can get wiped from their devices remotely, without their go-ahead, if IT senses a threat. Also, it’s important that everyone at a firm understand, even at a basic level, what kinds of security issues are specific to mobile technology, like mobile-based malware and phishing.

“Make sure you set proper employee expectations about what these policies mean,” says Steve Quigley, sales director at Plymouth-based IT consulting firm Clear North Technologies. “Employees need to truly understand that they will forfeit some control of their personal devices.”

Part of the policy should cover privacy issues and include an acknowledgement that the firm will have access to whatever’s on the device, even personal content like photos and text chats. Although that might make some employees uncomfortable, the fact is that if a device is connecting into a company network, then security must be implemented in a comprehensive way, and that might involve personal content.

With some firm policies, awareness of security issues, and a few savvy strategies, mobile devices don’t have to be windows of opportunity for cybercriminals.

Elizabeth Millard has been writing about technology for nearly 20 years. Her work has appeared in ABA Journal, Law Office Computing, Business 2.0, eWeek, and TechNewsWorld.