Almost all employees use mobile devices in the Enterprise IT Environment
The share of Americans who owned a smartphone in February 2019 was 81%. Among Americans younger than 49 the percentage is over 90%, and in the 50 – 64 age group it is 79%. Smartphones are as vulnerable to cyber attacks as laptops and traditional desktops, and sometimes even more so. Many businesses issue mobile devices to their employees to improve workplace mobility, and more and more businesses allow employees to bring their own personal smartphones to work and use them to access company IT infrastructure and services. Both cases bring extra cybersecurity risks, and those risks should be mitigated.
In the SMB world we see more BYOD (Bring Your Own Device) than in large enterprises. It brings no extra costs for the company, and most of the time there is not enough IT knowledge inside the company to understand the resulting IT security exposure. It is not bad to allow employees to use their personal devices, but if the company cannot afford a Mobile Device Management system or Mobile Threat Prevention software, a minimal set of rules and policies must be enforced to protect the security and integrity of the company’s data and technology infrastructure. These policies should govern how mobile devices are used when accessing the company’s IT infrastructure, and at minimum they should cover acceptable use, security, and risks.
Acceptable use policies should tell users (employees) what is and is not acceptable when using mobile devices to access the company IT network: for example, which sites they are allowed to visit and which sites they are specifically not allowed to visit during work and while using the enterprise infrastructure, and which company resources they are allowed to access, such as email, calendars, and contacts. An acceptable use policy should clearly specify what users are not allowed to do with mobile devices and the company IT infrastructure. Sending company confidential documents or transmitting illicit content should be explicitly forbidden.
When it comes to security, no rooted or jailbroken device should be permitted. Such devices circumvent even the basic security mechanisms put in place by the mobile operating system vendors. We also believe it should be mandatory that every device is protected by a PIN or password, and that this mechanism is never deactivated. This protects the data on the device in case it is stolen or forgotten in the wrong place. Devices should also auto-lock after a period of inactivity – for example, a smartphone that has not been used for 5 minutes should lock itself.
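Even without an MDM, an SMB can check its device inventory against the three controls above (no rooted or jailbroken devices, a PIN or password always set, auto-lock within 5 minutes). The following Python script is an added example, not code from the original article or from Roca Networks: it evaluates a constructed CSV inventory against those rules and reports every non-compliant device with its reasons. The CSV column names and the sample rows are assumptions for illustration, not an export from any real MDM product.

```python
"""Evaluate a BYOD device inventory against the minimum policy described above.

Constructed example: the inventory format, column names and sample rows are
assumptions for illustration, not an export from any real MDM product.
"""
import csv
import io
from dataclasses import dataclass

# Policy thresholds from the article: no rooted/jailbroken devices, PIN or
# password mandatory, auto-lock after at most 5 minutes of inactivity.
MAX_AUTOLOCK_MINUTES = 5

# Constructed sample inventory (assumed CSV export format).
SAMPLE_INVENTORY = """\
device_id,owner,platform,rooted_or_jailbroken,screen_lock,autolock_minutes
d-001,alice,android,no,pin,2
d-002,bob,ios,yes,passcode,1
d-003,carol,android,no,none,0
d-004,dave,ios,no,passcode,15
d-005,erin,android,no,password,5
"""


@dataclass
class Finding:
    """One non-compliant device and the policy rules it violates."""
    device_id: str
    owner: str
    reasons: list


def _truthy(value):
    return value.strip().lower() in {"yes", "true", "1"}


def evaluate_device(row):
    """Return the list of policy violations for one inventory row (empty = compliant)."""
    reasons = []
    if _truthy(row["rooted_or_jailbroken"]):
        reasons.append("rooted or jailbroken device")
    if row["screen_lock"].strip().lower() in {"", "none", "off"}:
        reasons.append("no PIN/password protection")
    try:
        autolock = int(row["autolock_minutes"])
    except ValueError:
        autolock = None
    # A missing or zero value means auto-lock is disabled or unknown; both fail.
    if autolock is None or autolock <= 0:
        reasons.append("auto-lock disabled or unknown")
    elif autolock > MAX_AUTOLOCK_MINUTES:
        reasons.append(f"auto-lock set to {autolock} min (max {MAX_AUTOLOCK_MINUTES})")
    return reasons


def evaluate_inventory(csv_text):
    """Return a Finding for every non-compliant device in a CSV inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = evaluate_device(row)
        if reasons:
            findings.append(Finding(row["device_id"], row["owner"], reasons))
    return findings


if __name__ == "__main__":
    for f in evaluate_inventory(SAMPLE_INVENTORY):
        print(f"{f.device_id} ({f.owner}): " + "; ".join(f.reasons))
```

Run as-is, the script flags d-002 (rooted), d-003 (no screen lock and auto-lock disabled) and d-004 (auto-lock too long), while d-001 and d-005 pass. The rules live in one function so that a company can tighten the thresholds in a single place as its policy matures.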
In terms of risks, employees need to know the IT security risks they are exposed to when using such devices to access company IT systems. They shall be made aware of, understand, and assume liability for risks such as the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.
With the above policies documented and explained to the users, some of the risks would be eliminated. We recommend that, besides the policies, companies also have Mobile Threat Prevention software in place; we will cover that topic in another of our blog articles.
Roca Networks can help audit your company’s cybersecurity and implement best practices. If you are interested, please fill in your details and we will contact you.