What’s your business’s policy for dealing with mobile device security?
The immense popularity of mobile devices is inescapable, yet most small businesses have given little real thought to how best to manage them. Until recently, I shared the opinion that there often isn’t much to worry about. The amount of corporate data on mobile devices was limited (mostly to email), and we could usually remotely erase a lost device, thereby dealing with the most obvious threat.
But as the usage of mobile devices has grown, so have the amount and types of sensitive information that they contain. Cloud-file syncing apps now make it easy for all sorts of files and documents to find their way into any employee’s pocket. It’s time to recognize the significance of this and grapple with the implications — time for small business owners and managers to plan and execute a mobile device strategy.
Policy
The first step in developing a strategy is to conceptualize and then write down what you would like to happen, typically in the form of a mobile device policy to be disseminated to and signed by employees.
Start by defining the scope: What types of mobile devices are covered? Most people think of smartphones and tablet computers, but the policy might also apply to laptop computers, flash drives, external hard drives, and anything else portable that contains corporate data. The policy obviously applies to company-owned devices, but some or all of its provisions should also apply to employee-owned devices that access company data.
Once you have defined which devices you’re concerned with, you can set guidelines for how they should be configured and used. A basic policy should state which corporate data is allowed to exist on a mobile device. It should also require at a minimum that all devices containing corporate data be protected with a password and disk encryption. Finally, every mobile device policy should require employees to notify the IT department immediately if a covered device is lost or stolen.
Moving beyond the basics, a more comprehensive policy might dictate which apps are allowed to access corporate data or which apps can be installed on the device. It might prohibit employees from jailbreaking or rooting their devices. It might set or restrict certain device or app settings, such as how many days of email can be stored or whether apps containing corporate data can be backed up to the cloud.
The possibilities can be overwhelming, so a good place to start is by finding a policy example or template online. Keep in mind, however, that when you dig into the details there is often no single right answer. What’s best for you will depend on your circumstances and corporate culture. It’s all about balancing security with usability and choice.
Enforcement
Once you have developed your policy, the second part of the strategy is to enforce it reliably. While certain aspects may require nothing more than communicating expectations to employees and obtaining their commitment to following them, frequently the risk is too great, or the expectations too technical, to rely solely on willing, conscious compliance.
The solution is a mobile device management (MDM) product, which allows the IT department to enforce the policy’s technical requirements rather than rely on each employee to apply them. Entry-level MDM is included with Microsoft Exchange, Microsoft Office 365, and Google Apps for Business. These offerings are sufficient for basic policy requirements (password, encryption, and email retention settings) and can completely wipe a lost device or selectively wipe only its associated corporate apps and accounts.
More advanced MDM solutions — like MobileIron, AirWatch, Cisco Meraki, and Microsoft Intune — add features like automatically installing or removing apps and “wrapping” corporate data and apps in a secure, self-contained area, insulating them from everything else on the device. Ranging in cost from zero to a few dollars per device or user per month, they are an effective tool for businesses with more complex needs.
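The following PowerShell script is an added example, not code from the article or from any of the vendors it names. It shows how the basic policy requirements above (device password, disk encryption, a cap on stored email, and wiping a lost device) are enforced with the entry-level MDM built into Exchange Online. It assumes the ExchangeOnlineManagement module is installed and that the policy name "Contoso-Mobile", the mailbox alice@contoso.example and the device ID placeholder are hypothetical values you would replace with your own.

```powershell
# Added example: enforcing a basic mobile device policy with Exchange Online's
# built-in MDM (Exchange ActiveSync mailbox policies). Not the article's code.
# Assumptions: ExchangeOnlineManagement module is installed; the policy name,
# mailbox and device ID below are placeholders.
Connect-ExchangeOnline

# --- Step 1: write the policy's technical requirements as an EAS policy. ---
# Devices that cannot honour these settings are refused
# (-AllowNonProvisionableDevices $false), so an unmanaged phone cannot
# simply ignore the password and encryption rules.
New-MobileDeviceMailboxPolicy -Name "Contoso-Mobile" `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -MinPasswordLength 6 `
    -MaxInactivityTimeLock 00:05:00 `
    -MaxPasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false `
    -MaxEmailAgeFilter OneWeek `
    -IsDefault $true

# --- Step 2: assign the policy to a mailbox (or rely on -IsDefault for all). ---
Set-CASMailbox -Identity "alice@contoso.example" -ActiveSyncMailboxPolicy "Contoso-Mobile"

# --- Step 3: verify which devices sync this mailbox and their access state. ---
# DeviceAccessState shows whether the device was allowed, blocked or quarantined.
Get-MobileDevice -Mailbox "alice@contoso.example" |
    Select-Object DeviceId, DeviceType, DeviceAccessState

Get-MobileDeviceStatistics -Mailbox "alice@contoso.example" |
    Select-Object DeviceFriendlyName, LastSuccessSync, DeviceWipeSentTime

# --- Step 4: respond to a lost/stolen report. ---
# -AccountOnly removes only the Exchange account and its data (selective wipe);
# omit it to issue a full device wipe. Replace the placeholder with the real
# DeviceId from Step 3.
Get-MobileDevice -Mailbox "alice@contoso.example" |
    Where-Object { $_.DeviceId -eq "PLACEHOLDER_DEVICE_ID" } |
    Clear-MobileDevice -AccountOnly -Confirm:$false
```

Steps 1 and 2 are the "policy" half of the strategy expressed as configuration; Step 3 is the check that tells you the policy is actually being applied (a device stuck in a blocked or quarantined state usually cannot meet the encryption or password requirement), and Step 4 is the enforcement action the lost-or-stolen clause of the policy exists to trigger.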