5 ‘best practices’ for mobile device management
Although there’s no magic answer, following these will lead you in the right direction
Technology keeps advancing, especially with the growth and increased use of smartphones and tablets. If organizations are not providing devices to their employees, most employees will bring their own and connect them via Exchange ActiveSync or Lotus Notes Traveler. They may even install unmanaged cloud service products that you’ll potentially never be aware of.
So, how do organizations keep up with it all while protecting access to the network at the same time?
Although there is no magic answer or solution, following these “best practices” will lead you in the right direction:
1. Write a mobile device usage policy: When creating a policy for mobile devices in the workplace (sometimes known as a personal device user agreement), it's important to outline what's acceptable and what’s not, such as:
• Verbiage on how hourly employees should access email after regular business hours
• Types of files and data that are allowed to be stored on mobile devices
• Services that are allowed to be accessed (e.g. OneDrive, Dropbox, SharePoint Online, etc.)
• The rights that the company retains with regard to personal devices (e.g. the right to completely wipe a device and delete all its contents, or the right to selectively wipe only company data from the device)
Ensure that new hires and current employees receive the agreement, have read it thoroughly, and sign it.
2. Passwords, encryption, and remote wipe:
• Require a PIN or password of at least four characters (some organizations now require six).
• Ensure the screen locks after 5 minutes of inactivity.
• Enable full device encryption. With encryption there's little risk of the company data being accessed if a device is lost or stolen.
It’s recommended to institute these practices at a minimum.
3. Keep IT simple: When a new hire joins your organization, provide them with a single URL or instructions on how to connect their device to your systems and applications (making sure they first read and sign the company's mobile device usage policy). Increased security usually means increased inconvenience, so it’s important to find the right balance between productivity and security. Mobile device management solutions can help reduce risk, but they aren’t perfect and they aren’t a substitute for end user education.
4. Adopt a mobile device management (MDM) platform that works for your business: If your organization is considering an MDM platform or solution, it's important to consider the following when choosing the right service:
• Which devices are you trying to protect? Do you need to secure only handhelds like phones and tablets, or do you also want to secure laptops?
• What type of security do you want to implement? Do you only need to secure the device from being accessed if it’s lost or stolen, or do you need more advanced capabilities like geofencing?
• Is MDM, on its own, sufficient for your needs? MDM provides basic protection that will keep someone out of a lost or stolen device, but do you need to take security to the next level by pairing these capabilities with information rights management, conditional access, or multi-factor authentication to prevent data leakage of sensitive information?
5. Ensure backup and recovery: Employees and consumers are becoming increasingly aware that backing up data is critical, but they may not necessarily be diligent about the security of those backups.
You may have secured the device itself, but have you enforced policies to ensure that an iTunes backup is encrypted? Many MDM solutions can do this, or even disable the ability to back up a device altogether.
It's also important to consider, at the organizational level, a backup and recovery service should all else fail. Services like OneDrive for Business and SharePoint Online help keep data safe regardless of what happens to the device, but making your data accessible in these services makes security enforcement, for both the device and for access to the data, even more important.
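The minimums from item 2 and the backup check from item 5 can be audited against whatever device inventory your MDM exports. The following is an added example, not part of the original article or any vendor's API; the field names and the sample records are assumptions constructed for illustration.

```python
# Added example: audit device posture against the article's stated minimums.
# Field names are hypothetical; map them to your MDM's actual export columns.
MIN_PIN_LENGTH = 4          # article's floor; pass min_pin=6 for the stricter variant
MAX_LOCK_SECONDS = 5 * 60   # screen must lock after 5 minutes of inactivity

def audit_device(device, min_pin=MIN_PIN_LENGTH):
    """Return findings for one device; an empty list means it meets the baseline.
    Missing or malformed attributes fail closed (unknown posture is a finding)."""
    findings = []
    pin = device.get("pin_min_length")
    if type(pin) is not int or pin < min_pin:
        findings.append(f"PIN/password minimum below {min_pin} or not reported")
    lock = device.get("auto_lock_seconds")
    # Assumption: a value of 0 means "never lock", so it is treated as a failure.
    if type(lock) is not int or lock <= 0 or lock > MAX_LOCK_SECONDS:
        findings.append("screen lock over 5 minutes, disabled, or not reported")
    if device.get("encrypted") is not True:
        findings.append("full device encryption not confirmed")
    # Item 5: local backups must be encrypted, or backing up must be disabled.
    if (device.get("backup_encrypted") is not True
            and device.get("backup_disabled") is not True):
        findings.append("local backup neither encrypted nor disabled")
    return findings

def audit_inventory(devices, min_pin=MIN_PIN_LENGTH):
    """Map device id -> findings for every non-compliant device."""
    report = {}
    for dev in devices:
        findings = audit_device(dev, min_pin)
        if findings:
            report[dev.get("id", "<unknown>")] = findings
    return report

# Constructed sample inventory (not real data).
SAMPLE = [
    {"id": "phone-01", "pin_min_length": 6, "auto_lock_seconds": 120,
     "encrypted": True, "backup_encrypted": True},
    {"id": "tablet-02", "pin_min_length": 4, "auto_lock_seconds": 900,
     "encrypted": True, "backup_disabled": True},
    {"id": "phone-03", "pin_min_length": 4, "auto_lock_seconds": 300,
     "backup_encrypted": False},  # encryption state never reported
]

if __name__ == "__main__":
    for dev_id, findings in audit_inventory(SAMPLE).items():
        print(dev_id, "->", "; ".join(findings))
```

Because unreported attributes count as findings, a device that has stopped checking in with full posture data shows up in the report rather than silently passing.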
The bottom line: These “best practices” take into consideration some of the most important aspects of mobile device management and the challenges of bringing your own device to work. However, it is a complex topic that can and must be customized to the needs of each business and its policies.
MDM is one important piece of the mobile security puzzle and a great step forward to ensure your data remains safe.
Jeff Trudel is a network engineer at Maine-based Systems Engineering. He can be reached at 603-226-0300 or through syseng.com.