Convenience and productivity shouldn't supersede security. When employees need to access data on their phones, proper security measures should be in place.
Working across multiple devices and staying connected to the office anytime and anywhere may make employees more productive. But productivity comes at a cost, and that cost may be the loss of sensitive data.
In today’s business environment, it’s common for people to view work-related information on mobile devices—either their own or corporate-issued ones. The problem is those devices don’t have the same level of protection as your network. So, if they're viewing sensitive information on their smartphones or tablets, there’s a greater risk of that data getting exposed or stolen.
According to a Ponemon Institute study, 67 percent of organizations experienced data loss from an employee’s mobile device last year. It costs enterprises an average of $16.3 million a year to investigate, contain, and remediate a mobile malware attack.
Even more troubling is that IT departments are unaware of how much sensitive data is at risk. While IT departments believe that 19 percent of employees have access to customer records on their mobile devices, in reality, 43 percent of employees have mobile access to that data.
Some of the top risks for mobile data loss include stolen devices, data compromise, weak authentication, and mobile malware. Protecting mobile data is complex because it involves securing data on the device, in the app, and over the network.
Here are some tips for keeping your company’s mobile data secure.
Perform System Updates
This goes without saying, right? Well, not exactly. According to a recent survey, only 9 percent of companies enforce mobile operating system updates. If you think that’s bad, it’s actually an improvement from the previous year.
Security patches are a simple way to protect devices against security threats, so organizations should require that employees’ devices run at least the second-most current version of a mobile operating system, if not the most current one.
Develop a Mobile Policy
It’s hard to expect employees to be careful with data on their mobile devices if you don’t have a policy in place on how to access and use that data. Whether your organization has corporate-issued devices or employees use their own devices, you need a policy to govern the use of company data.
One of the first things you need is a data classification policy, which determines what data is confidential or sensitive and restricts mobile access to that data. Other policy measures to consider include:
- Password management: Require complex passwords to access data and the regular changing of passwords
- Multi-factor authentication: Require employees to provide additional information to access data on mobile devices
- BYOD policy: Govern the use of employee-owned devices and establish necessary restrictions
- Limit app usage: Blacklist the use of certain popular mobile apps that have lax security standards (here’s a list of the most commonly blacklisted apps)
Encryption and Data Wipe
You’ll be surprised how common it is for a phone or tablet to be lost or stolen. About 70 million smartphones are lost each year, and 4.3 percent of company-issued smartphones are lost or stolen. Since people carry these devices everywhere, the risk of misplacing them or someone taking them is quite high. That’s why companies need measures in place to protect data on devices.
Encrypting company data is a key way to protect private information if a device is lost or stolen. No matter where a device is or who has it, encryption keeps unauthorized users from accessing confidential information.
If your company uses an Enterprise Mobile Management (EMM) solution, it can allow IT to remotely wipe data from a lost or stolen device. If the device is corporate-issued, IT can perform a full wipe of the data to restore the device to factory settings. If the device is a personal one, IT can do a selective wipe, which removes only corporate data and apps. Either way, remote wipes are a good defense against data loss.
Monitor and Audit Data
Companies should also monitor and audit their data on employee mobile devices to ensure compliance with policies and security of sensitive information. This monitoring is vital for identifying insider threats, data leaks, or malware. Of course, this should be a transparent process in order to not intrude on personal usage.
Many industry compliance regulations require user access monitoring, especially if employees have access to customer data such as healthcare records, payment card information, or financial records.
You need to find out what devices are being used for business functions and track what data is being accessed as well as the user’s location and device ID. Network access controls, device fingerprinting tools and wireless network IPS can help you find this information. Log messages can identify when users access business apps and track device location.
Many EMM solutions help with monitoring and security through mobile device inventory, remote configuration, app isolation, remote wiping, and rogue app detection. They also include application wrapping, secured file sync and share, as well as protected browsers and email.
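The audit described in this section, combined with the earlier rule that devices run at least the second-most current OS version, can be sketched as a check of access logs against a device inventory. This is an added example, not from the original article; the log format, field names, inventory, and version numbers are constructed assumptions.

```python
# Constructed sample data: the log format, field names and versions are assumptions.
CURRENT_MAJOR = {"ios": 17, "android": 14}  # assumed latest major release per platform

INVENTORY = {  # device ID -> (platform, OS version), as an EMM inventory export might list it
    "dev-001": ("ios", "17.2"),
    "dev-002": ("android", "12"),
    "dev-003": ("ios", "16.7.1"),
}

ACCESS_LOG = """\
2024-03-01T09:14:02Z user=alice device=dev-001 app=crm class=confidential
2024-03-01T09:20:45Z user=bob device=dev-002 app=crm class=confidential
2024-03-01T09:31:10Z user=carol device=dev-003 app=wiki class=internal
2024-03-01T10:02:33Z user=dave device=dev-999 app=crm class=confidential
2024-03-01T10:05:00Z user=bob device=dev-002 app=wiki class=internal
"""

def os_compliant(platform, version, current=CURRENT_MAJOR):
    """True if the major version is the current or second-most current release."""
    latest = current.get(platform)
    if latest is None:
        return False  # unknown platform: treat as non-compliant
    try:
        major = int(version.split(".")[0])
    except ValueError:
        return False  # unparseable version string: treat as non-compliant
    return major >= latest - 1  # assumes consecutive integer major versions

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with an added 'ts' key."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec

def audit(log_text, inventory=INVENTORY):
    """Flag access from unknown devices, and confidential access from outdated ones."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        dev = inventory.get(rec["device"])
        if dev is None:
            findings.append((rec["ts"], rec["user"], rec["device"], "unknown-device"))
        elif rec["class"] == "confidential" and not os_compliant(*dev):
            findings.append((rec["ts"], rec["user"], rec["device"], "outdated-os"))
    return findings

if __name__ == "__main__":
    for finding in audit(ACCESS_LOG):
        print(*finding)
```

The `class` field stands in for the data classification policy: only access to data marked confidential is held to the OS version rule, while any access from a device missing from the inventory is flagged.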
Employees often need company data on the go to do their jobs effectively. But convenience and productivity shouldn’t supersede security. It’s important to control and monitor what data is available and who’s allowed to access it.