Securing mobile devices in an enterprise is an essential step in keeping sensitive information and data safe. Unfortunately, you won’t find a one-size-fits-all solution to mobile device security. To help you find the best solution for your organization, let's explore some guidelines for managing and securing mobile devices in the enterprise.
Read on to learn more about mobile device security, what policies work well for enterprises and how your team can define a robust security policy that meets your needs.
What is a Mobile Device?
In our modern world, it feels like everyone is using their mobile devices for both work and personal activity. It’s easy to forget that these devices share a similar architecture to computers, albeit with extra communication features. Much like a computer, modern mobile devices aren’t isolated for one specific purpose. For most users, jumping from work-related applications to entertainment features like social media or streaming services is fairly common.
Even so, to truly understand mobile device security, we need to look at the characteristics most mobile devices share:
- Operating system (OS)
- Usually small enough to be handheld
- Some type of onboard storage
- The ability to communicate wirelessly
- Some physical connection (the charging port)
- The use of software applications
Of course, these are just generalized features of most mobile devices. Some other characteristics you might find include:
- Camera
- Other network services (Bluetooth, near-field communication (NFC), etc.)
- Speaker/microphone
- Sensors (biometric, accelerometer, etc.)
Each of these characteristics presents its own specific threats. From the OS to the networking features, the attack surfaces for mobile devices are fairly large — informing our guidelines for managing and securing mobile devices in the enterprise.
Components of a Mobile Device
Within a mobile device is a host of organized services that work together to keep the device running. This includes:
- Hardware
- Firmware
- Mobile OS
- Applications
Some of these functions are separated from one another. For example, a device’s hardware and firmware will need to communicate with the cellular networking functions. This system, called the telephony subsystem, runs separately in a real-time operating system (RTOS) on its own processor, out of the user's view.
What this illustrates is the complexity of the modern mobile device. It's not just what the end-user sees; it’s also all the underlying systems that keep the phone operational. Unfortunately, this makes securing mobile devices that much more difficult.
Why Do You Need a Mobile Security Policy for Your Business?
It’s incredibly easy to overlook mobile device security in the enterprise. Not only is the threat landscape changing, but solutions based on mobile device management (MDM) systems often leave security concerns only partially addressed. Since these devices are often not the main workstation for end-users in an enterprise environment, other devices tend to get most of the attention.
It's not an exaggeration to say mobile devices have taken over the workplace over the last two decades. Moreover, the line between what’s a personal device and a work-only device is constantly blurred. If end-users connect their personal devices to work-specific applications and services, it can present a staggering security risk.
For enterprise environments, creating a security policy framework that allows end-users to access work data on mobile devices is quickly becoming standard practice. Businesses that choose to ignore mobile device security leave themselves vulnerable to all kinds of threats and attacks that could easily compromise sensitive work and personal data.
To meet the demands of the modern workplace, businesses need to enact policies that outline:
- Guidelines for mobile device users
- Best security practices
- Security platforms and services
Choosing a Mobile Device Policy
If you’re looking to secure mobile devices in an enterprise environment, the first step is to define your mobile device policy. Will devices be corporate-owned? How will end-users use their devices? These are the questions you’ll need to address to ensure mobile devices on your network are secured.
In most cases, you’ll be choosing either a bring your own device (BYOD) or corporate-owned policy structure. Each strategy has its own set of benefits and drawbacks. Often, your team will need to balance device flexibility with security.
Bring Your Own Device (BYOD)
By far the most popular and well-known policy, BYOD allows workers to use their own devices to connect to and interact with the workplace network. While offering the most flexibility for end-users, this policy is often the most susceptible to security threats, and for a pretty simple reason.
With BYOD, you’re putting a lot of the responsibility for managing device security on the end-user. In a perfect world, these workers would follow mobile device security best practices like not using public Wi-Fi or not engaging with malicious applications. Unfortunately, as with most security policies, the strategy is only as strong as its weakest point. This means that even if only one person is not acting according to security guidelines, the whole network is compromised.
Choose Your Own Device (CYOD)
Seen as a middle ground between BYOD and corporate-owned policies, CYOD allows workers to choose from a selection of approved devices. Usually, these devices will come pre-loaded with security protocols and other business-related applications.
While this strategy has some pretty obvious advantages from an enterprise perspective, it still has its disadvantages. For one, workers most likely prefer to use their own personal mobile devices. Additionally, organizations will ultimately be responsible for what kinds of applications and personal information may reside on the device.
Corporate Owned Personally Enabled (COPE)
At the other end of the spectrum, we have COPE devices. As you might imagine, this policy gives your business the most control over what happens on mobile devices connected to your network. While the business will own and operate all devices, end-users may still have the ability to download and access personal information and applications.
Depending on the security environment, this may offer less freedom than you need. Even so, COPE is the best policy for enterprise environments where security concerns are important. For businesses with even higher security concerns, a corporate-owned business only (COBO) policy may be more attractive. Keep in mind that both of these policy frameworks offer the most control over mobile devices on an enterprise network but also come with a significant price tag.
It’s also worth noting that even within these policy frameworks, threats still exist. Corporate-owned policies only present the best environment for control. Your team will still need to manage devices for security updates and educate workers on best practices to meet the demands of a truly secure network.
Defining a Mobile Device Security Policy
Creating a secure environment for mobile device use in the enterprise means defining policies that are comprehensive and detailed. You won’t find a universal strategy. Your team will need to define your security goals and concerns and match a policy that meets or exceeds those demands. This often includes policies directed toward:
- Device use
- Device ownership
- Privacy policy
- Disclosure policies for enterprise data access
That’s just one part of developing a secure policy framework. While management and IT will need to work together to define these parameters, one often overlooked portion of policymaking is how these ideas will reach the end-user.
Even if you have the most comprehensive plan for mobile device security in the enterprise, all it takes is one end-user connecting to an unsecured network to circumvent strict security measures.
That’s why training is always a necessary component of an enterprise mobile device security policy. Teams will need to understand the risks associated with mobile devices:
- Phishing attacks
- Social engineering attacks
- Password best practices
These are just a handful of examples of items your team should be aware of to ensure your enterprise data is secure. Training is always an evolving process. As new threats and technologies emerge, teams will need to understand the risks and threats intimately. Additionally, IT administrators will need to develop ways to enforce these policies using mobile device management (MDM) platforms.
Unfortunately, no one-size-fits-all strategy exists. Management and IT will need to work together to develop a mobile device security strategy that works for their organization. Even with a robust security policy, threats will always crop up.
Securing Mobile Devices with Archon Mobile
Guidelines for managing and securing mobile devices in the enterprise are quite diverse. Often, teams will need to balance device flexibility with security. Unfortunately, even with protection, devices can still see attacks and threats across the fairly complex mobile device technology stack.
With Archon Mobile, we’ve taken security and put it at the heart of our mobile offering. We build our devices from the ground up using strict Commercial Solutions for Classified (CSfC) guidelines. This means our mobile devices can operate with the highest level of classified data.
For enterprise environments, our mobile security offering means your team has yet another layer of protection. Our system can work alongside MDM solutions to provide ultimate security and protection for sensitive information. To learn more about Archon Mobile, contact us today!