BYOD is no longer a buzzword. With the growth in IT and mobile devices, mobile is now the new endpoint. And with that, it has become more important than ever to have a well defined mobile security policy for your company.
I pulled up an old report by Forrester from 2013. Even back then, 29 percent of the global workforce comprised of information workers. On average, information workers use three or more devices, have multiple work locations through the year, and also use several apps. In fact, most of you who will read this article will also have similar behavior.
With close to a billion employees affected by BYOD across the world, it is obvious that it is high time to include a robust mobile security policy along with any existing security framework and rules that your organization might have.
What Makes a Good Mobile Security Policy
Planning & Strategy
Any mobile initiative should start with a full-fledged plan. As part of your planning and strategy, you have to evaluate and understand how a particular mobile initiative affects your existing IT infrastructure. If you are introducing new products or devices into your existing systems, research on what would be the easiest and most secure way of introducing those into your existing architecture. Research and set timelines and goals through this process.
While a lot of CIOs and CISOs follow this for any new products that they add, it is necessary to go back and evaluate your existing infrastructure to find out whether you already have some existing tools and products that might come under the mobile scenario.
Identify and assess the kind of information and data that your IT workforce accesses on mobile environments. You have to start looking at smartphones, tablets and similar devices in the same way how you would look at any other IT infrastructure. Identify the applications that are being used on a regular basis internally and consider getting a mobile app security audit internally and externally, sometimes even with multiple vendors to be doubly sure.
Simply put, the mobile security policy should be a section of your overall policy and processes and decisions devoted to mobile apps and devices should be clearly defined here.
Planning and strategy are great but now you have to actually create the policy document. Creating a mobile security policy and issuing guidelines will not only help create security definitions but will also help prevent any confusion on how data should be stored or used on any mobile device. In case there is a problem, these guidelines will come in handy.
Some of the common items in a mobile security policy document would cover things like
- Password and access control on devices
- Proper encryption before accessing corporate email or sensitive files
- No jailbreaks or rooting
- Mobile app audits on a regular basis
- MDM/MAM solutions, etc.
The policy can be executed through technology and otherwise. Using technology, you can create rules that limit usage as per policy. This has to be done carefully because if not implemented well, it can be a painful experience for your employees. So, additionally, policy implementation requires diligent training for all employees and staff.
Once you finalize your policy, it is essential that you put it on paper (make it official) and get all your employees and staff members to sign on it. Additionally, education needs to be provided to staff and employees on how they can follow the policy. This will help make policy implementation smoother and your life as a CIO a little easier.
Training & Compliance
Most employees are just not aware of the potential risks created by mobile apps and mobile devices. Therefore, as the CIO or CISO, it is your job to incorporate an org-wide traning program at regular intervals to ensure this awareness problem is solved. Provide a list of apps that are permissible for use and those that are prohibited. Ensure your employees understand risks associated with public wifi networks.
For enhanced security and protection, data on both BYOD and company devices should be encrypted. This helps create an additional layer of security in case the device is hacked or stolen.
Apart from running training workshops, make sure you keep compliance requirements in mind when implementing policies. The most recent GDPR compliance kept every one of their toes the last few months and you should be aware of necessary compliances that are applicable to your business.
Without mobile security, businesses are playing with fire and putting their clients and employees at risk. Implementing a security policy can be overwhelming, but it is a necessity. Consider the above elements of a good mobile security policy when creating your own and simplify the implementation process!