In this post we continue from our previous post about how to secure wireless devices at your place of business.
How to Secure Mobile Devices in Your Office
1) Always test your mobile security policy and threat landscape before implementing it:
> Before you start to implement and enforce your policies, it is always important to evaluate them first in a test environment to see how they will work in the real world. Some technical examples of what needs to be tested include the following:
> The connectivity of the wireless devices that will be issued to each employee;
> Checking the safety of the functionalities of the mobile apps that will be installed and used on the wireless devices;
> Checking the performance of each wireless device (obviously, a wireless device that does not live up to the performance metrics that have been set forth could prove to be a security vulnerability at a subsequent point in time);
> Making sure that the wireless devices that you will be acquiring and issuing to your employees are very difficult to jailbreak or root;
> Making sure that the wireless device does not accidentally revert to the vendor settings, but rather to the default settings that you have set forth in your mobile device security policy.
2) Secure each and every mobile device before it is issued to your employees:
Once you, the IT staff, and the CIO are satisfied with the test results from the procedures conducted in the test environment, the next step is to make sure that the wireless devices you will be distributing to your employees have all of the security functionalities installed on them. Obviously, this will vary from business to business, and with the specific manner in which the employees will be using them. But in general:
> Make sure that the initial password you establish is hard to guess, but easy enough for your employee to remember. This can be a lot trickier to do than it sounds, thus you may want to consider using a mobile based Password Manager in this regard.
> Make sure that Two Factor Authentication (also known as “2FA”) is installed. The first layer of security will obviously be the password, but the second layer could be a challenge/response question.
> Check the website of each wireless vendor from whom your organization will be procuring the wireless devices for the latest firmware and software upgrades/patches. Make sure they are installed and configured, once again, on each and every wireless device before they are issued to your employees.
3) Always enforce your mobile device security policies:
Once you have initially deployed all of the wireless devices to your employees, the next step is to make sure that the policies you have set forth are constantly being enforced and that your employees are abiding by them. One of the best ways to do this is to conduct a manual audit of these devices at random time periods, to make sure that there is no misuse by the employees. Remember that in this regard, you have every right legally to conduct such audits because these are wireless devices that are owned and facilitated by the organization that you work for.
Another key issue at stake here is Bring Your Own Device, or “BYOD” for short. There can be no gray area whatsoever in this regard. If you want your employees to strictly use company issued wireless devices, then you must state so, and forbid your employees from using their own smartphones to conduct work related activities. On the other hand, if you are OK with employees using their personal smartphones, then you must set forth and establish very clear guidelines on the manner in which they can be used for conducting everyday job functions. Remember, BYOD brings along with it key security vulnerabilities, and you may not be easily able to conduct random security audits on these devices because they are personally owned by your employees.
Other activities that should be carried out here include the following:
> Conducting various Pen Testing exercises in order to unearth any unknown anomalies and security vulnerabilities;
> Keeping an accurate inventory list of all of the wireless devices that have been issued and returned (and in the case of the latter, deleting all permissions after an employee is no longer with the organization);
> Checking for firmware and software upgrades/patches at least once a week;
> Making sure that there are no rogue or unauthorized mobile apps installed on company issued wireless devices.
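As an added example (not part of the original post), the inventory, weekly patch-check and rogue-app items above can be checked automatically against an inventory export. The record fields, the app allowlist and the sample devices are constructed assumptions, not any MDM product's format.

```python
from datetime import date, timedelta

# Assumed policy values (hypothetical; substitute your own policy).
APPROVED_APPS = {"mail", "vpn", "authenticator"}
MAX_PATCH_CHECK_AGE = timedelta(days=7)  # "at least once a week"

# Constructed sample inventory; field names are assumptions, not an MDM schema.
INVENTORY = [
    {"id": "PH-001", "status": "issued", "permissions_active": True,
     "last_patch_check": date(2024, 5, 30), "apps": ["mail", "vpn"]},
    {"id": "PH-002", "status": "issued", "permissions_active": True,
     "last_patch_check": date(2024, 5, 20), "apps": ["mail", "flashlight-pro"]},
    {"id": "PH-003", "status": "returned", "permissions_active": True,
     "last_patch_check": date(2024, 4, 1), "apps": []},
    {"id": "PH-004", "status": "issued", "permissions_active": True,
     "last_patch_check": None, "apps": ["authenticator"]},
]

def audit_device(dev, today):
    """Return a list of policy findings for one inventory record."""
    if dev["status"] == "returned":
        # Returned devices only need their access revoked.
        if dev["permissions_active"]:
            return ["returned device still has active permissions"]
        return []
    findings = []
    last = dev["last_patch_check"]
    if last is None:
        findings.append("patch level never checked")
    elif today - last > MAX_PATCH_CHECK_AGE:
        findings.append(f"last patch check {(today - last).days} days ago")
    rogue = sorted(set(dev["apps"]) - APPROVED_APPS)
    if rogue:
        findings.append("unapproved apps: " + ", ".join(rogue))
    return findings

def audit_inventory(inventory, today):
    """Map device id -> findings, listing only devices that need attention."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev, today)
        if findings:
            report[dev["id"]] = findings
    return report

if __name__ == "__main__":
    for dev_id, findings in audit_inventory(INVENTORY, date(2024, 6, 3)).items():
        print(dev_id, "->", "; ".join(findings))
```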
In our next blog, we wrap up our series on how to secure your mobile device environment by examining other factors that you need to consider as well.