Top tips for improving mobile security

Summary: While mobile devices may be a dream tool for staff, they can be a security nightmare for IT management

The obvious downside to corporate use of mobile devices is that it makes the whole process of network management and security significantly trickier.

Throwing mobile phones, smartphones, PDAs, laptops and even iPods at corporate networks has changed the game irrevocably from the good old days of desktop PCs connected over a LAN.

Pity then the hapless IT manager who has to safeguard a network teeming with potential vulnerabilities while also having to deal with the loss or theft of devices and the information they contain.

With such a situation in mind, ZDNet.co.uk has come up with some top tips to give IT managers a fighting chance when it comes to mobile security.

1. Take time to identify and assess the risks
While you may be getting sick of hearing the endless mantra around the need for risk assessment and management, there really is no substitute for it. The idea is that, if you don't know what your risks, threats and vulnerabilities are, how can you possibly guard against them and target resources where they are needed most?

But you don't have to get bogged down in a huge, formal, multi-month project, requiring streams of consultants and thousands of pounds. Such initiatives can instead comprise an informal, high-level discussion with the business as to what the key priorities and concerns are, followed by a gap analysis to understand whether existing processes, policies and technologies are up to the job. It is important to formally capture and document the results, however, to prevent anything from falling through the cracks.

2. Regularly update security policies as new technologies are introduced, and ensure that they're enforced properly
If you haven't already come up with a set of comprehensive and documented security policies, then it's really about time you did, because these act as the foundation for everything else. At a basic level, they illustrate to users what you've decided are right and wrong behaviours and how you think they should and shouldn't be doing things. Policies should also make it clear who in the organisation will get a mobile device, how they can be used, what network access will be available to whom and how the policies will be enforced.

It's no use just keeping these policies in a drawer and expecting everyone to know and understand them by telepathy; they have to be publicised and people have to be made aware of what they mean in a day-to-day sense, so they shouldn't be filled with technical jargon and they have to be explained.

However, it's also no good spending time and effort coming up with such documents if you don't put the mechanisms in place to police compliance and act if someone, even if it's the boss or one of your colleagues in the IT department, is in breach.

3. Ensure that staff are adequately educated and trained so that they know how to minimise security threats themselves
Although it may seem to be the case sometimes, the majority of personnel don't maliciously go around trying to put the company and its sensitive corporate data in jeopardy. It's more likely that they'll do something stupid, inappropriate or careless and you'll have to pick up the pieces.

Staff consistently prove to be the weakest link in the security chain and the only solution is to educate and train them adequately and appropriately — ideally when they're first recruited into the company so that they're aware from the outset of what key security issues exist and what is accepted best practice. The idea is to guide them towards making the right decisions, which can go a long way towards solving the problem.

4. Focus on securing data not devices
According to a survey undertaken by Rhetorik Market Intelligence, of 371 UK-based organisations of all sizes questioned, nearly two-thirds saw data loss as a very important threat, while only 42 percent considered the physical security of the devices themselves to be a very high priority.

Those figures make sense when you consider that it's information that makes the world go round. Losing devices can be expensive, but the organisation is unlikely to grind to a halt because of it, whereas it might if sensitive data gets out into the public domain.

A worthwhile security control in this context is encryption of the data held on the devices themselves (full-disk or file-level), so that anyone who picks up a lost or stolen device gets ciphertext rather than readable information, and unauthorised viewing is made much harder in the event that things go walkabout.

Another option is to ensure that users employ SSL-based virtual private networks (VPNs) if trying to access any system on the corporate network. And, if you're feeling flush...

Talkback

3 comments
  • Mobile VPN

    Great article Cath, thank you; just a wee bit puzzled on your limiting considerations for a VPN for mobile to SSL VPNs in your point 4 "4. Focus on securing data not devices".

    There are an increasing number of UK and European businesses that are finding end user productivity benefits coupled with significant application performance benefits by hiding gaps in cellular and Wi-Fi coverage from both applications and end users. Together with the ability for applications to run in poor coverage areas where they would not run previously, having a VPN that is specifically designed to cope with the demands of wireless would seem to make sense.

    One such example can be found at http://www.netmotionwireless.eu/ :)
    Kind regards
    Stef
    NetMotion_Wireless
  • VPNs for mobile devices

    I suspect you're right Stef, in that it's by no means necessary to stick to SSL VPNs - we'll check back with Cath on whether she meant to imply that SSL VPNs are the ideal solution. Of course I'm somewhat familiar with the NetmotionWireless story, having heard you speak on my panel at the IBA Forum, and I think most people would agree that application session persistence is one of the most important factors. I'm not sure that SSL is exactly the best for that.
    Lonester
  • Enterprise mobility = laptops, PDAs and Smartphones

    Thank you for your comments Matt - much appreciated.

    I forgot to mention for enterprise readers interested in a single infrastructure to serve Windows laptops, PDAs and Smartphones, NetMotion Mobility XE has just been certified by Microsoft for WM6 http://www.netmotionwireless.com/company/press/10_24_2007.aspx
    Kind regards
    Stef
    NetMotion_Wireless