Top tips for improving mobile security

The obvious downside to corporate use of mobile devices is that it makes the whole process of network management and security significantly trickier.

Throwing mobile phones, smartphones, PDAs, laptops and even iPods at corporate networks has changed the game irrevocably from the good old days of desktops PCs connected over a LAN. 

Pity then the hapless IT manager who has to safeguard a network teaming with potential vulnerabilities while also having to deal with the loss or theft of devices and the information they contain.

With such a situation in mind, ZDNet.co.uk has come up with some top tips to give IT managers a fighting chance when it comes to mobile security.

1. Take time to identify and assess the risks
While you may be getting sick of hearing the endless mantra around the need for risk assessment and management, there really is no substitute for it. The idea is that, if you don't know what your risks, threats and vulnerabilities are, how can you possibly guard against them and target resources where they are needed most?

But you don't have to get bogged down in a huge, formal, multi-month project, requiring streams of consultants and thousands of pounds. Such initiatives can instead comprise an informal, high-level discussion with the business as to what the key priorities and concerns are, followed by a gap analysis to understand whether existing processes, policies and technologies are up to the job. It is important to formally capture and document the results, however, to prevent anything from falling through the cracks.

2. Regularly update security policies as new technologies are introduced, and ensure that they're enforced properly
If you haven't already come up with a set of comprehensive and documented security policies, then it's really about time you did, because these act as the foundation for everything else. At a basic level, they illustrate to users what you've decided are right and wrong behaviours and how you think they should and shouldn't be doing things. Policies should also make it clear who in the organisation will get a mobile device, how they can be used, what network access will be available to whom and how the policies will be enforced.

It's no use just keeping these policies in a drawer and expecting everyone to know and understand them by telepathy; they have to be publicised and people have to be made aware of what they mean in a day-to-day sense, so they shouldn't be filled with technical jargon and they have to be explained.

However, it's also no good spending time and effort coming up with such documents if you don't put the mechanisms in place to police compliance and act if someone, even if it's the boss or one of your colleagues in the IT department, is in breach.

3. Ensure that staff are adequately educated and trained so that they know how to minimise security threats themselves
Although it may seem to be the case sometimes, the majority of personnel don't maliciously go around trying to put the company and its sensitive corporate data in jeopardy. It's more likely that they'll do something stupid, inappropriate or careless and you'll have to pick up the pieces.

Staff consistently prove to be the weakest link in the security chain and the only solution is to educate and train them adequately and appropriately — ideally when they're first recruited into the company so that they're aware from the outset of what key security issues exist and what is accepted best practice. The idea is to guide them towards making the right decisions, which can go a long way towards solving the problem.

4. Focus on securing data not devices
According to a survey undertaken by Rhetorik Market Intelligence, of 371 UK-based organisations of all sizes questioned, nearly two-thirds saw data loss as a very important threat, while only 42 percent considered the physical security of the devices themselves to be a very high priority.

Those figures make sense when you consider that it's information that makes the world go round. Losing devices can be expensive, but the organisation is unlikely to grind to a halt because of it, whereas it might if sensitive data gets out into the public domain.

A worthwhile security control in this context might be encryption software to secure information on the devices themselves and make it more difficult for unauthorised users to view that information in the event that things go walkabout.

Another option is to ensure that users employ SSL-based virtual private networks (VPNs) if trying to access any system on the corporate network. And, if you're feeling flush...

...it could also be worth considering two-factor authentication, which includes digital certificates and biometrics, remote monitoring and data-wiping offerings.

5. Don't be shy about using the built-in security features of mobile devices themselves
One idea is to encourage users to lock up their devices when they're not using them. If you can, get them to create a password to lock up the SIM card on their mobile phones, for example, or to turn off services such as Bluetooth and Wi-Fi if they don't need them just at that moment. Also ensure that software, such as antivirus programs, is kept up-to-date and, if such software doesn't come as part of the package, then add it yourself.

6. To do this successfully, however, will entail standardising on one or more company-owned devices, rather than allowing an explosion of uncontrolled consumer gadgets to occur
More than a third of respondents in Rhetorik's survey said that they had banned the use of consumer devices, but a huge 51 percent said they routinely employ a mix of personal and company-owned gadgets, while about eight percent use only their own handhelds.

While the use of consumer devices may appear to be a cheap way of doing things on the surface, it does generate problems — and hidden costs aplenty.

Firstly, it makes it more likely that IT managers will be unaware of exactly what technology is in use in their organisations, making it more difficult to take appropriate action.

Secondly, failing to standardise means that you can end up with a wide range of devices knocking about that are difficult and time-consuming to configure, secure, support and manage because they don't belong to the company but to individuals, which makes them more difficult to control centrally.

Thirdly, because gadgets are getting smaller and more sophisticated, it's increasingly difficult to know who is carrying what around in their pockets. The problem here is that, because these devices are essentially fancy storage devices, disgruntled individuals can use them to steal information. They can also act as a reservoir for viruses and worms and, therefore, pose the risk that they may infect the corporate network if they're left to run unchecked.

Finally, consumer devices, unlike their enterprise cousins, rarely have much security functionality built in, beyond notoriously insecure password protection which most users decline to activate anyway, because this would add to their price tag. This means that, if they are lost or stolen, sensitive corporate data, including emails, may all too easily become prey to prying eyes.

7. Always be careful to balance security issues against usability considerations
This one's tricky. While, by instinct, IT managers would prefer to lock down everything that moves to save it from harm, in practice, the reason that users are so keen on mobile technology in the first place is that it's convenient, flexible and helps them to do their jobs better — important considerations that shouldn't be overlooked, not least because, if you don't get it right, they're likely to simply ignore you or introduce workarounds.

So your best bet is to talk to people, find out what their requirements are and weigh them up against the risks. The aim is to find a balance so that everyone gets the best of both worlds: you're happy that you've done what you can and they're happy because they don't need a 10-page manual just to try and start up their handheld.

8. And last, but by no means least, don't forget the dangers of wireless networks
The problem with wireless networks, whether they're inside or outside the enterprise, is that they're inherently insecure. While the situation is somewhat better than it used to be, even in-house you have to be meticulous about adding extra security protection or even limiting usage to segregated visitor areas.

Outside in the big wide world, however, where mobile workers may well be using hideously insecure hotspots in cafes or airports, much danger awaits. And, in this scenario, it is simply imperative that devices are protected by everything that can be mustered, from firewalls and antivirus software to intrusion-detection systems. SSL VPNs are just as imperative in their own way for securing remote communications, and network access should strictly be prohibited without one.

Are there are any other tips you can think of in terms of how to go about securing mobile devices effectively? If so, post a comment at the bottom of the page and let us know.