With remote work now a normal practice, due in part to the pandemic, attackers have more opportunities to reach a business's systems remotely through the devices employees use outside the office. Now is the time to learn how to plan and implement an effective MDM security policy. Below you will find a definition of MDM security policies, why you should implement one for your business, and how to go about implementing one effectively.
Defining Mobile Device Management
Mobile Device Management (MDM) is the set of controls, and the software that enforces them, that a company puts in place so employees can use mobile devices and applications for work without exposing company data. The devices and applications are often the employees' personal property, which limits what controls the company can reasonably impose on them. Devices covered by MDM policies include laptops and desktops, smartphones, tablets, and any other device that connects to the Internet or to company networks.
Companies need a strong MDM policy so that employee devices do not become the path by which valuable and sensitive data reaches malicious actors. Understanding why these policies are essential will help you prepare for, develop, and execute an effective MDM security policy.
Context—Why Are MDM Policies So Critical?
Many organizations now rely at least in part on employees’ use of their personally-owned devices for work tasks. In these cases, setting up a secure “bring your own device” (BYOD) management policy has never been more critical. An effective BYOD device management policy will allow companies and their employees the flexibility to operate in nearly any environment.
Employees using devices the company did not supply open the door to IT security threats, because the organization lacks the oversight and control it has over devices it provisions and configures itself.
Every device that accesses a company's systems is an endpoint with its own identity, configuration, and security weaknesses. The more devices that connect, the harder it becomes to inventory them, to attribute a given access to a specific device and user, and to know whether that device is patched and protected. An MDM gives you that inventory and control, so that an unmanaged or compromised device cannot quietly become an attacker's way in.
Four Considerations For Effective MDM Policies
One of the challenges presented by BYOD and other contemporary MDM environments is variance. Because organizations have less oversight over (and insight into) what devices are being used for work, there’s less ability to account for their unique security weaknesses.
So, on the one hand, many MDM best practices revolve around uniformity.
On the other hand, some address variance directly, by making irregular and unsafe uses harder (restricting which devices may reach sensitive data) or by forcing access through controlled paths such as managed devices and a VPN.
1. Limit High-Level Personal Use
Companies risk exposing vitally important data through the mishandling of employee-owned, personal devices. While your MDM solution should provide protections and containment plans, there are simple steps you can take to prevent attacks in the first place.
Limiting high-level personal use means separating devices for work and personal use, especially for people who hold access to vitally important data (C-suite executives and anyone with access to employee or customer data). Measures taken to this effect include:
- Providing high-level staff with dedicated, company-managed devices for accessing that data
- Limiting access to sensitive information to specific enrolled devices, whether company-provided or BYOD
- Requiring that access happen over a secure network path (corporate network or VPN), regardless of the device used (see #3 below)
By separating personal and work devices for high-level employees, a company’s IT department will have more control over what the user can access—and can monitor the access effectively.
2. Require Strong Passwords and MFA
When implementing an MDM policy, require a strong password or passphrase for all user accounts. The policy should enforce a minimum length and a minimum strength (complexity or randomness): at least 12 characters, drawing on uppercase and lowercase letters, digits, and symbols, or a longer randomly generated passphrase. Previously used passwords should not be accepted again, and any password that appears on a list of common or breached passwords should be rejected. Many organizations also force a change every few months; note that current NIST guidance (SP 800-63B) recommends rotating passwords when compromise is suspected rather than on a fixed schedule, since forced rotation tends to produce weaker, predictable variants.
Passwords are a good starting place, but a strong password alone is not sufficient: it can be phished, reused on a site that is later breached, or captured by malware on the device.
Organizations should also implement multi-factor authentication (MFA), which requires users to present an additional factor (beyond the password) to authenticate. Factor types include:
- Something you know – A password or PIN. (Security questions are a weak form of this factor, since the answers are often discoverable.)
- Something you have – A hardware security key, an authenticator app, or a one-time code delivered to a registered device.
- Something you are – A biometric (e.g., a fingerprint or face scan).
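The checks described above, as an added example rather than RSI Security's own code: a password policy validator that enforces minimum length, character classes, a common-password block list, and no reuse against a history kept only as salted hashes. The thresholds, the block list entries, and the PBKDF2 parameters are assumptions for illustration, not values from the article.

```python
"""Password policy check for an MDM/BYOD policy (added example, not RSI Security's code).

Assumed policy (not from the article): 12+ characters, at least three of four
character classes, not on a common-password block list, and not equal to any
of the user's last HISTORY_DEPTH passwords. Past passwords are stored only as
(salt, PBKDF2-HMAC-SHA256 hash) pairs so the history itself is not a secret store.
"""
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 12
HISTORY_DEPTH = 5
PBKDF2_ITERATIONS = 200_000
# Constructed block list for the example; a real deployment would load a
# breached-password corpus and check against it.
COMMON_PASSWORDS = {"password", "password123", "welcome1", "letmein", "qwerty123456"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any stored entry (constant-time digest compare)."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def check_password(password: str, history: Optional[List[Tuple[bytes, bytes]]] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    history = history or []
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password block list")
    # Only the most recent HISTORY_DEPTH entries count toward the reuse rule.
    if matches_history(password, history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    old = "Tr0ub4dor&Correct"
    stored = [hash_password(old)]
    print(check_password("password123"))        # three violations
    print(check_password(old, stored))          # reuse violation
    print(check_password("Tr0ub4dor&Horse!", stored))  # accepted: []
```

The history comparison deliberately re-derives the hash with each stored salt rather than comparing plaintexts, so an attacker who reads the history table gets nothing more than a list of slow hashes to crack.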
MFA helps ensure that, even if a password is stolen or guessed, an account may still be safe.
3. Avoid Public Access Points and Insecure Networks
Public access points and public Wi-Fi are not safe. While it may be convenient for employees that a cafe or other establishment offers Wi-Fi, anyone else on that network, including an attacker, shares it and can attempt to intercept unencrypted traffic, impersonate the access point, or probe the connected device. If an employee accesses your systems from such a network, private data can be exposed and the session can become a foothold for attack.
One way to protect against attacks from public access points is to have employees work over a virtual private network (VPN). Require that they be connected to the VPN, regardless of device or location, before they can reach sensitive data. Note that a VPN protects the network path, not the device: a device that is already compromised can still expose data once it is on the VPN, which is why the device-level controls in #1, #2 and #4 still apply.
In doing so, you give employees a consistent, encrypted path into your systems from anywhere.
4. Use Antivirus and Anti-Malware Software
It is imperative that your company use antivirus and anti-malware software as part of your MDM security policy. Antivirus and anti-malware protect individual devices, and by extension the systems they connect to, from malware, credential-stealing trojans, ransomware, and similar threats. Any device that accesses sensitive data should run anti-malware, and the MDM should be able to verify that the agent is installed and its definitions are current before granting access.
Anti-malware does not decide who may log in; that is the job of passwords and MFA. What it does is detect, report, and remove malicious code and suspicious activity on the device itself, whether the device is inside or outside the corporate network. Paired with proper credential management, it closes a gap MFA alone leaves open: a compromised device can misuse a session that was legitimately authenticated.
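Taken together, the four considerations above amount to a device-posture access rule: before a session reaches data of a given sensitivity, check the device class, MFA, the network path, and endpoint protection. The following is an added example, not RSI Security's code or any MDM product's API; the field names, data classes, and sample inventory are constructed assumptions chosen to mirror the four numbered sections.

```python
"""Device-posture access decision (added example, not RSI Security's code).

Assumed data classes: "public", "internal", "confidential", "restricted".
Assumed rules, one per section of the article:
  #1 restricted data only from a managed (MDM-enrolled) device
  #2 MFA for anything other than public data
  #3 confidential/restricted data only over the corporate network or VPN
  #4 anti-malware present and current, and OS patched, for anything non-public
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SENSITIVE = ("confidential", "restricted")
TRUSTED_NETWORKS = ("corporate", "vpn")


@dataclass
class Device:
    device_id: str
    managed: bool         # enrolled in MDM (company-provided or enrolled BYOD)
    antimalware_ok: bool  # agent installed and definitions current
    os_patched: bool


@dataclass
class Session:
    device: Device
    mfa_verified: bool
    network: str          # "corporate", "vpn", "home", "public"


def evaluate_access(session: Session, data_class: str) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Reasons is empty when access is allowed."""
    reasons: List[str] = []
    dev = session.device
    if data_class != "public":
        if not session.mfa_verified:
            reasons.append("MFA not completed")                       # rule #2
        if not dev.antimalware_ok:
            reasons.append("anti-malware missing or out of date")     # rule #4
        if not dev.os_patched:
            reasons.append("OS not patched")                          # rule #4
    if data_class in SENSITIVE and session.network not in TRUSTED_NETWORKS:
        reasons.append(f"network '{session.network}' is not corporate or VPN")  # rule #3
    if data_class == "restricted" and not dev.managed:
        reasons.append("restricted data requires a managed device")   # rule #1
    return (not reasons, reasons)


def sample_decisions() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed sessions (not real inventory data) run through the rule set."""
    exec_laptop = Device("LT-0001", managed=True, antimalware_ok=True, os_patched=True)
    byod_phone = Device("PH-0042", managed=False, antimalware_ok=True, os_patched=True)
    stale_byod = Device("PH-0077", managed=False, antimalware_ok=False, os_patched=False)
    cases = {
        "exec on VPN, restricted": (Session(exec_laptop, True, "vpn"), "restricted"),
        "byod on cafe wifi, restricted": (Session(byod_phone, True, "public"), "restricted"),
        "byod on VPN, internal": (Session(byod_phone, True, "vpn"), "internal"),
        "stale byod, no MFA, public data": (Session(stale_byod, False, "public"), "public"),
        "stale byod, no MFA, confidential": (Session(stale_byod, False, "home"), "confidential"),
    }
    return {name: evaluate_access(sess, cls) for name, (sess, cls) in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in sample_decisions().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

Returning every failed check, rather than stopping at the first, is a deliberate choice: the help desk and the user see the full list of what must be fixed on the device, and the audit log records why a given access was refused.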
A Note on MDM Policies and Regulatory Compliance
One final consideration about MDM is how it relates to regulatory compliance, or keeping up with specific cybersecurity requirements based on your industry, location, or other factors.
Put simply, the pace at which BYOD and general MDM risks have evolved over the past few years means that not all regulatory bodies have caught up. Even if your organization must align with one or more National Institute of Standards and Technology (NIST) frameworks, what NIST publishes for mobile devices is guidance (for example, SP 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise) rather than a ready-made NIST mobile device management policy you can adopt as-is.
Another challenge is that many organizations are subject to multiple regulatory frameworks simultaneously, with overlapping control and assessment requirements. For example, consider:
- Industry-specific regulations – HIPAA applies to healthcare covered entities and to the business associates that handle their protected health information; likewise, CMMC applies to Department of Defense contractors that handle federal contract information or controlled unclassified information.
- Location-based regulations – Where you do business, or where your customers live, might require special protections (like the CCPA for California or the GDPR for the European Union).
- Operations-based regulations – If you process credit card information, you'll need to comply with PCI DSS; business partners might want to see a HITRUST certification or a SOC 2 report.
All of these compliance situations (and more) might require robust MDM implementation.
This is why the best way to ensure your MDM policy remains compliant, across any and all applicable regulations, is working with a compliance services provider—like RSI Security.
Protect Your Business with an MDM Security Policy
When a company establishes a strong mobile device management policy, it substantially reduces the risk to its data and computer systems. Regardless of which steps you choose to take when you implement your MDM, it is important for your organization to remain compliant with any applicable rules and to properly manage every device that has access to sensitive information.
If you are looking for a company with the experience and experts to help set up your MDM security policy, consider reaching out to RSI Security. We have been in the business for over a decade and work with you to establish a plan that best fits your organization’s individual needs.
To learn more, contact RSI Security today!