Mobile devices are some of the fastest-growing pieces of tech in the market. They’re also one of the biggest targets and risk factors when it comes to cybersecurity.
Any business that uses mobile devices for work, which is practically all of them, needs to be concerned with mobile device management (MDM). Without a solid MDM security policy, your company is exposed to one of the fastest-growing spheres of cybercrime.
Curious what the most important elements of an MDM policy are? Let’s discuss.
What is MDM?
Any computer or information system that holds sensitive data is a target for cybercrime.
Devices that hold no valuable data themselves but connect to internal networks and systems that do are almost as risky. Mobile devices take all of that risk and carry it outside your organization's physical location. In doing so they also leave the protection of your office's cyberdefenses, including firewalls and private Wi-Fi.
An MDM policy is a comprehensive plan aimed at reducing and managing these risks.
Without proper security infrastructure in place, even personal devices that are never used for work can pose a danger to your systems. For instance, if a client's compromised personal device joins your internal Wi-Fi, the attacker who controls that device now has a foothold inside your network perimeter, from which your systems and assets can be attacked directly.
Every single mobile device that comes in contact with your business is a potential cybersecurity threat, particularly when you consider that:
- Employees, clients, and other individuals may have multiple devices
- Unique device models and carriers feature different security settings
- Open networks inside or outside the organization pose dangers
- Applications and software, as well as their use, could open vulnerabilities
In light of these and other dangers, you need to protect your company from theft, fraud, and extortion. The different MDM schemes described below establish rules for all devices that come in contact with your organization.
Types of MDM Policies
One of the most important elements of an MDM policy is who carries the responsibility for purchasing, owning, and maintaining devices and their connectivity.
Some of the most common general schemes for MDM policies are:
- BYOD – Bring your own device
- CYOD – Choose your own device
- COBO – Corporate owned, business only
- COPE – Corporate owned, personally enabled
Of these schemes the two most common are the first and last, BYOD and COPE. CYOD is really a hedge between the two, and COBO creates inefficiencies for both users and management.
Let’s go over the two main schemes, starting with BYOD:
Bring Your Own Device
In a BYOD policy the user purchases and maintains his or her own mobile device. Work may be performed on the device, and may be required, but corporate control is limited to connectivity and to work-related tasks and apps.
This kind of policy is controversial because of the inherent threats posed by personal devices.
For the organization a BYOD approach is sometimes considered a bare minimum step up from not having an MDM policy at all. Allowing employees to personally own and manage their devices with little corporate oversight can open up significant risks.
Even a careful user who diligently follows all best practices while at work can fall victim to cybercrime when they’re outside of the office. Open wifi networks and a lack of corporate-vetted firewalls are significant security concerns. If work data is unsecured on a personal device, a breach at home or elsewhere could spell disaster for the entire organization.
While BYOD saves a company money up front, it can lead to far more significant costs later. That's why, for a BYOD policy to work effectively, it must control as much of the work-related footprint on the device as possible. Major factors include:
- A separate, managed work profile on the personal device, so work data is kept apart from personal data and can be wiped selectively if the device is lost or the employee leaves
- Strong passwords and multi-factor authentication for networks and servers
- Tight restrictions on how work apps may be used outside the workplace
On the user side, there are concerns about privacy and ownership. If an organization requires employees to use personal devices for work, there need to be protections in place for the user, including:
- Replacement or repair for damages related to work activities
- Compensation for bills and expenses incurred for work tasks
- Privacy and security of non-work-related data on the device
For a BYOD policy to benefit both the organization and the user, it's imperative to establish clear guidelines and follow them to the letter. While BYOD may look like the closest thing to a non-policy or laissez-faire approach, it is the scheme most likely to fail if treated cavalierly.
Corporate-owned solutions are more controlled by definition.
Corporate Owned, Personally Enabled (COPE)
On the opposite end of the spectrum from BYOD, a COPE policy gives the organization far more control. That's because, as the name implies, the organization purchases the device and pays for all ongoing expenses, such as data.
Corporate purchasing accounts for the “CO” in the acronym, but the PE is more complex.
When a device is “personally enabled,” it means that its user can treat it as his or her personal device. Importantly, the user doesn’t assume full ownership or dominion over the device; he or she is just allowed to use it freely within the confines of their work contract.
For this to work safely the organization must consider a combination of security measures:
- A separate user account dedicated to work-related tasks
- Strict regulations prohibiting work to be done on any other accounts
- Tight restrictions on downloads and activities on the work account
- Partitions to insulate work-related data when personal account is in use
This kind of policy is a win-win for both parties:
- The organization gets to assume a standard of control over the device
- The user gets a “free” device, alleviating a major personal expense
While this scheme can be costly up front, its benefits justify the expense. Companies can exercise deeper and broader security measures on devices they own, and users must follow the guidelines set out by the organization or forfeit their use privileges.
Beyond basic BYOD and COPE policies there are a number of other models as well.
Other Schemes, Hybrids, and Loopholes
As noted above, BYOD and COPE are just the two most common types of MDM policy. The two we glossed over are minor variations on them:
- CYOD – Users are given a choice between a select set of eligible devices that fit the security criteria and measures of an organization’s MDM. Whether the user or organization purchases the device varies.
- If the organization purchases the devices, this is a user-customized COPE plan
- If the user purchases the device, this is more like a limited BYOD plan
- COBO – This is the most restrictive plan possible; the organization provides a phone for the user to use only for work purposes. Extremely tight restrictions apply to what can be done on the phone. While this maximizes security, it can be a hassle for users because:
- They may need to carry two devices on them at all times
- Their own personal devices may use different peripherals
When it comes down to it, the efficacy of any MDM policy depends on user responsibility and accountability. The acronym isn't the important part; what matters most is ensuring security across all devices, regardless of who owns and operates them.
For that there are best practices.
Best Practices for an Effective MDM Policy
To establish a robust MDM policy that works, whatever the scheme, there are some key practices you need to commit to. The most important of these include:
- Detailed recordkeeping
- Standard cyberdefense procedures
- In-depth analysis
Let’s go over each in more detail:
Knowledge is Power
One of the most important and foundational elements of any security plan is recordkeeping.
For effective MDM you need to keep detailed, up-to-date records of all available data relating to the devices and users governed by your policy. That potentially includes everything about corporate-owned or operated devices or accounts.
To position your organization to best defend itself you must compile accurate data concerning:
- Relevant devices, accounts, and networks, their users, and which credentials exist for them (an inventory of accounts and authentication methods, never the secrets themselves)
- Apps related to or used on work devices and accounts
- Any attacks and vulnerabilities that have been observed or reported
Even user-owned devices can be subject to monitoring if they're used for work purposes. Collecting, processing, and storing data from user-owned devices raises privacy concerns, so the scope of that collection needs to be negotiated and agreed upon in advance. Concerns like these are a main factor in many organizations' choice of COPE policies.
But recordkeeping is only the first step. You also need to establish key cyberdefense measures.
Vigilance and Diligence are Key
Beyond recordkeeping it’s imperative to install basic cyberdefense methods on all devices. Some of the most essential practices include:
- Authorize all use – A key tenet of cybersecurity, you need to make sure that the only individuals with access to sensitive data and other assets are users authorized to do so. To that end, ensure that:
- All devices, accounts, and networks require strong, unique credentials
- Credentials are kept private, never reused across services, and rotated whenever compromise is suspected
- Multi-factor authentication (MFA) is required wherever it is supported
- Install anti-malware software – In addition to safeguarding access with credentials, it's imperative to protect users from attacks that could compromise their passwords, PINs, or any other data. Install software that identifies, reports, and removes:
- Spyware and ransomware
- Trojans and all other malware
- Update software and hardware – All hardware and software updates should be installed promptly, once any required compatibility testing is done. This is a crucial protection: many updates exist specifically to patch disclosed vulnerabilities, and attackers target the window between disclosure and installation.
- Train all personnel thoroughly – Finally, proper training ensures that hardware and software are used properly. Regular mandatory training should equip all staff who use devices governed by the policy to:
- Understand proper use of their device
- Identify, report, and avoid risks
A well-trained staff that practices appropriate caution will fall victim to fewer attacks and petty cybercrime schemes. Thus, dedicated cyberdefense resources can be concentrated on more serious and insidious threats, such as large-scale targeted attacks.
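The recordkeeping and cyberdefense practices above come together when the device inventory is checked against the policy. The following is an added example, not code from the original article or from RSI Security: it evaluates a constructed inventory (the device records, the minimum OS versions and the blocked-app list are all assumptions made for illustration) against the baseline described in this section, so that unenrolled, rooted, outdated or unprotected devices surface as findings instead of hiding in a spreadsheet.

```python
"""Evaluate a mobile-device inventory against a baseline MDM policy.

Added example (not code from the original article or from RSI Security).
The inventory records and the policy thresholds below are constructed for
illustration; a real deployment would pull them from the MDM server's API
and from the organisation's written policy.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Device:
    device_id: str
    owner: str
    scheme: str            # "BYOD", "CYOD", "COBO" or "COPE"
    platform: str          # "ios" or "android"
    os_version: tuple      # e.g. (17, 4)
    enrolled: bool         # enrolled in the MDM
    work_profile: bool     # managed work profile / partition present
    screen_lock: bool
    encrypted: bool
    rooted: bool           # jailbroken / rooted
    last_checkin: date     # last time the device reported to the MDM
    apps: list = field(default_factory=list)


# Minimum supported OS version per platform (assumption for the example).
MIN_OS = {"ios": (17, 0), "android": (13, 0)}
# Apps the policy forbids on any device that holds work data (constructed names).
BLOCKED_APPS = {"com.example.sideloaded-vpn", "com.example.cleartext-sync"}
# A device that has not checked in for this long is treated as out of control.
MAX_CHECKIN_DAYS = 14


def evaluate(device: Device, today: date) -> list:
    """Return the list of policy violations for one device (empty = compliant)."""
    findings = []
    if not device.enrolled:
        findings.append("not enrolled in MDM")
    if device.rooted:
        findings.append("device is rooted/jailbroken")
    if not device.screen_lock:
        findings.append("no screen lock")
    if not device.encrypted:
        findings.append("storage not encrypted")
    if device.os_version < MIN_OS[device.platform]:
        findings.append(f"OS below minimum {MIN_OS[device.platform]}")
    # BYOD/CYOD devices must keep work data inside a separate managed profile.
    if device.scheme in ("BYOD", "CYOD") and not device.work_profile:
        findings.append("personal device without managed work profile")
    if (today - device.last_checkin).days > MAX_CHECKIN_DAYS:
        findings.append("stale check-in")
    for app in device.apps:
        if app in BLOCKED_APPS:
            findings.append(f"blocked app installed: {app}")
    return findings


def compliance_report(devices, today: date) -> dict:
    """Map device_id -> findings for every non-compliant device."""
    report = {}
    for dev in devices:
        findings = evaluate(dev, today)
        if findings:
            report[dev.device_id] = findings
    return report


# Constructed sample inventory: one compliant COPE device and two BYOD devices
# with problems of increasing severity.
SAMPLE_DEVICES = [
    Device("D-100", "alice", "COPE", "ios", (17, 4), True, True, True, True, False, date(2024, 5, 1)),
    Device("D-101", "bob", "BYOD", "android", (12, 0), True, False, True, True, False, date(2024, 5, 2),
           apps=["com.example.cleartext-sync"]),
    Device("D-102", "carol", "BYOD", "ios", (17, 3), False, False, False, True, True, date(2024, 3, 1)),
]
DEFAULT_TODAY = date(2024, 5, 3)


def sample_report() -> dict:
    """Run the compliance report over the constructed inventory."""
    return compliance_report(SAMPLE_DEVICES, DEFAULT_TODAY)


if __name__ == "__main__":
    for dev_id, findings in sample_report().items():
        print(dev_id, "->", "; ".join(findings))
```

The point of keeping the checks in one place is that the same function serves both the recordkeeping step (it only works if the inventory is complete and current) and the enforcement step (a device with findings is what the MDM should quarantine or deny network access to).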
One of the best defenses is to get inside the minds of the attackers themselves.
The Best Defense is a Good Offense
To understand and prevent attacks on your organization’s system through mobile devices it’s imperative to understand your vulnerabilities inside and out. In the world of cybersecurity the best way to do that is through penetration (pen) testing.
Pen testing is a form of ethical hacking. It involves simulating an attack on your digital systems and assets to carefully analyze all elements of the attack, including:
- How and where the hackers get in, past your defenses
- Where they go once they’re inside
- What they leave behind
Pen testing an entire cybersecurity system means testing every plausible path to your assets. Mobile pen testing focuses on the apps your company develops or uses. A mobile pen tester attempts to gain access to as much of your information as possible by exploiting vulnerabilities in the app itself, in how it stores data on the device, and in how it communicates with your back-end services.
One of the most intensive and valuable practices, pen testing is best left to professionals from outside your organization—like us!
Professional Device Management and Cybersecurity
Whichever kind of mobile device management policy you decide is best for your organization, it’s important to establish your plan and hold all stakeholders accountable. But MDM isn’t the only thing you need to worry about from a cybersecurity perspective. Any and all information technology needs to be safeguarded to ensure the security and privacy of your assets.
RSI Security has solutions for any cybersecurity issue you may have.
Our mission is providing professional cyberdefense to keep organizations of all shapes and sizes operating smoothly—something we’ve been doing for over a decade. Our comprehensive managed security services include various protections, like an MDM policy customized to your exact needs. To bolster your cyberdefenses contact RSI today!