One of the fastest growing areas of technology is the wide umbrella of mobile devices. With a projected yearly growth of 9 percent there will be an estimated 7.2 billion smartphone users by 2023. And the number of mobile devices isn’t the only thing increasing.
Every year mobile computing power grows stronger and more sophisticated. With some mobile devices even surpassing laptops and computers it’s no wonder we count on them for so much. But as mobile devices consume more of our daily activities they expose us to concerning cybersecurity risks.
Today, a mobile device management (MDM) policy is one of the most important steps any organization can take to protect itself from these inherent risks. But what does an effective MDM policy look like? Let’s review.
Baseline Requirements for an Effective MDM Policy
The purpose of a MDM policy is to reduce the risks of using mobile devices for work-related purposes.
Devices tethered to physical locations and pre-established cybersecurity measures are always safer than their portable counterparts. When employees leave the safety of your in-house security, firewalls, and private wifi, they expose their mobile devices to various risks, including but not limited to:
- Robbery or burglary of the device itself
- Attacks targeting users of public wifi
- Malware hidden in apps users may download
- Email, text, or call-based phishing
- Threats on websites viewed from a mobile browser
To safeguard against these and all threats there are standard requirements for any and all MDM policies.
The most foundational of these is recordkeeping:
To prevent and combat attacks you need to be able to identify the threats, their effects, and their sources. For that you must be able to review thorough and up-to-date records.
One of the most important elements of any and all security programs, recordkeeping is essential for cyberdefense, especially when concerning mobile devices. From a cybersecurity standpoint safely dealing with mobile devices becomes a far greater challenge due to the sheer number of different devices and interconnected systems—each with their own vulnerabilities. For example:
- Individual may operate multiple, unique devices
- In addition, carriers and related settings may vary
- Devices may connect to potentially harmful networks
- Users may download risky apps or use “safe” apps in dangerous ways
Considering the depth and complexity of all the data these mobile devices use, store, and send, record systems may not be able to account for every relevant detail. It remains essential to isolate the details that matter most.
For MDM purposes it’s vital that records are kept of the various operations conducted on organization-owned devices and work-only profiles and accounts. Detailed records should include updated catalogues of:
- All relevant devices, accounts, networks, and their users
- All organizational credentials (logins, passwords, PINs, etc.)
- All apps needed and used on work devices and accounts
- All attacks, as well as details about their causes and effects
- All known existing and potential vulnerabilities
Once you know the scope and scale of your MDM’s jurisdiction, you’ll be able to establish the first line of defense.
Some of the basic defenses you need to consider for all mobile devices and users include the following:
- Secure access protocols – One of the most important things to control is access to individual devices, as well as accounts and networks. You need to ensure that all mobile device users:
- Protect assets with strong passwords and pins
- Update passwords on a regular basis
- Keep credentials private and secure
- Use multifactor authentication (MFA)
- Organization-wide training – Guidelines are most effective if personnel are able and willing to follow them. Regular training on physical and cybersecurity practices ensures staff are able to stay within protocol. Other measures to consider for increasing willingness include:
- Incentives for completion of training, like small bonuses or PTO
- Consequences for missed training or lapses in secure practices
- Anti-malware protections – Even the most cautious users can fall victim to various targeted attacks. It’s imperative to install a firewall and antivirus software that screens for malware, such as:
- Spyware and keyloggers
- Updated software – Finally you must ensure that all hardware and software involved in company-related tasks are updated regularly. Although it may be inconvenient to update immediately, many updates are specifically designed for cybersecurity purposes, such as corrections for identified vulnerabilities.
These standard defenses feed into and off of each other. Together they form a virtual shield wall.
A well-trained staff that keeps their software and credentials updated will naturally decrease the number of possible attacks from accidents or negligent behavior. Decreasing these threats helps ensure that dedicated cyberdefense resources aren’t overburdened.
Once these basic defenses are in place, you should also consider another layer—encryption.
Encryption: Safety, Encoded
One of the most effective cybersecurity tools is actually a practice that’s been around for millenia. For as long as humans have communicated with language, we’ve used ciphers and codes to tactically hide meaning.
Encryption is a method of transforming information into an illegible code that’s impenetrable to unauthorized viewers. To a certain extent an encrypted message is safe even if it’s stolen.
How does it work?
Programs on networked devices will generate algorithms for encrypting and decrypting coded messages. Message encryption provides a representative example of how the overall system works:
- One user writes out a text message or email, then hits “send.”
- As the message leaves the device, the algorithm transforms it into an unreadable version of itself only accessible via the corresponding reverse-algorithm.
- When the message lands on a second device that has the reverse-algorithm, it’s decrypted, and the second user reads the message as it was originally typed.
- If the message is intercepted by an unauthorized user without the reverse algorithm, it will remain encrypted and functionally useless.
The encryption process happens instantaneously. The users may not even realize it is happening in the moment. In addition to discrete messaging between individuals, encryption also works to safeguard information stored in drives or on cloud servers.
Ongoing Analysis and Testing
Beyond basic recordkeeping, defenses, and encryption the most persistent cybersecurity requirement involves constantly assessing your cyberdefenses and then looking for areas of improvement. One of the most effective and comprehensive methods of ongoing analysis is called penetration (pen) testing.
A form of ethical hacking, pen testing simulates an actual attack on your system. The deeper and more realistic the attack is, the better insights it can produce. Pen testing an entire system allows you to identify:
- Where hackers can get in from
- What they can do once inside
This knowledge is key to being able to stop a criminal from penetrating your systems in the first place. A thorough pen test doesn’t simply involve an attack simulation, there’s also follow-up guidance and resources for patching up vulnerabilities (those that were discovered through the simulated attack).
Mobile pen testing is slightly more focused in scope since it generally involves apps developed or used by your company. The attacker will target any vulnerabilities located within the apps, including connections to other apps or data stored on devices.
Even though a mobile pent test is more limited in scope, it’s an essential part of any MDM policy.
Different Types of MDM Policies
Across various industries and organizations, individual MDM policies can vary depending on a company’s needs. That said, there are certain patterns that define the most common types of MDM. Some of the most common schemes, in order of control, include:
- BYOD – Bring your own device
- CYOD – Choose your own device
- COPE – Corporate owned, personally enabled
- COBO – Corporate owned, business only
Of all of these schemes, the first is the least restrictive. Organizations allow employees and associates to use their personal devices for work tasks. The final one is the most restrictive, with organizations supplying devices but enabling only work uses on them.
The most common of these four schemes, by far, are BYOD and COPE. Let’s go over requirements for each, beginning with BYOD:
MDM Requirements for BYOD Policy
The main feature of a BYOD policy is that employees and associates have control over the devices they’re using, since they ultimately own them. This kind of policy can lead to cost savings, as you don’t need to supply devices for employees. But there are also increased security risks from a handful of inevitable factors:
- Wide variety of devices, apps, and programs
- Lack of control over non-work-related device use
- Less ability to hold users accountable, even for work-related use
If you’re not providing the devices, it’s harder both in theory and in practice to control how your employees are using their own private property. Therefore more measures need to be taken on the side of insulating company apps, networks, and data.
Some best practices include:
- Separate user profiles for work and personal operation
- Intensive security and non-sharing measures built into controlled apps and accounts
- Restrictions on connectivity and functionality on public wifi networks
- Training on best practices for both company and personal apps
Above all every device user needs to know that any device they perform work tasks on is a crucial source of vulnerability for both them and the organization.
Shifting ownership to the organization can help immensely on the security front.
MDM Requirements for COPE Policy
In contrast with BYOD a COPE policy allows an organization to exert much more control over mobile devices. That’s because, as the name implies, the organization is in charge of purchasing and maintaining the devices. However, they enable them for personal use as well. In practice it’s like the users own the phones, when in fact they’re just licensed operators.
This scheme has benefits for both the user and the organization. For the user these include:
- Reduced expenses for the free phone and accompanied data
- Less personal liability for maintenance and replacement of the device
For the organization the main benefit of this scheme is control. To take full advantage of a COPE plan organizations should implement the following measures:
- Separate, partitioned accounts for personal and work uses
- Prohibitions on doing work-related tasks on any other accounts or devices
- Restrictions and monitoring of all activity on the work account
All that control comes at a price, both the initial purchase and over the lifespan of individual devices, including data and maintenance. However, safeguarding against cybercrime can mean much bigger savings down the road.
Best Practices for All MDM Policies
No matter what type of MDM policy your organization settles on, it’s important to translate the requirements detailed above into best practices. This will keep all stakeholders safe. At the end of the day what matters is that you make a plan and then stick to it.
So, whether you’re buying mobile devices for your users or allowing them to use their own, you need to make sure you:
- Keep detailed records
- Establish standard defenses
- Encrypt sensitive information
- Perform ongoing analysis
An effective MDM policy is seamlessly secure. Having cybersecurity in place doesn’t mean you won’t be a target of cyberattacks. Instead, it means that when attacks happen, you’ll be able to prevent their effectiveness and protect your assets.
For all these practices and more hiring professional help can be the difference between effectively implementing your MDM policy and falling victim to cybercrime.
That’s where RSI Security comes in.
Mobile Device Management Requirements — RSI Security
A well-developed and executed MDM policy is one facet of overall cyberdefense. To keep all elements of your organization protected it’s imperative to secure all information technology it comes into contact with.
And RSI Security can help you with all of your cybersecurity needs.
Our mission at RSI Security is empowering organizations with professional cyberdefense. We offer robust, comprehensive managed security services, including tailor-made MDM policies. We can analyze your business’s existing cybersecurity, highlight its strengths and weaknesses, and help you maximize your defense systems.
With over ten years of experience providing cybersecurity solutions we are your first and best option for cyber-protection. To safeguard your business contact RSI today!
Work From Home Cybersecurity Checklist
Review the best practices to keep your remote workforce safe and secure. Rest easy and give your clients the assurance they need that their information will be safe by implementing cybersecurity best practices as your employees work from home. Upon filling out this brief form you will receive the checklist via email.