Everyone wants to be flexible these days with what mobile devices they use for work, and where they use them.
But that can cause a headache for you when trying to keep your organisation safe from online threats.
Staff want to be able to share corporate data, and access company email accounts and networks wherever they are, but that means you literally have to put your IT security in the hands of your users.
Here are 5 risks you need to get on top of before letting your employees access corporate resources from mobile devices, and how you can help mitigate them.
1. Bad passwords
It’s likely that you already protect remote access with multi-factor authentication (by requiring a secure VPN with token authentication, for instance). This is a very smart idea as time and time again we’ve seen that people don’t choose good passwords, and they also re-use them across systems.
But have you thought about how your users access email on their mobile devices? If they only need to type a password in order to access email anywhere, then so can an attacker who guesses that password.
Why would a bad guy bother to attack a VPN if he can just guess a poor password to an email account and then, masquerading as that person, ask for the information he wants?
So make sure you enforce a strong password policy across the business and teach employees how to pick a proper password:
→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.
2. Dodgy apps and rooted phones
For some users, the temptation of free apps and extra functionality can be too great.
There are undoubtedly some cool and interesting things you can do with your phone if you go off-piste but it can be dangerous.
Rooting a phone can open up features which make it far easier to attack, and dodgy apps can steal passwords and data or run up huge phone bills.
So, adopt a policy that company-owned devices must not be rooted, and if you have a BYOD (bring your own device) programme, it’s a good idea to prevent your users from connecting rooted devices to your business network.
3. Old devices
In the smartphone world, old doesn’t mean years. In fact, it’s even possible to buy a brand new device which is, at the same time, too old to receive security updates.
Phones, just like workstations, need to be patched with the latest security updates. When a vendor stops patching, the risk of being compromised increases rapidly and forever more.
Everyone knows they shouldn’t run Windows XP anymore but the danger posed by out-of-date smartphones is exactly the same.
Make sure that your IT department understands the risks, and enforce a policy of requiring operating system versions that are likely to be actively maintained for the expected life of the device.
4. Unlocked phones
Many organisations have a screen-lock policy which ensures that workstations left idle will lock themselves. Unfortunately some of the same organisations neglect to implement a similar policy on their company phones.
Lock screens stop somebody with physical access to your phone from using it, whether they’re a thief, a corporate spy or your own child benignly tweeting nonsense to your company’s Twitter followers.
Adopt a policy that makes lock screens and short idle times mandatory.
5. Workstation infection and data loss
Even if you do a great job managing your mobile devices, it’s easy to forget that they also double up as a handy USB-stick. Plug them into a PC and you’ve instantly got a portable device to store content on.
Phones used in this way share the same risks as any other portable media – they’re a great way to spread malware. The phone doesn’t even need to be infected, it can just be a carrier.
Just like a USB key, anything unencrypted is also easily accessible to anyone who has physical access to the device.
Data on mobile devices should be encrypted and subject to the same policy you enforce for other portable storage devices.
If your employees aren’t allowed to plug USB devices into corporate computers then that applies to phones too, no matter how badly they need charging. If portable USB storage is allowed, then make sure you scan, scan, scan…
7 deadly IT sins
‘Mobile negligence‘ is one of Sophos’s 7 Deadly IT sins. You can read more about that and the 6 other sins here.