Mobile devices are an intrinsic part of doing business today, but they can also be an entry point for security risk for your organization. In this presentation Greystone consultant Tim Sullivan presents tactics and strategies for securing BYOD and company-owned mobile devices.
Greystone Technology is a technology services company with offices in Denver, Boulder, and Ft. Collins. Greystone offers fully outsourced IT services, supplemental IT services to support internal IT staff, IT project services, and WordPress and digital marketing services. Greystone is 16 years old and has 85 employees working along the Front Range.
About the Speaker:
Tim Sullivan is a Business Technology Advisor at Greystone. Tim manages consulting teams and works with clients on strategic insights and planning, making sure that businesses leverage technology to create solutions that are effective and efficient. On every engagement, Tim underscores the need for an emphasis on security.
Use of mobile in the workplace:
We all carry at least one mobile device with us every day; many of us have more than one. The reality is, whether they are officially allowed to or not, people are using that mobile device for work. They get their work email on their phones and access company data on their mobile device. And as convenient and necessary as they are, these devices introduce risk.
How many of you require your employees to have a mobile device for work?
How many of you issue a company-owned mobile device to employees?
How many of you allow employees to use their own mobile devices for work?
Mobile device ownership is a tricky situation. On one hand, companies want their employees to work in the most efficient way possible. In most cases this includes working while out of the office which requires a mobile device. On the other hand, companies want control over their data, which usually means providing the necessary equipment for employees to do their job effectively. A company is able to have some control over corporate-owned devices, but not so much on personal phones with corporate data. How do companies balance the need for flexibility with the security risk and cost of ownership?
When a company owns the device, they can implement tight controls over the use and protection of the device. There are fewer, if any, employee privacy issues since the device is owned by the company and the service is provided by the company. The drawback is this requires a heavy up-front investment in equipment and ongoing cost of managing and maintaining the devices.
Allowing employees to bring their own device for work (BYOD) is also a balancing act. On one hand, it is easier and less expensive to allow BYOD. But there is increased risk because there is less control. Because of privacy issues, companies cannot control these phones to the degree they can with corporate-owned devices.
The reality is a company should assume employees are going to use their own mobile devices, either phones, tablets, or both, to get work done unless they are strictly forbidden to do so. Companies need to have safeguards in place.
Risks include, but are not limited to:
Malware
WiFi hackers
Introducing malware to corporate network
Kids
Loss/theft of device
Think through all the ways a mobile device can be compromised.
Virus
Bluetooth or Wi-Fi hacks
Lost or stolen devices
Employee data theft
Loss or theft of devices is the most common risk encountered.
Remember the story of the CEO that Tim worked for who initially did not want to invest the time thinking through security for their phones? While he was involved in legal proceedings, he left his phone with some very sensitive data in a taxi. When he asked Tim what he could do to help him, it was already too late. Luckily, he was able to get his phone back. However, there was still the risk that people accessed sensitive data.
Implement a BYOD Policy:
WHO can access WHAT corporate data on BYOD
Required security measures
What devices are allowed
Privacy expectation & control
Device reset and data deletion in case of loss/theft
Most corporate data on employees' mobile devices is in the form of email. Using the Microsoft Outlook app can increase security by keeping control over email even when it is on the device and requiring a PIN, password, or fingerprint to access the email.
At a minimum, every device should require a PIN, password, or fingerprint to access the device. The device should be set to auto-lock after five minutes. All devices should enable encryption (default state for Apple devices). Employees also need to grant the company the right to delete corporate data off the device at any time.
Companies with corporate-owned devices typically employ more advanced Mobile Device Management software to protect, control, and track their “assets”. They may also install security software to protect against hacking and malware. MDM software can also ensure that devices are up-to-date with their security updates and the core operating system has not been modified.
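The minimum controls and the MDM checks described above can be expressed as a repeatable audit over a device inventory. The following is an added example, not part of the original presentation; the record fields, device names, and sample fleet are constructed, and applying the MDM-backed checks only to company-owned devices is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

MAX_AUTO_LOCK_SECONDS = 5 * 60  # baseline from the text: auto-lock after five minutes

@dataclass  # constructed inventory record; field names are assumptions, not a vendor schema
class Device:
    name: str
    owner: str                         # "byod" or "corporate"
    screen_lock: bool                  # PIN, password, or fingerprint required
    auto_lock_seconds: Optional[int]   # None means the device never auto-locks
    encrypted: bool
    wipe_consent: bool                 # company may delete corporate data at any time
    mdm_enrolled: bool = False
    os_up_to_date: bool = False
    os_modified: bool = False          # core operating system altered

def findings(d):
    """Return the baseline gaps for one device; an empty list means compliant."""
    gaps = []
    if not d.screen_lock:
        gaps.append("no PIN, password, or fingerprint")
    if d.auto_lock_seconds is None or d.auto_lock_seconds > MAX_AUTO_LOCK_SECONDS:
        gaps.append("auto-lock exceeds five minutes")
    if not d.encrypted:
        gaps.append("encryption not enabled")
    if not d.wipe_consent:
        gaps.append("no right to delete corporate data")
    if d.owner == "corporate":
        # Assumption: the MDM-backed checks apply only to company-owned devices.
        if not d.mdm_enrolled:
            gaps.append("not enrolled in MDM")
        elif not d.os_up_to_date:
            gaps.append("security updates missing")
        if d.os_modified:
            gaps.append("operating system modified")
    return gaps

def audit(fleet):
    """Map each non-compliant device name to its list of gaps."""
    return {d.name: g for d in fleet if (g := findings(d))}

# Constructed sample fleet.
FLEET = [
    Device("byod-phone-1", "byod", True, 120, True, True),
    Device("byod-tablet-2", "byod", True, None, True, False),
    Device("corp-phone-3", "corporate", True, 300, True, True, True, False, False),
    Device("corp-phone-4", "corporate", False, 600, False, True, False),
]
print(audit(FLEET))
```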
There is no autopilot for security. Threats, security, and technology are constantly evolving and it's important to stay up to date on the latest in each of those categories with quarterly or bi-annual reviews.
Have any questions? Reach out to us and we are more than happy to answer them for you.