For Mobile Device Management
Mobile devices, like smartphones, tablets, portable printers, and compact laptops, are essential business tools in the fast-paced world in which we live and work today. These small but powerful tools make the workplace and your employees more agile and versatile – providing them with the capacity to operate and to be productive while they are on the move or otherwise away from the office.
However, because of their capacity to keep us connected and engaged, regardless of where we are, our mobile devices also are a major source of increased cyber risk – so having and implementing an integrated mobile device security strategy is essential.
The Need for Mobile Device Protection
Just like the workstations, laptops and stationary printers used in your offices, your employees’ mobile devices are a factor in your organization’s endpoint security profile. They all provide attractive attack vectors for hackers, for phishing and ransomware perpetrators, and for others who may want to infiltrate your network and systems to do harm by destroying or stealing data, funds, and/or credentials. As with any security breach, cyberattacks that target these devices can bring your organization to a standstill. They also can damage your company’s reputation. Perhaps even worse, they can compromise the systems of your clients, customers, and partners – potentially jeopardizing your most important relationships and causing irreparable harm to your business. In the world of hybrid work, this reality is compounded by the fact that many companies are embracing the “bring-your-own-device” (BYOD) to work concept. Unfortunately, the home and remote networks your employees use to access your IT systems may not be as safe and secure as your company’s networks.
How ACS Can Help
We provide our clients with a full range of cybersecurity capabilities – including for your team’s mobile technologies. We can help you give your workforce the flexibility and connectivity it needs while also reducing the cyber risk profile those devices create for your organization.
Furthermore, as they download and utilize personal apps, interact with social media platforms, visit questionable websites, use unsecured public Wi-Fi resources, and leave their phones unlocked in public places, the chances of these devices being compromised increase exponentially. According to Verizon’s “2022 Data Breach Investigations Report,” “roughly 82 percent of all cyber-compromise events occur as a result of some form of human error, including failures to employ ‘best practice’ cybersecurity protocols.” These best practices include simple things like changing passwords frequently, locking devices when they are not in use, not using unsecured Wi-Fi networks, and ensuring that devices make use of encryption and authentication software. Other research indicates that 1 in 3 organizations have experienced cybersecurity intrusions as a result of employees’ mobile devices having been accessed and compromised. In fact, in one high-profile incident, a team of hackers installed malware on more than 25 million smartphones simply by gaining access to a popular social media network through one person’s cell phone.
ACS’ Tips for Hardening Your Mobile Device Security
Here are some measures you can take to improve the cybersecurity profile of the mobile devices your employees utilize to conduct business on your behalf.
- Establish Clear and Consistent Private Application Usage Policies: As was mentioned earlier, one of the most challenging types of security breaches to avoid is your employees downloading unauthorized or potentially dangerous applications onto the mobile devices they utilize to conduct business on behalf of your organization. It is important to have clear and consistent policies on this topic and to update and communicate them frequently. This can include requiring employees to log out of all personal applications before they attempt to connect to your network. It also can entail proactively providing employees with information and intelligence on popular applications that have been shown to create security challenges. As a further measure, we also recommend this policy make mention of the fact that employees should not allow others to have access to, or to use, any mobile device, cellphone, tablet, etc., that they utilize for work purposes. This is because even those we trust can download apps or files, or visit websites, sometimes inadvertently, that can result in security breaches.
- Establish Network Connectivity Protocols: The impacts of incursions that begin with your team’s mobile devices are magnified when those devices connect to your organization’s networks because this gives cyber actors with malicious intent access to more of your IT infrastructure. To limit the nature of this risk, it is important to have, to update, and to frequently share, protocols and policies that outline when, where, and how employees can use their mobile technologies to connect to your organization’s servers. This is important when these mobile devices are company property and have been issued exclusively for company business, but it is especially critical if your company embraces the “Bring Your Own Device” (BYOD) approach. Again, under these circumstances, it is important to emphasize the need for employees to shut down personal apps that may be running on their devices before they access your network. It is also important that they gain access to your network via the most secure Wi-Fi available, and that they be running the latest and most up-to-date versions of the Windows or iOS operating systems on their devices.
- Implement an Encryption Policy: Any organization that handles sensitive information, whether it be proprietary or related to business being conducted on behalf of clients or customers, should have a policy in place that requires such information be encrypted before it can be stored or transmitted – whether from a company-issued device or, even more importantly, from an employee’s own personal device. Most smartphones and tablets enable users to employ encryption software for such purposes simply by making some minor adjustments to their security settings. This can be a crucial step in protecting your company’s sensitive data, especially in situations where employees have lost their devices or have had them stolen.
- Establish Password Security Protocols: Requiring the members of your team to change their passwords frequently is one of the best and easiest ways to ensure that their mobile devices (and desktop technologies) remain safe and secure from bad cyber actors. Surveys consistently indicate that many of us use the same passwords, without any deviation, across all of the devices, websites, and secure portals that we access for work or to conduct personal administrative or financial business. Obviously, this is done primarily for convenience, but it is a very risky practice that can often result in very inconvenient outcomes – like having one’s personal or work data compromised or stolen. To avoid such outcomes, here at ACS, we recommend you instruct your employees to change their company passwords every 60 to 90 days – and that this be triggered by the company communicating routine reminders and monitoring whether employees are following through and initiating the requested changes. As part of this policy, we also recommend you establish specific password parameters – a minimum of eight letters or numbers combined with other alpha-numeric figures and at least one symbol.
- Implement Two-Factor Authentication: Authentication requires that an employee respond to an automatically generated prompt before he or she can access your network using a mobile device. The use of authentication software typically entails inputting a code that is sent to an employee when he or she attempts to connect to your IT architecture. This code is normally delivered via email, text message or voice recording. Here at ACS, we use an authentication software application called Duo when working with clients and we have found that its utilization can dramatically reduce the risk of hackers gaining access to a company’s network through its employees’ mobile technologies.
- Establish Expectations for Technical Updates: The most vulnerable personal computing device is a device that has not undergone routine updates. This is because bad cyber actors spend much of their time trying to figure out how to exploit holes in operating systems and software applications. When updates are processed on your employees’ mobile devices (and desktop and office equipment, too), it often means that the creator or provider of that operating system or software has proactively identified a gap or gaps in its product’s security wall by conducting its own incursion analyses for test purposes, or by monitoring the actions and behaviors of known cyber criminals. Ensuring that your employees are activating these updates on their devices is an essential threat mitigation practice. Likewise, utilizing an Endpoint Security product to identify devices that have access to your network and that have not been properly or recently updated is a great investment because it can prevent malicious incursions into your networks before they can be launched. Endpoint security software also can provide real-time threat detection and monitoring 24 hours a day, seven days a week, 365 days a year – by shutting down individual devices (mobile and stationary office equipment, like desktop computers and servers) before they are able to spread viruses, malware, and other forms of malicious code.
- Establish a Cybersecurity Culture: Finally, one of the greatest returns on investment you can get for your time and money when it comes to mobile device cybersecurity is building cybersecurity awareness into your company culture. This includes emphasizing that it does not stop at the office door – but that it applies wherever your employees may be working, including their homes or on the road. One way to emphasize this type of culture is through continuous training and communication – both about emerging cyber threats and their potential implications for your organization, as well as about the mitigating strategies that are being developed to neutralize them. Part of your cybersecurity training also should entail establishing the expectation that your company will be communicating with employees frequently to remind them about your cybersecurity policies and mechanisms and the role they need to play in ensuring that they are being utilized consistently and are effective. Informed and well-trained employees are often the first line of cybersecurity defense because if they are alert and informed they often can identify and initiate preventative actions before a cyber incursion attempt is successful. Among other things, training your team to recognize the signs of suspicious emails, which are the most common mechanisms cyber criminals use to gain access to company networks, can pay huge dividends. The same is true of educational efforts that are designed to help employees recognize phishing, spoofing and phone scam campaigns.
ACS Can Help with Mobile Device Security
Here at ACS, we provide our clients with a broad array of cybersecurity capabilities, including those designed to help protect the mobile devices your employees use to do company business when they are away from the office. We can help you establish and implement the necessary policies and procedures and provide the direct technical support your employees need to ensure that they are accessing your network and being productive in the safest and most efficient ways.