The 2021 Mobile Security Index surveyed 856 professionals responsible for the procurement, management or security of mobile devices for their organizations.
The survey found 60% of respondents considered mobile devices to pose the greatest IT security risk, and that 76% of respondents have faced pressure to trade mobile security for expediency.
One of the key contributing factors to mobile security issues is the blurring of lines between personal devices and business devices. Security gaps arise where no clear policy exists on the use of personal devices for business purposes, or where policies go unenforced. The data shows how often the remote or hybrid work model exacerbates these gaps: a Lookout report found a 364% increase in mobile phishing attempts between 2019 and 2020.
Employee devices fall into one of the following categories:
- BYOD (Bring Your Own Device): the employee selects and owns the device; its primary use is personal.
- CYOD (Choose Your Own Device): a company-owned device chosen by the employee from an approved list. Personal use may or may not be allowed.
- COPE (Company-Owned, Personally-Enabled): selected and owned by the company. Personal use may be allowed in a sandbox.
- COBO (Company-Owned, Business-Only): selected and owned by the company. Personal use is not allowed.
Regardless of which device ownership approach is used, employers should consider the following imperatives surrounding the use and regulation of devices by employees:
Establish clear policies as part of a comprehensive program
- With a CYOD, COPE, or COBO protocol, the variety of devices is limited to those chosen or approved by the employer. Therefore, if you are using one of these approaches, security may be easier simply because of the limited variety of devices. A BYOD program, however, means you’ll need to be prepared to secure a larger variety of operating systems and patch levels, and to address a more varied scope of vulnerabilities.
- Coordinate with your legal department to ensure you can enforce your policies in the event of a breach. For example: if it becomes necessary to examine or even to remotely wipe an employee-owned device.
- As always, it’s essential to make policies accessible and understandable to all employees regardless of primary language—this may mean providing device security protocols in translation where needed.
- Make sure all employees know what is expected of them regarding their device usage, especially when using a personal device for business purposes. Clear communication in this regard can mitigate instances of sharing devices with non-employees, password negligence, and/or inappropriate web browsing.
- Educate your employees about the potential dangers of shadow IT and backing up organization data on local or non-controlled devices. Vulnerabilities are created when IT cannot see or control the storage of sensitive information.
- Educate users on the importance of keeping applications and operating systems scrupulously up to date, and on the sensitivity of app permissions.
A zero trust approach may be optimal where device variety is larger. Because zero trust automates many security decisions, it can reduce the degree to which security relies on end-user choices.
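As an added illustration (not from the article or any vendor's product), the following hypothetical zero trust posture check grants or denies access purely from device state reported by an MDM, never from a user's choice: the article's four ownership models are each mapped to required controls, while the patch-age limit, the compromise flag and the sample device records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

# Ownership models from the article, mapped to the controls this hypothetical
# policy requires before the device may reach business data.
REQUIRED_CONTROLS: Dict[str, Set[str]] = {
    "BYOD": {"mdm_enrolled", "work_container"},
    "CYOD": {"mdm_enrolled", "work_container"},
    "COPE": {"mdm_enrolled", "work_container"},
    "COBO": {"mdm_enrolled", "personal_use_disabled"},
}
MAX_PATCH_AGE_DAYS = 30  # assumed threshold for "scrupulously up to date"

@dataclass
class DevicePosture:
    device_id: str
    ownership: str             # BYOD, CYOD, COPE or COBO
    controls: Set[str]         # controls the MDM reports as active on the device
    last_patch: date           # date of the most recent OS/security patch
    compromised: bool = False  # jailbreak/root detected, or reported lost/stolen

def evaluate(posture: DevicePosture, today: date) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny", reasons); the decision depends only on device state."""
    required = REQUIRED_CONTROLS.get(posture.ownership)
    if required is None:
        return "deny", [f"unknown ownership model {posture.ownership!r}"]
    reasons: List[str] = []
    missing = required - posture.controls
    if missing:
        reasons.append("missing controls: " + ", ".join(sorted(missing)))
    patch_age = (today - posture.last_patch).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        reasons.append(f"patch level is {patch_age} days old (limit {MAX_PATCH_AGE_DAYS})")
    if posture.compromised:
        reasons.append("device reported compromised or stolen")
    return ("deny" if reasons else "allow"), reasons

# Constructed sample posture records and reference date (not real devices).
TODAY = date(2021, 6, 1)
SAMPLE_DEVICES = [
    DevicePosture("byod-01", "BYOD", {"mdm_enrolled", "work_container"}, date(2021, 5, 20)),
    DevicePosture("byod-02", "BYOD", {"mdm_enrolled"}, date(2021, 3, 1)),
    DevicePosture("cobo-01", "COBO", {"mdm_enrolled", "personal_use_disabled"}, date(2021, 5, 28), compromised=True),
]

def evaluate_all(devices=SAMPLE_DEVICES, today=TODAY) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every device record and return the decision and reasons per device id."""
    return {d.device_id: evaluate(d, today) for d in devices}
```

A denied device with a compromise reason is the case where the MDM remote-wipe step described below would be queued, so a real deployment would feed these reasons into the incident response process rather than only logging them.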
A Mobile Device Management (MDM) solution can be used to secure and support devices remotely, particularly where a variety of heterogeneous devices is in use. MDM can isolate business applications in a “container” area, ensure patches and updates have been installed, and remotely wipe a compromised or stolen device.

Additional best practices
- If you use DLP (data loss prevention) to block the exodus of information, be certain to provide a legitimate, secure, and functional means of sharing files outside your organization.
- Provide an external-facing, memorable email address for your employees to report a lost, stolen, or compromised device.
- Regularly rehearse your incident response plan to ensure quick, smooth deployment in the event of a breach.