How to build a data fortress for your organisation

What you need to know:

  • Fine line: Firms must provide enough system security without creating a wall between workers and the jobs they are meant to do.
  • Sadly many organisations these days not only do not manage their mobile security risks, they don’t even manage mobile devices.

As mobile device adoption continues to rise and the sophistication of these devices advances, users are becoming more efficient road warriors than ever. Unfortunately, they are also exposing corporate data to a great deal of risk.

Given that mobile devices are inherently moving targets used outside the organisation’s perimeter — and outside its firewalls, threat management, spam and content filtering, and other tools used to keep evildoers at bay — it’s vital to apply best practices to the use of mobile devices to keep exposure to risk and loss to a minimum.

Sadly, though, many organisations these days not only do not manage their mobile security risks, they don’t even manage mobile devices.

Organisations need better control over the devices that connect to their networks if they want to keep a tight rein on corporate data. This means taking a proactive role: deciding which devices may connect, and defining security policies that every device touching company data must meet.

As any security expert will tell you, though, there’s a fine line between enough security to keep things safe and protected and a smothering blanket of security that gets between people and the jobs they must do.

EASY TO INTERCEPT

As a start, anybody who wants to use a mobile device to access the Internet should install and update anti-malware software on her smartphone or tablet. Most experts recommend that all mobile device communications be encrypted as a matter of course, simply because wireless communications are so easy to intercept and snoop into.

Those experts also recommend that any communication between a mobile device and a company or cloud-based system or service should be required to pass through a Virtual Private Network (VPN).

VPNs not only encrypt traffic in transit but also provide opportunities for logging, management and strong authentication of users who wish to use a mobile device to access applications, services, remote desktops or other systems. Note that a VPN protects data on the wire only; it does nothing for data already sitting on a lost or compromised handset, which is why the device-level controls that follow still matter.

Many modern mobile devices include local security options such as built-in biometrics — fingerprint scanners, facial recognition, voiceprint recognition and so forth.

Beyond a simple account and password, mobile devices should be used with multiple forms of authentication to ensure that possession of a mobile device doesn’t automatically grant access to information or systems.

Companies should weigh the danger of loss and exposure and decide whether a set number of failed unlock attempts should cause the device to wipe its internal storage. Because a child or a jostled pocket can trigger such a wipe, the threshold should be generous enough to avoid accidents, and the policy should go hand in hand with regular backups of the data that matters.

THIRD-PARTY APPLICATIONS

Smartphones are risky precisely because they are miniature computing platforms that will accept third-party applications of every kind.

Organisations should block the installation of unsigned third-party applications so that attackers cannot use a rogue app to take control of the device.

Companies or organisations that issue mobile devices to employees should also establish policies that limit or block the use of third-party software, for example by allowing only apps from an approved list or from the platform's official store.

This is the most effective way to prevent compromise and breaches resulting from the intentional or drive-by installation of rogue software that could siphon information into the wrong hands.

Bluetooth on today's smartphones makes it easy to talk on a hands-free headset, but it is also a target for attackers, who take advantage of radios left switched on and discoverable to launch attacks.

To limit exposure, users should disable Bluetooth when it is not actively in use, and keep the device in hidden (non-discoverable) mode when it is. Organisations can reduce their exposure by making this company policy and enforcing it through device management.

At least once a year, organisations should hire a reputable security testing firm to audit their mobile security and conduct penetration testing on the mobile devices they use. Such firms can also help with remediation and mitigation of any issues they discover.

Sam Wambugu is a monitoring and evaluation specialist.