Our mobile devices play a central role in our lives today. Whether they be smartphones, tablets or in other forms such as wearables. They are the first devices to hand when managing our digital lives – both personal and business as they are always with us.
Due to their straddling of both strands of life, they are also a critical point of concern when it comes to protecting the personal and corporate data that they process. In this article, we explore what Mobile Device Management is, the various approaches to it, and examine whether there is a middle ground that smaller organisations can take in beginning to get a handle on mobile device security.
According to Verizon’s 2019 Mobile Security Index Report, one-third of organisations have been affected by mobile device compromises, with public sector, financial & professional services among those most affected. Among the reports other findings were:
- Of those who suffered mobile device incidents, 62% were not trivial incidents. More than three-fifths of those affected described the compromise as “major,” and 41% described it as “major with lasting repercussions”.
- Two-thirds of organisations said they are less confident about the security of their mobile assets than other devices.
- Less than half of organisations had mobile endpoint security in place. And the figures for other key protections—like anti-malware and mobile threat defence—were even worse.
- Nearly half of companies admitted to sacrificing security to “get the job done.” Those that did were nearly twice as likely to say they had suffered a mobile-related compromise—46% versus 24%.
What is Mobile Device Management (MDM)?
Mobile Device Management refers to the software that an organisation may put in place to monitor, manage and secure employees’ mobile devices that are in use across the business. It comes under the umbrella of Enterprise Mobility Management (EMM) which encompasses the wider set of people, processes and technology that focus on managing a business’s mobile infrastructure.
Smaller Organisations at Risk
Traditionally, it has been larger, more well-resourced organisations with bigger budgets and access to the skills needed to configure and maintain such software who have invested in mobile device management. However, this does not reflect the reality that smaller businesses have as much of a need and obligation to protect the data that is on their employee’s devices as do larger ones. Smaller businesses are just as likely to be managing personal, sensitive or high-risk data and if that data can be accessed on employees’ devices, the organisation is carrying risk by not protecting them.
The fact that a business is smaller can make them more attractive to an attacker as they can be perceived as likely not to have the necessary resources or level of maturity needed to protect their assets. Threats to the security of mobile devices – such as those posed by hackers, do not discriminate when it comes to the size of an organisation.
The GDPR Effect
When the GDPR came into force in May 2018, as well as affirming an organisation’s obligations to provide for an individual’s right to privacy, it also defined ways in which those rights can be achieved – among them (in Article 32) – by ensuring the security of processing.
For organisations that may have taken an ad-hoc approach to security in the past, this was a clarion call, recognising that to achieve privacy, security is an essential ingredient.
While many organisations have reviewed their security measures in light of the GDPR and other security-focused regulation such as the Network and Information Systems Directive (NISD), mobile device management is often not addressed with the same rigour as other areas such as desktop and laptop device management.
What are the Threats to Mobile Devices?
The 2019 Mobile Security Index Report notes that users are three times more likely to fall for a phishing link when on a phone than when using a desktop – sufficed to say that mobile devices are a significant source of vulnerability for the business when appropriate controls are not in place.
There are many threat sources to the security of mobile devices. Among them are included:
Many of the threats to the security of mobile devices comes down to what a user does with the device. For example – clicking on a phishing link in an email, installing an unapproved application or using the device on an unsafe network.
The fact that an App is available on the Android or Apple App store, does not mean that it does not pose a threat to the device. Users may also install third-party apps that they have sourced outside of the usual store channels. There are many ways that malware and ransomware can their way onto a device. Apps with excessive permissions can also be a source of data leakage.
Users run the risk of being exposed to malicious code on websites that they visit, which can exploit vulnerabilities that exist in the device or software that they are using.
Despite best intentions, people lose things. Devices are lost daily when people leave them behind in planes, trains, taxis or otherwise. According to security device manufacturer Kensington, 70 million smartphones are lost each year. More relevant in a business context, 4.3% of smartphones issued to employees are lost or stolen every year and just 7% of lost or stolen smartphones are ever recovered.
Other threats to devices can arise due to users not putting in place basic security measures such as a lock screen or pin code. Outdated phone software and unpatched security vulnerabilities also pose a significant threat.
Many people may not give a second thought to using public Wi-Fi networks, but these can be notoriously insecure, giving anyone who chooses to take advantage of their vulnerabilities the opportunity to compromise devices that connect to them. Hotel WiFi’s are an excellent example of networks typically used by corporate users that may be targeted by hackers.
With multiple threats posing a risk to employees’ devices – and by extension – your business’ and your customers’ data, a fingers-crossed approach to mobile device security is not going to end well. Whatever approach an organisation chooses, it should be doing its best within its capacity to equip employees to be the front-line defence that they need to be.
Where to start with Mobile Device Management (MDM)?
There are many approaches to consider when choosing how to implement MDM. The first step is choosing which approach to device management is right for your organisation.
Below are various mobile device management approaches to consider for your mobile device management:
BYOD– Bring Your Own Device
For many smaller organisations, this is often the approach that they gravitate towards. Employees can use their own devices to access corporate assets. While this approach is cost-effective for the business, it is more difficult to gain an adequate level of assurance that appropriate protections are in place.
At a minimum, a BYOD Policy should be developed and issued to employees’ governing expectations of use of the device for business purposes and the measures that the business requires to be in place on devices that have access to corporate data.
While it is a cost-effective strategy (at least in the short-term), it can be difficult to reach a high level of security assurance. If the business does not manage the device, the controls in place are reliant on the owner of the device and what they have actually chosen to put in place. As such a BYOD Policy alone, that does not exercise or verify the implementation of any controls, is only as good as the people who put it into action.
CLEO–Corporate Liable, Employee Owned
This approach, also known as POCE – Personally owned, corporate enabled, is a variation on the BYOD model. With CLEO, employees own the devices, but their employer pays for its service costs and is responsible for managing and securing the device.
With this option, there can be a perceived potential intrusiveness into an employee’s private life by their employer, due to the employee not having control of a device that is also used for their personal activities. As such, this may not be the preferred approach for some.
CYOD–Choose Your Own Device
The CYOD approach allows employees to choose a device from an approved list. The device is either employee-owned or purchased by the business. This approach is a blend of the BYOD model in that, so long as the device is on an approved list, the employee can use their own device. It is a step up from BYOD, due to the standardisation of devices, but comes with many of the issues that BYOD has, such as the lack of a high-level of assurance due to not being directly managed by the business.
COPE – Corporate-Owned, Personally-Enabled
This is the opposite of BYOD and has traditionally been an approach taken by larger organisations. Instead of making corporate functions work on personal devices, COPE enables use of company devices for personal activities including social sites, email, calls, etc.
Employers provide employees with devices and applications, and the company maintains ownership, ensuring that devices are kept up to date with the latest software versions and security patches and that the applications and activities carried out on the device are in-line with company policy.
With this approach, employers can have confidence in how a device is managed and secured while allowing employees flexibility in using the device for personal purposes. A clear line is drawn with corporate ownership of the device as opposed to the CLEO approach and as such the organisation can implement procedures such as remote wiping without concerns relating to a user’s personal data.
Mobile Application Management – The Middle Ground?
Mobile Application Management (MAM) is the term used to describe when an organisation exercises control over a selection of applications on an employee’s device – for example – the Office 365 suite of Apps, as opposed to the device itself.
An organisation can define App protection policies that restrict what types of applications are able to connect with the corporate network. This allows the organisation to specify, for example, that no devices accessing corporate email can do so unless they have the latest operating system updates installed, or that the ability to export data from certain Apps are restricted (e.g. copying/pasting from email clients). This process may also be referred to as containerisation and an App needs to be compatible with MAM in order to be managed in this way. MAM and MDM are not mutually exclusive – MAM can form part of an organisations wider MDM strategy.
No One-Size Fits All Approach
Deciding which approach is right for your organisation will depend on many factors, including the available budget, technical capability, attitude towards risk and the level of support of the organisation’s executives.
Get the Basics Right and Start Small
Every journey starts with a single step – if you do not have a MDM program in place and yet allow employees to access corporate data on personal devices, as part of a broader enterprise mobility management initiative,you should consider providing security awareness training that includes mobile device best practices, obligations relating to the handling of personal data and issue guidance materials to ensure employees are equipped to avoid common pitfalls when using their mobile devices.
Define an Acceptable Usage Policy (AUP)
Where the organisation supplies and manages the device for employees, an Acceptable Usage Policy should be clearly defined covering areas such as:
- Usage of unapproved Apps;
- Limits on personal use;
- Guidance on using devices on unapproved networks;
- Accessing inappropriate or illegal content.
Review Vendor Options
With more and more organisations moving their infrastructure to the cloud in recent years, MDM and MAM solutions have become more cost effective, user-friendly and readily available. If your organisation had considered them to be too costly or difficult to manage in the past, now may be a good time to reassess these options.
An assessment of the available options will need to be made based on your organisation’s context, needs and risk appetite. The fact that the business may already have made commitments to a certain technology ecosystem may aid the decision. For example, an organisation using Microsoft services may consider Microsoft Intune, which as well as enabling MDM implementation, also offers more broad endpoint management solutions – allowing an organisation to manage policies for their desktops, laptops, printers and other hardware. Managed Mobility Services providers (MMS) can also be engaged to help you manage your mobile device strategy.
Test on a Subset of Users
Should you decide that the time has arrived to roll out a managed MDM program, start small – ensure that the process works on a subset of employee devices before rolling it out to the wider organisation. This will minimise the impact on employees of any teething issues that might be encountered.
Securing mobile devices is an important component of ensuring the protection of any corporate and personal data that your organisation processes. Trilateral can assess your approach to mobile device security as part of our wider IT Security Review service. Should you need advice on this or other areas of data protection compliance, visit Trilateral’s Data Governance page and contact our team.