"Whether company-issued or an employee's own, mobile devices are pumped full of information, both business and personal in nature. This means that important business information, emails and sometimes mission-critical applications are intermixed with companies' employees' personal data and media.
"Typically, mobile devices lack security features, such as encryption and access control. When security on mobile devices, from laptops to smartphones and tablets, is not up to scratch, critical business information could be at risk," warned Richard Broeke, sales manager of Securicom, a specialist IT security company.
He continued "The majority of South African companies allow employees to use their own devices for work purposes. For the most part these are unmanaged, unprotected, and there are no measures in place to enforce security policies around the storage and use of company data. Also, if a device is lost or stolen, all the information on there goes with it. Any company data housed on them is, therefore, vulnerable."
Mobile devices, like corporate networks and PCs, are increasingly becoming targets for criminals. In the past two years, attacks on mobile devices have increased substantially as criminals adapt their strategies for mobile. Statistics from a leading global IT security software vendor shows that mobile malware has increased by 58%. Thirty-two percent of mobile malware is designed to steal information from compromised devices.
Against this backdrop, Broeke said that all companies that allow employees to use mobile devices for work purposes should enforce the installation of security software on them. This goes for both company-issued devices as well as in a "bring your own device" environment. Security is just a component of effective mobile device management, though.
With a credible mobile device management platform, he said, companies can do more than just enforce device security installations and upgrades to mitigate malware. They can also perform device compliance checks; monitor network traffic and user behaviour; block disallowed apps; identify mobile threats, and block devices that are unmanaged, lost or don't adhere to company blacklist or whitelist policy; and security rules. A good MDM solution also enables companies to enforce a security policy for mobile devices effectively.
Just as corporate email usage policies have become the norm for restricting how, for what and when employees can use company email, so security policies around the use of mobile devices have become necessary.
Enforcing a security policy enables companies to define and limit the activities that employees are allowed to perform on mobile devices when it comes to their work.
Policies should detail the security requirements for each type of device that is used in the workplace and allowed to connect to the corporate network. This could include the way that passwords are configured, prohibit specific types of applications from being installed on the device, and enforce the encryption of data stored on devices.
Of course, employee education and buy-in are the key. Users need to be educated about the risks of mobile malware, downloading rogue applications, accessing the corporate network from unprotected devices, and storing critical business data on unsecured smartphones. They should also be shown how to use their privacy and permission settings.
Broeke concluded by saying that organisations need to inform their employees clearly about the security implications of using mobile devices for work purposes.
"Ground rules should also be established to ensure that their security requirements are being met while acknowledging employees' right to privacy."
