7 mobile device security best practices for businesses
It’s up to IT admins to enable employees to work from their mobile devices, but they must keep mobile security at the top of their list alongside the end-user experience.
Users are most productive when they have mobile access to their corporate resources, so enabling this access is a critical goal for most organizations. However, mobility is complex. It is not as simple as giving an end user a device and having them log into their preferred email client.
IT admins must consider getting devices to a securely managed and productive state while ensuring the onboarding process is simple, minimally invasive and streamlined for end users. Further, they must guarantee that users can perform all necessary productivity tasks in a secure environment.
IT administrators should follow these 7 mobile device security best practices for businesses to ensure they meet these goals.

1. Manage mobile devices with an MDM
Any organization that gives access to corporate data on mobile devices should consider using mobile device management. MDM is an IT admin’s first line of defence for securing mobile devices. In some cases, an MDM platform can manage various devices, including iOS, Android, Windows, macOS and even Chrome OS devices. MDM is a flexible tool that gives admins many controls to ensure devices are secured and properly supported. Additionally, consider looking into the Apple Business Manager and Android Enterprise programs for business-only mobile devices. They integrate with the MDM to give organizations more privileges on a device to enforce higher-level security configurations, including advanced restrictions and settings controls, home screen layout, single app mode, multi-user and shared modes, and zero-touch enrollments.
2. Manage authentication and access
There are plenty of different approaches that IT admins can take to enable mobile authentication, including the following:
PIN code management
The PIN often serves as a password for mobile devices, preventing bad actors from gaining unauthorized access. Organizations should enforce a PIN code policy for the safety and security of end users and the organization. This policy could, for example, require a minimum of eight digits for the PIN. This ensures that devices are always in compliance. IT can best implement this policy from an MDM.
Multifactor authentication
Admins may do their best to ensure mobile device security, but once a device leaves the office building, it is susceptible to numerous attacks. An admin can’t always control what network that device will connect to next or the risk conditions the device will enter. Multifactor authentication (MFA) will provide more comprehensive security by confirming that the end user logging on is who they claim to be. It requires two or more authentication methods, including PIN or password, SMS verification and biometric factor authentication. An admin can then set parameters for when to require MFA based on the device’s trust and risk conditions. MDM can also be a mechanism to push out the requirement to devices, integrating the preferred MFA into the MDM enrollment workflow and allowing the MDM to serve as the central hub for all device security and enrollment configurations.
3. Enable data loss prevention policies
Users require numerous applications on their mobile devices to complete their jobs, so IT admins must ensure that corporate data is not copied and accessed in an unmanaged or untrusted application. Organizations can use app protection and DLP policies to prevent company data from being saved locally to the device. IT admins can also restrict data transfer — or the “open in” option — to other apps that are not approved or managed, limiting specific capabilities, such as copying and pasting.
Platforms such as Microsoft Endpoint Manager will even allow app protection policies on Microsoft apps without requiring admins to enroll devices in an MDM. For devices enrolled in an organization’s MDM, the MDM is the mechanism to create and enforce these security restrictions to ensure data loss protection.
4. Set corporate and BYOD remote lock and device wipe policies
What happens if an employee loses a device or leaves the company? Every business should develop a policy for both corporate-owned and BYOD devices that covers device loss and data wipes.
Under this type of policy, whenever a mobile device is lost or stolen, the organization can take actions to secure data, including a data wipe, reset or device lock.
This type of policy gets messy with BYOD environments; not every user likes allowing IT to control their devices. However, both Google and Apple have addressed this issue with platform updates. In iOS 13, Apple introduced User Enrollment, which significantly restricts how much an MDM platform can do on a personal BYOD iPhone — including removing the ability to perform a factory reset of a device. Google’s Android Enterprise work profile feature enables users to keep distinct work and personal apps and data for Android devices. Each profile is entirely separate; the organization manages the work apps and data, while the end user’s apps, data and usage remain untouched. This restricts invasive management tasks, such as factory resets.
5. Keep BYOD and corporate devices updated
Keeping devices updated is not an easy task, but it is extremely important. Mobile devices are a growing target for malware and other attacks, and one of the best ways to fight against that is to ensure that all managed devices are fully up to date.
IT admins can take many different approaches to keep devices updated promptly. Asking users to implement updates is simple but not always successful. One of the best ways to encourage end users to update is to enforce controls via the MDM. For devices enrolled with an MDM platform, an IT admin can schedule a mobile OS update for all users — ideally in a low-use time, such as the middle of the night. IT can take that a step further on corporate-only devices, and the MDM can schedule, download and auto-install the updates.
It can be a bit trickier with BYOD environments. Mobile IT admins can schedule a prompt for the user to download and install the update, but it is still up to the end user to trigger the process. However, there are mechanisms IT admins can implement via MDM; one such mechanism is a compliance policy. A compliance policy would allow an admin to create an “if this, then that” automation for devices.
An example of this would be a compliance policy that targets devices with a specific version of iOS. An admin can create an action that would send a notification to a user to update; after two days, if that device hasn’t updated, an admin can take steps such as quarantine or removal of corporate email and access from the device. These restrictions would remain in place until the user updates the device OS.
These compliance policies help keep corporate data safe while encouraging end users to stay current. While this example targeted iOS devices, the same policies can apply to Android devices.
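The “if this, then that” compliance flow described above, as an added example that is not part of the original article or any MDM vendor’s API: a device record is checked against a minimum OS version, the user is notified, and after the grace period the device is quarantined until it updates. The inventory, the MIN_VERSION values and the GRACE_DAYS constant are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

GRACE_DAYS = 2  # days between the update notification and enforcement
# Minimum acceptable OS version per platform (assumed example values)
MIN_VERSION = {"ios": (16, 4), "android": (13, 0)}

@dataclass
class Device:
    device_id: str
    platform: str
    os_version: str                    # installed version, e.g. "16.3.1"
    notified_on: Optional[str] = None  # ISO date the user was told to update

def parse_version(version: str) -> tuple:
    """Split '16.3.1' into (16, 3, 1) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))

def evaluate(device: Device, today: str) -> str:
    """Return one of: compliant, notify, wait, quarantine."""
    # Up to date: any earlier restriction is lifted
    if parse_version(device.os_version) >= MIN_VERSION[device.platform]:
        return "compliant"
    # Outdated and the user has not been told yet
    if device.notified_on is None:
        return "notify"
    # Notified: quarantine (pull corporate email/access) once the grace period ends
    elapsed = date.fromisoformat(today) - date.fromisoformat(device.notified_on)
    return "quarantine" if elapsed.days >= GRACE_DAYS else "wait"

def run_policy(fleet: list, today: str) -> dict:
    """Evaluate every device; record the date when a notification is sent."""
    actions = {}
    for device in fleet:
        action = evaluate(device, today)
        if action == "notify":
            device.notified_on = today  # start the grace-period clock
        actions[device.device_id] = action
    return actions

# Constructed sample inventory (not real devices)
SAMPLE_FLEET = [
    Device("ipad-01", "ios", "16.4.1"),
    Device("iphone-02", "ios", "16.3.1"),
    Device("iphone-03", "ios", "16.2", notified_on="2023-06-01"),
    Device("pixel-04", "android", "12.0", notified_on="2023-06-02"),
]
```

Running `run_policy(SAMPLE_FLEET, "2023-06-03")` marks the up-to-date iPad compliant, notifies iphone-02, quarantines iphone-03 (notified two days earlier) and leaves pixel-04 waiting inside its grace period.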

6. Monitor device compliance and automate with mobile threat defence
MDM is a management tool with device-level security controls. On its own, it cannot detect and prevent attacks from malicious applications, networks and phishing, and phishing attacks against mobile devices have recently increased.
Mobile devices, like desktops, are still endpoints, and IT needs to secure them. Mobile threat defence (MTD) platforms detect man-in-the-middle attacks over Wi-Fi and identify suspicious behaviour on a device by proactively searching for malware, harmful applications and mobile phishing attacks. They can then remediate issues in various ways, including killing the device’s Wi-Fi or cellular connection to prevent further data leakage or working with an MDM to quarantine the device. At a high level, an MTD platform can perform these functions:
- Monitor a device’s activity to detect cyberattacks in real-time.
- Monitor device applications for suspicious behaviour that may leak user data to untrusted sources.
- Monitor for OS vulnerabilities and kernel exploits.
- Monitor device networking activity for man-in-the-middle, Secure Sockets Layer (SSL) stripping, and SSL decryption attempts.
CyberCentra provides an all-in-one solution for MTD and MDM platforms to provide stronger security for mobile devices and users.
7. Keep your end users informed
IT admins can apply all the technology they like to fix a problem, but it is still vital to train end users and keep them informed about current threats and vulnerabilities.
Helping end users understand the importance of updates and how they can affect corporate data should help them make the right decisions related to device security. Understanding these 7 mobile device security best practices for businesses is important for every company.