Mobile Device Security Best Practices

Pull up a copy of any security framework published in the last 20 years, and you’ll almost certainly find some mention of asset management. Tracking the hardware and software in your environment is the fundamental step to securing your organization—and that includes planning for mobile device security. You can’t effectively secure what you can’t see, and you can’t patch software on a system that you don’t know is there. That’s why one top standard, the Center for Internet Security Critical Security Controls (CIS CSC or CIS Top 20), gives the top two spots on its priority list to “Inventory and Control of Hardware Assets” and “Inventory and Control of Software Assets.” 

Despite the absolutely fundamental nature of asset management, many organizations neglect it. IT managers especially tend to overlook mobile devices and software, even though these assets are some of the most important elements in risk management. The four factors below make mobile devices and software especially likely to get involved in security incidents: 

1. Mobile devices are easily physically lost or stolen.
2. They often contain sensitive data.
3. They frequently connect to networks outside the corporate network perimeter.
4. Users' normal impatience with security safeguards is even more limited in mobile settings.

Add all that up, and you have a recipe for security incidents involving mobile devices. And that’s a problem that can spread quickly. It is critical that your organization manage, control, and monitor mobile devices in order to protect them from becoming a beachhead for hackers looking to pivot and access internal organization systems. 

There’s no doubt that managing mobile devices properly adds complexity to your security strategy. But you don’t have the option of ignoring the issue. If a breach occurs, your customers and industry partners won’t care about all the reasons you found it too hard to manage and secure your mobile hardware and software assets. If you think it’s too costly or difficult to implement a mobile device or software control, you should reevaluate whether you should use mobile devices as part of your computing environment. 

Review Your Mobile Security Posture 

When you do get serious about mobile security, you’ll quickly discover a host of different solution categories (plus a long list of vendors) that could come into play, including Mobile Device Management (MDM), Mobile Application Management (MAM), End Point Protection (EPP) and Data Loss Prevention (DLP). (Plus many others if we bring mobile device network security into scope.) 

Most organizations will need to consider a mixture of approaches and solutions to manage mobile device and software risks. One thing you shouldn’t do is determine the best solution first. Before you get to the point of solutioning, you should: 

1. Understand all of the risks introduced to your organization by mobile devices and software (HBS can assist with thorough risk assessments that include evaluating your mobile posture).
2. Determine the specific functions or features necessary for your organization to sufficiently manage mobile device and software risk.
3. Evaluate/document whether the solutions your organization already has in place are fully capable of managing your mobile device and software risks.

Below, we summarize first steps toward solutions for the top three mobile device risks listed at the beginning of this post. 

Physical Loss/Theft 

When a device physically leaves a legitimate user’s control, it is likely to face several potential threats. Anyone in control of a device can either attempt to access what’s on the device, or they may use it to access restricted networks or applications through the credentials of the device’s approved user. Even if a device doesn’t make it into the hands of a malicious attacker, it could be used in a way that exposes the organization to compliance or reputation risk. (A huge community of enthusiasts on the Internet revolves around rooting/jailbreaking devices). Finally, you must be ready to deal with devices that terminated employees never return. 

To deal with each of the threats above, consider the following security controls: 

Policy/Process/Standards 

• Require users to immediately report lost devices and report security incidents involving mobile devices. 
• Require users to sign an acceptable use agreement for mobile devices or Bring Your Own Device (BYOD). 

Technology 

• Keep devices updated with minimum OS (iOS or Android) level standards. 
• Monitor for devices being rooted or jailbroken. 
• Monitor for failed login attempts and enable the ability to lock out or wipe devices when there are too many attempts. 
• Establish adequate device access control configurations: 

– Enforce password/pin length/complexity standards. 

– Enforce password/pin rotation, reset, and history standards. 

– Enforce screen lock/timeout policies for devices. 

– Use login banners and warnings. 

Sensitive Data Control 

Ultimately, data is what most organizations really want to secure on their mobile devices. Before you go down the path of choosing a security approach, consider whether the best approach is simply keeping sensitive data off the mobile device in the first place. 

If you do need to allow data to go mobile, you can secure it with a combination of encryption and remote wipe capabilities: 

• Remote wipe – Tools that let you reach out and remove all data on the device (essentially a factory reset). 
• Selective remote wipe – Tools that reach out and remove specific data or apps on the device (more common in BYOD scenarios). 
• Device encryption – Encrypting the device’s hard drive to protect all the data. Be sure your strategy includes plans for managing the device’s encryption keys. 
• Selective encryption – Encrypting certain applications or data on the device. (More common in BYOD scenarios.) 

Outside Network Connections 

Taking devices outside the traditional security perimeter usually strips them of several layers of network security controls that come along with an organization’s firewall and Internet traffic filtering infrastructure. While endpoint network controls enabled by DNS are not strictly an asset management function, you should strongly consider using them. As mentioned above, a compromised mobile device often becomes a doorway that hackers use to breach broader company systems. 

Here are some best practices for managing devices using outside networks: 

Device software installation/usage restrictions 

• If users are allowed to install software/apps, they can install malware, whether accidentally or intentionally. So you should strongly consider app whitelisting or category-based whitelisting. 
• If a mobile device user without software restrictions implemented falls victim to a phishing attack, the device is much more easily compromised and can be used to pivot to internal systems. 

Elevated security requirements for mobile device access to production systems and data 

• If your risky mobile devices don’t need to be on the same network as your servers when they come into the office, Network Access Control (NAC) can help keep them separated. 
• Consider requiring multifactor authentication (MFA) for any system that can be accessed by a mobile device. 

App communication security 

• Ensure that communication channels for all apps on your mobile devices use the latest encryption capabilities such as TLS 1.2 or 1.3 to ensure that traffic transmitted over public networks is properly secured. 

End Point Protection 

• Consider implementing an End Point Protection agent to monitor for and respond to malware infections or other security incidents on the device. 

If you are an IT or security practitioner, remember that deciding whether to accept a risk or to manage it by implementing a control in any given scenario is ultimately a business decision enabled by your expert opinion. HBS specializes in helping leaders assess risk in light of their specific business needs and develop appropriate solutions. Contact us to learn more about how we can work together to secure your organization.