
DEREK SMITH: Countering the security risk from mobile phones

The mobile phone has become a necessity in today’s workplace. It has become common practice for companies to allow employees access to company e-mails, read, review and respond to critical company files, and even attend video conferences via their personal devices.

However, do you and your company truly understand the security challenges posed by mobile devices? In the first of this two-part series, this writer gave an overview of the significant cyber security threats to smart phones and other mobile devices. These included, but were not limited to, mobile malware, Android rooting, fake access points, unsecured Wi-Fi, SSL certificates and packet sniffing. Now, in the second part of this two-part series, we move on to counter-measures for the major threats facing smart phones and other mobile devices.

Bring your own device (BYOD) policy

Your company will benefit from a written BYOD policy in two ways. First, it clarifies your IT strategy and gives employees a framework for learning about cyber security on their own devices. Second, with a good BYOD policy the company can focus its efforts and budget on the mobile protections that matter most, and can set an enforceable standard of conduct for the use of employee devices that keeps those devices safe. Essentially, a company should balance employees’ freedom to use their phones for personal purposes with the tools they need to reach work assets safely whenever they need them.

Prohibit non-approved cloud storage

Employees need to work on a document at home over the weekend, or a vendor sends papers that need to be reviewed. Tempting scenarios like these arise from time to time and prompt people to “send a document to a personal e-mail” or drop it into a “Google Docs Dropbox environment”, which seems to ease the burden of the task. In many cases this behaviour is benign. However, the company is at risk whenever employees take work files outside its encrypted network. Cloud-based backup systems are recommended for most companies: keep all documents in a central location that the company protects, so employees can reach them easily. Once that is in place, the company has addressed this mobile security challenge.
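One way a company can tell whether its policy on non-approved storage is actually being followed is to watch its web proxy for uploads that leave the protected network. The script below is an added example and not code from the original column: it reads constructed proxy log lines in a made-up whitespace format, treats uploads to a prohibited personal-storage list as policy violations regardless of size, and flags large uploads to any other unapproved host. The domain lists, the 1 MB threshold and the sample lines are all assumptions.

```python
"""Flag uploads from employee devices to cloud storage the company has not approved.

Added example (not part of the original article). The log format, the domain
lists, the size threshold and the sample log lines are all constructed for
illustration; a real proxy logs in its own format.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumption: company-sanctioned central storage lives under these domains.
APPROVED_STORAGE_DOMAINS: Set[str] = {"files.corp.example", "backup.corp.example"}

# Assumption: consumer services the BYOD policy prohibits for company documents.
PERSONAL_STORAGE_DOMAINS: Set[str] = {
    "docs.google.com", "drive.google.com", "dropbox.com", "mail.google.com",
}

# Assumption: large uploads to any other unapproved host are worth a look.
UPLOAD_THRESHOLD_BYTES = 1_000_000
UPLOAD_METHODS = {"POST", "PUT"}


@dataclass
class ProxyEvent:
    timestamp: str
    user: str
    method: str
    host: str
    bytes_out: int


def parse_line(line: str) -> ProxyEvent:
    """Parse one line of the constructed format:
    <timestamp> <user> <method> <host> <bytes_out>"""
    ts, user, method, host, bytes_out = line.split()
    return ProxyEvent(ts, user, method.upper(), host.lower(), int(bytes_out))


def _matches(host: str, domains: Set[str]) -> bool:
    """True if host equals, or is a subdomain of, any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(event: ProxyEvent) -> str:
    """Label a single event: 'not-upload', 'approved', 'policy-prohibited',
    'large-upload-unapproved' or 'ok'."""
    if event.method not in UPLOAD_METHODS:
        return "not-upload"
    if _matches(event.host, APPROVED_STORAGE_DOMAINS):
        return "approved"
    if _matches(event.host, PERSONAL_STORAGE_DOMAINS):
        return "policy-prohibited"          # prohibited regardless of size
    if event.bytes_out >= UPLOAD_THRESHOLD_BYTES:
        return "large-upload-unapproved"    # unknown destination, big payload
    return "ok"


def flag_uploads(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, host, reason) for every event that deserves review."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        label = classify(event)
        if label in ("policy-prohibited", "large-upload-unapproved"):
            flagged.append((event.user, event.host, label))
    return flagged


# Constructed sample log: users and hosts are invented for the example.
SAMPLE_LOG = [
    "2024-05-03T09:12:01Z alice PUT files.corp.example 5400000",
    "2024-05-03T09:15:44Z bob POST drive.google.com 2300000",
    "2024-05-03T09:16:10Z bob GET www.example.org 1200",
    "2024-05-03T09:20:05Z carol POST upload.dropbox.com 800000",
    "2024-05-03T09:25:30Z dave PUT cdn.unknown-share.example 4100000",
]

if __name__ == "__main__":
    for user, host, reason in flag_uploads(SAMPLE_LOG):
        print(f"{user:6} -> {host:28} {reason}")
```

The two-tier rule matters in practice: a small upload to a prohibited consumer service is still a policy breach, while a large upload to an unfamiliar host is a lead to investigate rather than a proven violation, so the reason string keeps the two cases apart for whoever triages the alert.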

Containerisation

Companies should create “containerised” communication channels on an employee’s personal phone to mitigate mobile security challenges. This simply separates your company’s applications and data from the employee’s personal activities. How you create this “walled garden” depends on your network and your needs. You can accomplish it by installing zero-trust-enabled applications, requiring at least two-factor authentication to enter the company’s network from a mobile device, or installing a Virtual Private Network (VPN).
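To make the “zero trust” idea concrete, here is the kind of access decision a containerised work app could make before it unlocks company data on a personal phone. This is an added example, not code from the original column or from any MDM product: the posture fields, the 90-day patch threshold, the network labels and the sample devices are assumptions constructed for illustration. It ties together the counter-measures the paragraph lists (a separate work container, a second factor, and a VPN on unsecured Wi-Fi) with the threats from part one (rooting, unsecured Wi-Fi).

```python
"""Zero-trust access check for a containerised work app on a personal phone.

Added example, not code from the original article or from any product. The
posture fields, thresholds, network labels and sample devices are assumptions
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MAX_PATCH_AGE_DAYS = 90   # assumption: deny OS patch levels older than this
NETWORKS = {"corporate-vpn", "trusted-wifi", "open-wifi"}


@dataclass
class DevicePosture:
    user: str
    work_profile_present: bool   # company apps/data live in a separate container
    rooted_or_jailbroken: bool
    screen_lock_enabled: bool
    patch_age_days: int
    mfa_verified: bool           # second factor completed for this session
    network: str                 # one of NETWORKS
    vpn_active: bool


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(p: DevicePosture) -> Decision:
    """Grant access only when every policy requirement holds; otherwise
    return every failed requirement so the user (and the help desk) can fix
    them all at once rather than one per attempt."""
    if p.network not in NETWORKS:
        raise ValueError(f"unknown network label: {p.network!r}")
    reasons: List[str] = []
    if not p.work_profile_present:
        reasons.append("no work container: company data would mix with personal apps")
    if p.rooted_or_jailbroken:
        reasons.append("device is rooted or jailbroken")
    if not p.screen_lock_enabled:
        reasons.append("screen lock disabled")
    if p.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(
            f"OS patch level is {p.patch_age_days} days old (max {MAX_PATCH_AGE_DAYS})"
        )
    if not p.mfa_verified:
        reasons.append("second factor not verified for this session")
    if p.network == "open-wifi" and not p.vpn_active:
        reasons.append("unsecured Wi-Fi without VPN")
    return Decision(allowed=not reasons, reasons=reasons)


def gate(devices: List[DevicePosture]) -> Dict[str, Decision]:
    """Evaluate a batch of devices, keyed by user."""
    return {d.user: evaluate(d) for d in devices}


# Constructed sample devices (users and values are invented).
SAMPLE_DEVICES = [
    DevicePosture("alice", True, False, True, 12, True, "corporate-vpn", True),
    DevicePosture("bob", True, True, True, 5, True, "trusted-wifi", False),
    DevicePosture("carol", False, False, False, 120, False, "open-wifi", False),
    DevicePosture("dave", True, False, True, 30, True, "open-wifi", True),
]

if __name__ == "__main__":
    for user, decision in gate(SAMPLE_DEVICES).items():
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{user:6} {verdict} {'; '.join(decision.reasons)}")
```

Two design choices are worth noting. The check collects every failing requirement instead of stopping at the first, which shortens the enrolment loop for employees; and the VPN requirement is conditional on the network, so a phone on an open hotspot is treated differently from one already inside the corporate tunnel, which is exactly where the containerised app adds value over a blanket ban on personal devices.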

Conclusion

In short, a company can improve the security posture of its employees’ mobile devices with several defensive tools. These tools, which should be deployed based on the smart phone and mobile device’s data taxonomy, can reduce threats/vulnerabilities in data, application and network connectivity.

• NB: About Derek Smith Jr

Derek Smith Jr. has been a governance, risk and compliance professional for more than 20 years. He has held positions at a TerraLex member law firm, a Wolfsburg Group member bank and a ‘big four’ accounting firm. Mr Smith is a certified anti-money laundering specialist (CAMS), and the compliance officer and money laundering reporting officer (MLRO) for CG Atlantic’s family of companies (member of Coralisle Group) for The Bahamas and Turks & Caicos.
