Chief Information Officers should start making sure that mobile devices on their network are as secure as possible. In this article, Larry Dignan describes that the biggest threat to corporate security stems from employees bringing their own devices onto the network. It’s not necessarily the devices that aren’t secure; it’s the people who own the devices who are negligent. Many people still do not have PIN codes on their devices, and if users were to open spam on their phone, many devices automatically download messages in their entirety, allowing malware to install itself. CISOs must implement BYOD policies and enforce mandatory PIN codes and software that allows remote wiping if a phone were to be lost. Since the Internet of Things is becoming more prevalent, people need to be aware that the more devices they have connecting to the internet, the more vulnerable they are. Dignan says that devices should have auto-lock enabled, should be kept within sight at all times, and should have auto-discover Bluetooth turned off. This is some of the advice he gives for securing devices in an organization. He also states that malware will get more significant in the years to come as more and more devices become available to hackers on the internet.
Article: https://hbr.org/2016/09/your-biggest-cybersecurity-weakness-is-your-phone
Ahmed A. Alkaysi says
Mobile security is absolutely necessary in the corporate world, and I don’t think companies are taking it seriously. My work has a policy where you cannot take any pictures on company premises, but I won’t say if there are any other policies in place. I think one of the most basic things employees need to do is avoid putting confidential work-related information on their personal devices. At least at my company, if we bring our laptops to do work, we need to log in to a virtual environment first.
Loi Van Tran says
The company that I work for has very strict policies on BYOD. First, no personal laptops, jump drives or any sort of storage devices are permitted on premises. Secondly, we provide a separate Wi-Fi connection for guests and employees’ personal devices. The user cannot directly connect to the Wi-Fi unless it is approved by the security team, in which case they would provide you a temporary username and password. Only company-approved phones and tablets are authorized to store work documents. These devices are encrypted by the company and provided to the employees on an as-needed basis. Some devices also require the user to have strong authentication. Overall I think the company I work with has very good policies, but as the article stated, the weakest link is still the people.
Jason A Lindsley says
We also have a very strong BYOD policy at our work. We utilize a Mobile Data Management (MDM) solution with a containerized environment for mail, calendar, and contacts. We’ve locked down our webmail so that it cannot be accessed via native applications on the device.
If a device is lost or compromised, it can be remotely wiped from the admin console.
Security policies are pushed to our devices that require the phones to auto lock after 30 seconds and passwords must be reset periodically.
Any documents that are opened from e-mails must be viewed in a content viewer and cannot be saved locally on the device.
While I believe there is still risk associated with any MDM/BYOD solution, I do believe the controls we’ve implemented and those recommended in the article do reduce this risk.
Anthony Clayton Fecondo says
I think the lack of security for mobile phones is really ironic. Cell phones and even smart phones are essentially ubiquitous at this point. These devices have internet connection, cameras, microphones, CPUs, RAM, etc. They are literally miniature computers that most people have and most people store personal information on, yet the call for enhanced security is basically null. If the threat to mobile phones isn’t fully mature yet, I’m sure in the next few years, there will be a lot of buzz about compromises through cellphones and new security technologies for cell phones.