How to secure business mobile devices: a safety checklist

The rise of BYOD has opened up a whole host of security issues

According to the Cyberthreat report from the CyberEdge Group, mobile devices (smartphones and tablets) are perceived as IT security's 'weakest link,' followed by laptops and social media applications, with one in four security professionals doubting whether their organisation has invested adequately in cyberthreat defences.

The small business sector is particularly vulnerable, with the Federation of Small Businesses (FSB) stating that the average SMB loses £4,000 (around $6,250, AU$7,500) a year from cybercrime attacks. The move to adopt more mobile and flexible working practices across the SMB sector has increased these risks. Wireless access to data across your business is a weakness, but one that you are not powerless to improve.

Follow this 10-point checklist to ensure your wireless data services are safe and secure:

1. Develop a security policy

SMBs need to develop a comprehensive security policy that everyone across the company adheres to. Think about the data that your business holds. How is it accessed? Which mobile devices are in use by your employees? The answers to these questions are the foundation on which a robust mobile security policy can be built.

2. What kind of data needs to be secured?

Not all data is equal when it comes to mobile security. Assess the different types of data that mobile devices need to access, store and transport. Some data will be more sensitive than others. Perform a thorough data audit to place your data into security groups that can then have security protocols applied to them.

3. Do you allow BYOD?

The rise of BYOD (Bring Your Own Device), across the SMB community in particular, opens your business to a potential raft of security issues. Think about how your business's security policy has to be designed to take into account the increasing use of BYOD across your organisation. Should your business only issue its own devices to employees?

4. Use data encryption

Whether or not encryption should be used when data is stored or transmitted between mobile devices needs to be carefully assessed. Encryption needs to be seamless if users are to adopt it. There are various encryption systems that can be used. Your threat assessment will reveal the risks your business data faces, which will then give you a guide for which encryption system to use.

5. Passwords for mobile devices

The password is at the heart of secure systems, yet is often the most overlooked element. Secure passwords should be used across all mobile devices to ensure their stored and transmitted data is secure. Read the TechRadar Pro guide to better password security.

6. Remote working

As mobile devices are by their nature used on the move, securing them is vital. VPNs (Virtual Private Networks) are fast to set up, as the market for these services has matured. Your business security policy should require a VPN to be running at all times on every mobile device that is sending or receiving sensitive information.

7. Lost and stolen

SMBs must not become so focused on protecting the data on the mobile devices in use across their enterprises that they overlook the devices themselves. If these devices are lost or stolen, their data can also be compromised. Ensure that your business has considered how to physically secure its mobile devices.

8. Keep up-to-date

Data security on mobile devices is not a set-up-and-forget exercise, as mobile devices change so often. It is vital that your mobile data security policy includes regular reviews that assess whether your current security regime meets all the current threats that the data on these devices faces.

Sophos advises: "The mobile security market is moving very quickly. Mobile devices are being updated on practically a quarter-to-quarter basis versus the conventional slow-moving PC. IT teams should implement a shorter term strategy for mobile devices and then iterate it, rather than attempting to plan for three years in one go."

9. Managing devices

The use of mobile devices for both work and personal purposes has a profound impact on the security of these devices. To help businesses manage this, Mobile Application Management (MAM) and Mobile Device Management (MDM) have been developed.

Dell advises: "A wide range of MDM vendors offer tools for tracking and securing mobile devices, and many offer features like file synchronisation, app sandboxing and secure network tunnels for corporate data. The Gartner Magic Quadrant provides a good survey of the current major players. Over time, we expect to see more and more MDM features included in the major endpoint management solutions from Dell, Microsoft, Symantec and others."

10. Protect the cloud

Using mobile devices across your business will inevitably mean accessing cloud-based services. Your enterprise's security policy should ensure that cloud services are bought from reputable vendors and are designed for business use rather than for consumers, as it is a false economy to try to use low-cost consumer services.

Sophos concludes: "We need a new attitude toward information security: embrace or die. This change of attitude also impacts the future of mobile security and applications. Information security presents us with the interesting challenge of managing risk of allowing devices that in some cases are less secure and more expensive to manage.

"Mobile security in general will continue to be a hot topic. The continuing adoption of emerging apps for personal and business communication widens the attack surface, particularly for social engineering scams and data exfiltration attempts. Your address book and your social connections graph is a treasure for cyber-crooks of all sorts, so be mindful of whom you entrust to access it and why. Mobile and web applications control for business users will help mitigate this risk."