Seven considerations for developing a security strategy for your mobile estate.
If the events of this year have taught us anything, it’s that when it comes to organisations handling data, consumer distrust is at an all-time high. End users have become increasingly wary of where their information goes, how it’s being used and who is accessing it.
In response to this, the EU introduced the General Data Protection Regulation (GDPR) back in May, aiming to improve the way data is handled across Europe and putting more control in the hands of individuals. But perhaps the effects have been felt most significantly by businesses across the globe, as the provisions also extend to non-EU businesses processing the data of EU citizens.
Why is mobile at risk?
The majority of internet traffic now happens on mobile. And in business terms, this translates to employees regularly accessing sensitive employee and customer data from their smartphones.
Unfortunately, most businesses lack the visibility needed to assess this traffic and are therefore left in the dark when it comes to understanding what data is being shared, and where it’s being stored.
Furthermore, there are a number of factors that make mobile devices easy to exploit. From the smaller screen size and on-the-go nature of the platform making it harder to inspect malicious pages, to the lack of privacy and security built into many mobile applications, hackers capitalise on the fact that mobile devices are inherently personal and their users are therefore less cautious with the information they give away.
There is no ‘one size fits all’ approach when it comes to the GDPR, and no such thing as a silver bullet for compliance. However, as is the case with other areas of your organisation, there are a number of criteria that must be considered when developing your GDPR strategy for mobile devices.
1) Prepare a data inventory across your fleet
GDPR guidelines require organisations to have a full understanding of which applications are installed across their fleet, what data these apps are processing and where geographically this data is being transferred. Running an app inventory that allows you to thoroughly analyse the applications across your fleet will help you identify where weak spots may lie within your organisation.
2) Implement appropriate security measures
A good enterprise mobility management (EMM) solution is a sensible place to start in putting such measures in place. Features such as allowing IT managers to white- or blacklist apps according to the needs of your corporate network, or the ability to remotely wipe devices that are lost, can prove especially useful under the GDPR’s requirements for “privacy by design” and “privacy by default”.
3) Perform regular vulnerability assessments
Vulnerabilities are the ‘lurking culprits’ within any mobile fleet. You would likely never know they were there until one was specifically exploited. So, in order to achieve compliance on mobile, you will need to identify risk areas each time you conduct an audit – from users that have enabled third-party installs, to devices running out-of-date operating systems that may be harbouring bugs that have since been fixed. On top of this, your organisation will need to follow up on known breaches within the community to show you’re alerting your employees if their credentials may be exposed.
4) Be consistent in your acceptable use policy
Having devices in your IT infrastructure that can connect to all areas of the web exposes your business to all types of risk. Mitigate this risk by setting up a mobile policy that communicates your company’s views on things like file sharing and social media use, and that mirrors your internal policy. For example: are you blocking gambling applications that may be accessed via their mobile site through the browser? Filtering content for preventative security is an effective way of reducing the risk of a breach.
5) Know your data breach and notification protocols
Under the new legislation, companies must disclose data breaches to regulators and in certain circumstances to affected individuals, within 72 hours of their occurrence.
The longer it takes for you to detect and respond to the threat, the higher the risk and costs are to remediate. Integrate your mobile threat alert systems into your wider security network, ensuring the right notifications get to the right people in the quickest and most digestible way possible.
6) Educate your employees
GDPR is not just an issue for your IT team; it affects, and needs consideration from, every person within your organisation. Familiarise your team with the fundamentals of data protection and how they can help secure their mobile devices. Provide relevant training on topics like mobile phishing and malware, and encourage an open policy that rewards honesty when potential security incidents are escalated to your compliance team.
The right protection
Mobile is a lucrative gateway for businesses and, as such, attackers now tailor their phishing campaigns and design malicious software especially for mobile platforms. In order to mitigate the risk of a breach you need to be confident that you’re proactively protecting against mobile threats by investing in a technology that affords full visibility across your mobile estate.