Mobile Device Security

Publication: VACB (Virginia Association of Community Banks)The Community Banker, Spring 2020

May 15, 2020, 10:00 AM -05:00

As technology has advanced, it has grown to a place where employees are able to stay connected to their work, even after clocking out for the day. Employees can use their laptops, phones, and tablets to continue working or to respond to emails. This is a great aspect for better communication and increasing productivity; however, the security of these devices can get overlooked.

A small percentage of companies supply mobile devices for their employees, but a vast majority of employees bring their own devices. The challenge many companies face is how to secure those devices to protect the sensitive information that is stored on the device or is accessible on it.

The key to ensuring security on these devices is to use a mobile device management solution. When employees need to have access to sensitive information, adding the device to the mobile device manager will require certain security policies to be enforced.

There are several solutions that can be used to enforce security settings. The most common is Microsoft Exchange ActiveSync. A few others include IBM MaaS360, Cisco Meraki Systems Manager, and VMware AirWatch. At a minimum, a mobile device management solution should enforce these settings:

Require a PIN

It is vital to prevent unauthorized access to devices that have sensitive or confidential company information on them. The simplest way to enforce unauthorized access is through a personal identification number (PIN).

PINs should be four characters at minimum, but six or more is even better. Many mobile device management solutions can prevent users from using simple passcodes (e.g., 1234, 0000). Most mobile devices can also use biometrics, which are an even stronger control than a PIN number.

Set an Automatic Timeout

Mobile devices should be set to automatically lock after a maximum of five minutes of inactivity. This will help secure devices that are left unattended.

Encrypt Devices

Some mobile devices come with built-in encryption, but some do not. It is best practice to encrypt all mobile devices and storage cards so that if it is lost or stolen, the information on them will not be accessible.

Implement Remote Wipe Capabilities

Another important feature that most mobile device management solutions support is the ability to remotely wipe a device. This is an important feature in the situation where a device is lost or stolen. The feature will allow you to delete the phone's memory, which helps ensure confidential information is not disclosed. Wiping the device will also delete any personal information, such as pictures and text messages, so ensure all employees are made aware that if they misplace a device, it will be wiped.

When implementing a mobile device management solution in a bring your own device environment, inform employees of the requirements for bringing their own mobile device. This can be done in the on-boarding process and through acceptable use policies. Train employees to promptly report lost or stolen mobile devices so that they can be remotely wiped in a timely manner.

Due to the nature of people staying connected to their work even when they are out of the office, the security aspect of using mobile devices cannot be neglected. Using a mobile device management solution will help greatly to ensure that security controls are implemented and that they are enforced consistently across devices.

Written By

Andrew Hettick

Andrew Hettick is a Security and Compliance Consultant for CoNetrix. CoNetrix is a technology firm dedicated to understanding and assisting with the information and cyber security needs of community banks. Offerings include: information security consulting, IT/GLBA audits, security testing, cloud hosting and recovery solutions, and tandem software, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Programs. Visit our website at www.CoNetrix.com.