Should Mobile Devices be in my Organization's Security Policy?

If your employees are accessing your network from their mobile device in any way, shape, or form, the answer is absolutely, 100%, unequivocally, positively, “yes.”
 
No organization out there can afford to believe that their data is not worth protecting. Far too often, however, security policies stop at the door; while server rooms are on lock-down, the smartphones that tap into them are left completely vulnerable and unmanaged.
 
If you spend thousands of dollars to protect your servers and workstations from intrusion, why would you leave the safety of every employee’s mobile device to their discretion?
 
Far too often we walk into a security audit to find that an organization either completely lacks a mobile device policy, or is making no effort to enforce the policy that is in place. Meanwhile, confidential client information is being transmitted via email and various file-sharing solutions (Dropbox, anyone?).
 
As we mentioned in our previous blog, 75 million smartphones were either lost or stolen last year. Combine that with the fact that almost half of the phones in iScan Online’s security analysis didn’t even have an onscreen password. Getting nervous?
 
The fact of the matter is that if any employee’s device gets a Trojan or has any other sort of vulnerability exploited, your company’s sensitive data is at risk.
 
If you’re subject to HIPAA, PII-protection laws, or Sarbanes-Oxley compliance requirements, you could be risking more than the loss of data.
 
So what are some elements that your mobile device policy should have?
 
For one, you can require your employees to follow the three safety measures that we outlined last week.
 
Most of the responsibility to protect the devices, however, falls on the organization itself. Many businesses have instituted a policy that allows them to wipe a user’s device should it be compromised. While this is good practice, it’s also critical to take proactive measures to prevent any intrusion in the first place.
 
One of the most effective ways to do this is to scan these devices: whenever your users connect to your organization’s wireless network or to company email, you can check that the device is up to date and scan the data being uploaded or downloaded for any red flags.
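To make the connect-time check above concrete, here is an added example (not code from this blog or from any vendor) of a policy gate that evaluates each device’s inventory record against a written mobile device policy and explains every denial. The device records, the policy thresholds, and the field names are assumptions constructed for this illustration; a real deployment would pull these attributes from an MDM/EMM inventory or a network access control agent.

```python
"""Policy-compliance gate for mobile devices at network/email connect time.

Added illustration, not the blog's or any vendor's code. The device
records, policy thresholds and field names below are constructed
assumptions; a real system would read them from an MDM/EMM inventory.
"""
from dataclasses import dataclass, field

# Hypothetical minimum policy; every threshold here is a constructed example.
POLICY = {
    "min_os": {"ios": (12, 0), "android": (9, 0)},   # (major, minor)
    "require_screen_lock": True,                     # the "onscreen password"
    "require_encryption": True,
    "allow_jailbroken": False,
    "max_days_since_checkin": 30,                    # stale devices are unknown risk
}


@dataclass
class Device:
    device_id: str
    platform: str            # "ios" or "android"
    os_version: tuple        # (major, minor), comparable as a tuple
    screen_lock: bool
    encrypted: bool
    jailbroken: bool
    days_since_checkin: int  # days since the device last reported to inventory


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)  # empty when allowed


def evaluate(device, policy=POLICY):
    """Check one device against the policy; return a Verdict listing every failure."""
    reasons = []
    min_os = policy["min_os"].get(device.platform)
    if min_os is None:
        reasons.append(f"unsupported platform {device.platform!r}")
    elif device.os_version < min_os:
        reasons.append(f"OS {device.os_version} below minimum {min_os}")
    if policy["require_screen_lock"] and not device.screen_lock:
        reasons.append("no screen lock configured")
    if policy["require_encryption"] and not device.encrypted:
        reasons.append("device storage not encrypted")
    if device.jailbroken and not policy["allow_jailbroken"]:
        reasons.append("device is jailbroken/rooted")
    if device.days_since_checkin > policy["max_days_since_checkin"]:
        reasons.append(f"no inventory check-in for {device.days_since_checkin} days")
    return Verdict(allowed=not reasons, reasons=reasons)


def gate(devices, policy=POLICY):
    """Evaluate every device; returns {device_id: Verdict} for logging and enforcement."""
    return {d.device_id: evaluate(d, policy) for d in devices}


def denied_ids(devices, policy=POLICY):
    """Sorted ids of devices that should be refused network/email access."""
    return sorted(dev_id for dev_id, v in gate(devices, policy).items() if not v.allowed)


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    Device("phone-01", "ios", (15, 2), True, True, False, 3),       # compliant
    Device("phone-02", "android", (8, 1), False, True, False, 10),  # old OS, no lock
    Device("phone-03", "ios", (14, 0), True, True, True, 45),       # jailbroken, stale
    Device("tablet-04", "android", (11, 0), True, False, False, 1), # unencrypted
]

if __name__ == "__main__":
    for dev_id, verdict in gate(SAMPLE_DEVICES).items():
        status = "ALLOW" if verdict.allowed else "DENY "
        print(f"{status} {dev_id}: {'; '.join(verdict.reasons) or 'compliant'}")
```

The point of returning every failing reason, rather than stopping at the first one, is that the denial message doubles as the remediation list handed to the user or the help desk; the same verdicts can be written to a log so the audit trail shows the policy is actually being enforced.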
 
Put very simply, you must give mobile devices the same amount of attention as your workstations and your servers. Better safe than sorry.
 
What is your organization’s mobile security policy? How is it enforced? What’s the value of the data you’re allowing your employees to carry with them? Email me to work through it!