This post is the eighth in a series on what I consider the top ten topics for any security awareness program. Selecting the topics with the greatest value for your organization is key to a successful program. This series is not designed to tell you what your awareness program must have; instead, these posts are designed to give you recommendations, a place to start. For the eighth topic I like to focus on mobile devices. This category is proving to be one of the most challenging for organizations. The problem with these devices is that they not only have the power and functionality of a computer, but they are also much easier to lose. In addition, many organizations now allow employees to use their personal mobile devices for work. Finally, these technologies are changing so fast that they have become almost a moving target for policies and controls. So where should an organization start?
- The first step is to define what mobile devices are in your organization (tablets, smartphones, MP3 players, what else?). One idea is to define them as the devices that have capabilities similar to a computer, such as the ability to download and install apps or connect to a network. Then decide whether personal mobile devices can be used for work, and what your organization's definition of a personal device is. I have found organizations to have very different definitions and policies on personal devices; it can often be one of the toughest decisions an organization has to make. If you allow personal devices, you may want to ensure you can enforce the controls I recommend below. However, the key point for your awareness program is to make sure you clearly communicate what your organization's definitions and policies on mobile devices are.
- The second point I like to focus on is to treat these devices just like you would a computer. In other words, make sure both the operating system and the apps are always current, and that a firewall and anti-virus are enabled (if that is an option). In addition, just like on your computer, you want to ensure end users install apps only from trusted sources, and only those they need.
- Finally, mobile devices are very easy to lose. I've lost at least one mobile phone myself. With lost devices, a tremendous amount of confidential data can be compromised. Recommend strong PINs or passphrases to protect access, and potentially require employees to encrypt their mobile devices. Also, you may want to consider remote wiping for lost devices. If employees are using personal devices, make sure they know and understand that their personal device may be wiped if it is lost and has work-related information on it.