CHAPTER 14
Information Governance for Mobile Devices

According to CTIA (The Wireless Association), “There are more than 400 million connections in America, equal to 1.2 wireless devices for every person in the country.”1 This is a more than 100% penetration rate, since many users have more than one mobile device. Citizens of China, India, and the European Union (EU) have even greater mobile phone usage than the United States.

Mobile computing has vastly accelerated in popularity over the last decade. Several factors have contributed to this: improved network coverage, physically smaller devices, improved processing power, better price points, a move to next-generation operating systems (OS) such as Google's Android and Apple's iOS, and a more mobile workforce have fueled the proliferation of mobile devices.

Mobile devices include laptops, netbooks, tablet PCs, personal digital assistants (PDAs) like BlackBerry, and smartphones, such as Apple's iPhone and those based on Google's Android platform. What used to be simple cell phones are now small computers with nearly complete functionality, and some unique communications capabilities. These devices all link to an entire spectrum of public and private networks.

A report by IDC noted that “By 2020 mobile workers will account for nearly three-quarters (72.3 percent) of the US workforce.” This significant shift to mobile workers has gained momentum as mobile computing capabilities have improved.2

With these new types of devices and operating environments come new demands for information governance (IG) policies and unknown security risks.3 “The plethora of mobile computing devices flooding into the market will be one of the biggest ongoing security challenges [moving forward] …” the Digital Systems Knowledge Transfer Network, a UK think tank, found. “With mobile devices connecting to Wi-Fi and Bluetooth networks, there are suddenly many more opportunities [for hackers] to get in and steal personal information.”4

The rapid shift toward mobile computing means that companies with mobile personnel like salespeople and service technicians need to be aware of, and vigilant toward, these impending security threats, which can compromise confidential information.

Securing mobile devices is critical: a 2018 study conducted by Ponemon Institute found that data breaches average $3.86 million in direct costs, a more than 6% increase from 2017.5

The reality is that most mobile devices are not designed with security in mind; in fact, some compromises have been made to enable new smartphone operating systems to run on a variety of hardware, such as the Android OS from Google. This is analogous to the trade-offs Microsoft made when developing the Windows operating system to run across a variety of hardware designs from many PC manufacturers.

New techniques by rogue hackers include smishing, which is sending phishing text messages (Short Message Service [SMS], thus “smish”) to unwitting smartphone users, in an attempt to get them to reveal login credentials or to install malware. Smartphone virus infections are particularly difficult to detect and thorny to remove. A user may be unaware that all their data is being monitored and captured and that a hacker may be waiting for just the right time to use it. Businesses can suffer economic and other damage, such as erosion of information assets, or even negative goodwill from a damaged image.

The smartphone market is rapidly expanding with new developments almost daily, each providing criminals with a new opportunity. An International Data Corporation (IDC) report indicated that smartphone sales have outpaced PC sales since 2010, and another IDC report noted that nearly 1.5 billion smartphone devices were shipped in 2017.6 The growth in smartphone sales and new services from financial institutions—such as making deposits remotely by snapping a picture of a check—means that there are new and growing opportunities for fraud and identity theft.

Awareness and education are key. The first line of defense is for users to better understand cybercriminal techniques and to become savvier in their use of information and communications technologies. Holding regular security awareness training (SAT) sessions helps to reduce this risk. Using an entertaining, “gamified” approach, as some SAT suppliers have released, makes SAT training more engaging and fun, and helps employees to retain core concepts.

Biometric authentication technologies (those that use retina, voice, and fingerprint recognition) are mature enough to positively identify a user to ensure the correct person is accessing financial or confidential accounts. Biometric technologies for account access are much harder to hack than traditional passwords, but it is possible using sophisticated techniques.

Application suppliers for mobile devices are first concerned about functionality and widespread adoption, so security is not their top priority. Users must be aware and vigilant to protect themselves from theft and fraud. On a corporate level, organizations must step up their training efforts in addition to adding layers of security technology to safeguard critical electronic documents and data and to protect information assets.

Social engineering—using various ways of fooling the user into providing private data—is the most common approach criminal hackers use, and it is on the rise. Machines do their job, and software performs exactly as it is programmed to do, but human beings are the weakest link in the security chain, and as usage trends in the direction of a more mobile and remote workforce, people need to be trained as to what threats exist, and constantly updated on new criminal schemes and approaches. This training is all part of an overall information governance (IG) effort, controlling who has access to what information, when, and from where.

With more and more sensitive business information being pushed out to mobile devices (e.g. financial spreadsheets, medical test results, business contracts, strategic plans, and the like) and advancing and evolving threats to the mobile realm, IG becomes an imperative; and the most important part of IG is that it is done on an ongoing basis, consistently and regularly. Policies must be reviewed when a new device starts to be utilized, when new threats are uncovered, as employees increasingly use unsecured public WiFi networks, and as business operations change to include more mobile strategies. IT divisions must ensure their mobile devices are protected from the latest security risks, and users must regularly be apprised of changing security threats and new criminal approaches by hackers.

Mobile device management (MDM) is critical to securing confidential information assets and managing mobile devices. Some available MDM technologies can wipe devices free of confidential documents and data remotely, even after they are lost or stolen. They can also provide mass security patch updates. These types of utilities need to be deployed to protect an enterprise's information assets in the mobile environment.

Gartner expanded their definition of MDM, placing it under the umbrella of enterprise mobility management (EMM). While most IG and IT professionals focus mostly on finding robust MDM solutions, the supplier marketplace has started using the broader term of EMM.7 MDM solutions are more limited in scope; most EMM solutions include not only MDM but also Mobile App Management, Mobile Content Management, App Wrapping, Containerization, and other features. The focus is more on the information being secured rather than the device itself, as more and more information is stored in cloud services.

Current Trends in Mobile Computing

With the rapid pace of change in mobile computing, it is crucial to convey an understanding of trends, to better know what developments to anticipate and how to plan for them. When a new mobile device or operating system is released, the best thing may be to first wait to see what security threats pop up. It is important to understand the direction mobile computing usage and deployment are taking, in order to plan and develop IG policies to protect information assets.

From CIOZone.com, here are some top trends in mobile computing:

  1. Long-term evolution (LTE). The so-called fourth generation of mobile computing (4G) is expected to continue to be rolled out across North America over the next several years, making it possible for corporate users to run business applications on their devices simultaneously with Voice over IP (VoIP) capabilities. Many areas offer full 4G capabilities.
  2. WiMax [Worldwide Interoperability for Microwave Access]. As LTE and WiMax networks are deployed in the US, expect to see more netbooks and laptops equipped with built-in radio frequency identification (RFID) and wireless support. [The Microsoft Surface tablet, for instance, does not allow for direct connection.] (WiMax is [a communications] protocol … that provides … much faster speeds than WiFi for fixed and mobile Internet access. The [2011] IEEE 802.16m update pushed the speed to up to 1 gigabit/second fixed speeds.)
  3. 3G and 4G interoperability. [Various wireless providers have] developed a dual mode card that will enable mobile device users to work on both 3G and 4G networks.
  4. Smartphone applications. Third-party software vendors will increasingly make enterprise applications available for smartphones, including inventory management, electronic medical records management, warehousing, distribution, and even architectural and building inspection data for the construction industry.
  5. GPS. Global positioning systems (GPS) will increasingly be used to identify end users by their whereabouts and also to analyze route optimization for delivery workers and service technicians. [Without GPS, apps like Uber and Waze would not exist.]
  6. Security. As new and different types of mobile devices are introduced, corporate IT departments will find it increasingly challenging to identify and authenticate individual end users. As such, expect to see a combination of improvements in both virtual private network (VPN) software and hardware-based VPNs to support multiple device types.
  7. Anti-virus. As more third-party business applications are made available on smartphones and other mobile devices, CIOs will also have to be [more] cognizant about the potential for viruses and worms.
  8. Push-button applications. Let's say a waste disposal truck arrives at an industrial site and is unable to empty a dumpster because a vehicle is blocking its path. Smartphones will increasingly have applications built into them that would make it possible for the disposal truck driver to photograph the impeding object and route the picture to a dispatcher to document and time-stamp the obstruction.
  9. Supplemental broadband. As carriers implement LTE and WiMax networks, companies such as Sprint and Verizon are looking at potentially extending wireless broadband capabilities to small businesses that don't have fiber optic or copper connections on the ground….
  10. Solid state drives (SSD). Corporate customers should expect to see continued improvements in the controllers and firmware built into SSDs in order to improve the longevity of the write cycles in notebooks.8

Security Risks of Mobile Computing

Considering their small size, mobile computing devices store a tremendous amount of data, and storage capacities are increasing with the continued shrinking of circuits and advancement in SSD technologies. Add to that the fact that they are highly portable and often unsecured and you have a vulnerable mix that criminals can target. Considering how often people lose or misplace their mobile devices daily, and what valuable targets they are for physical theft (this author had a laptop stolen in the Barcelona airport, right from under his nose!), the use of mobile devices represents an inherent security risk.

But they don't have to be lost or stolen to be compromised, according to Stanford University's guidelines, intended to help mobile computing device users protect the information the devices contain: “… intruders can sometimes gain all the access they need if the device is left alone and unprotected, or if data is ‘sniffed out of the air’ during wireless communications” (italics added).9 The devices can be compromised with the use of keystroke loggers, which capture every single entry a user makes. This can be done without the user having any knowledge of it. That means company passwords, confidential databases, and financial data (including personal and corporate credit card numbers) are all at risk.

Securing Mobile Data

The first and best way to protect confidential information assets is to remove confidential, unnecessary, or unneeded data from the mobile device. Confidential data should not be stored on the device unless explicit permission is given by the IT department, business unit head, or the IG Steering Committee to do so. This includes price lists, strategic plans, competitive information, photo images of corporate buildings or coworkers, protected health information (PHI), and financial data such as tax identification numbers, company credit card or banking details, and other confidential information.

If it is necessary for confidential or sensitive data to be stored on mobile devices, there are options to secure the data more tightly, like USB drives, flash drives, and hard drives that have integrated digital identity and cryptographic (encryption) capabilities.

Mobile Device Management (MDM)

Mobile device management (MDM), now sometimes conflated with the broader term enterprise mobility management, is software that helps organizations to remotely monitor, secure, and manage devices such as smartphones and tablet PCs.10 MDM improves security and streamlines enterprise management of mobile devices by providing ways to contact the remote devices individually or en masse to add, upgrade, or delete software, change configuration settings, and “wipe” or erase data, and make other security-related changes and updates. More sophisticated MDM offerings can manage not only homogenous company-owned mobile devices, but also those that employees use in the workplace in a bring-your-own-device (BYOD) environment.

The ability to control configuration settings and secure data remotely allows organizations to better manage and control mobile devices, which reduces the risk of data leakage, and reduces support costs by providing more uniformity and the ability to monitor and enforce company-dictated IG policy for mobile devices.

Key vendors in the MDM marketplace include VMware AirWatch, Apple (Profile Manager), Ivanti, BoxTone, Centrify, Citrix, Good Technology (acquired by BlackBerry), IBM (Endpoint Manager for Mobile Devices), Microsoft, MobileIron, SAP Afaria, Sophos, SOTI, and Symantec (Mobile Suite).

Rapid growth is expected in the MDM marketplace and the broader EMM market, which is estimated to grow to $2.2 billion by 2022, according to a 2017 study by Strategy Analytics.11 According to Gina Luk, author of the report, “The two leaders in this space are VMware AirWatch, with 19 percent, and BlackBerry/Good Technology, with 18 percent. However, MobileIron, Citrix and Microsoft all displayed strong signs of growth…. Even SAP, IBM, SOTI, Sophos, and Symantec are challenging the top players in this space for market share.” Luk went on to say, “Mobile security and growth in BYOD (bring your own devices) are primary drivers behind EMM adoption.”

EMM platforms are transitioning from “tactical device management tools to broader unified end-user computing management (UEM) platforms, crossing mobile devices, apps, and data, as well as traditional computing platforms such as laptops and PCs,” according to the reports.

Trends in Enterprise Mobility Management

Some major trends are clearly emerging in mobility management, including:

  • IoT explosion—as more and more types of devices are connected to the Internet, the challenge to manage and secure the content on those devices will also grow.12 IoT devices can provide hackers an entryway into an organization, especially if default passwords are not changed and security updates are not applied. EMM software can assist in managing and controlling these new IoT devices;
  • Unified endpoint management—will help enterprises secure smartphones, laptops, remote printers, and IoT devices. IBM is a leader in this area and new players are entering the market;
  • Deploying AI—Artificial intelligence is increasingly being used to detect and quickly counter sophisticated malware attacks;
  • Improved BYOD management capabilities—a heterogeneous mobile environment presents greater challenges, and with the advent of new IoT devices, even more complicated security threats. New capabilities will have more privacy and security capabilities.13

IG for Mobile Computing

Stanford University's guidelines are a helpful foundation for IG of mobile devices. They are “relatively easy to implement and use and can protect your privacy” and safeguard data “in the event that the device becomes compromised, lost or stolen.”

Smartphones and Tablets

  • Encrypt communications. For phones that support encrypted communication (secure sockets layer [SSL], virtual private network [VPN], hypertext transfer protocol secure [https]), always configure defaults to use encryption.
  • Encrypt storage. Phones approved to access confidential information assets must encrypt their bulk storage with hardware encryption.
  • Password protection. Configure a password to gain access to and/or use the device. Passwords for devices that access confidential information assets should be at least seven characters in length, and use upper- and lowercase letters, as well as some numerical characters. Passcodes should be changed every 30 days.
  • Timeout. Set the device so that it is locked after a period of idleness or timeout, perhaps as short as a few minutes.
  • Update. Keep all system and application patches up to date, including mobile OS and installed applications. This allows for the latest security measures and patches to be installed to counter ongoing threats.
  • Protect from hacking. Phones approved to access confidential and restricted data must not be jailbroken (hacked to gain privileged access on a smartphone using the Apple iOS) or rooted (typically refers to jailbreaking on a smartphone running the Android operating system). The process of rooting varies widely by device. It usually includes exploiting a security weakness in the firmware shipped from the factory. “‘Jailbreaking’ and ‘rooting’ removes the manufacturer's protection against malware.”
  • Manage. Phones approved to gain access to confidential information assets must be operating in a managed environment to maintain the most current security and privacy settings and monitor use for possible attacks.14
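An added example, not part of the chapter or of the Stanford guidelines it quotes: a compliance check that evaluates a smartphone posture record against the controls listed above (a passcode of at least seven characters with upper- and lowercase letters and digits, rotated every 30 days, an idle lock, encrypted storage, current patches, no root or jailbreak, and enrolment in a managed environment). The posture record layout, the 300-second idle cap and the 30-day patch window are assumptions standing in for what an MDM agent would report to its console.

```python
from dataclasses import dataclass
from datetime import date
import re
from typing import Dict, List

MIN_PASSCODE_LEN = 7          # from the guideline above
MAX_PASSCODE_AGE_DAYS = 30    # from the guideline above
MAX_IDLE_LOCK_SECONDS = 300   # assumption for "a few minutes"
MAX_PATCH_AGE_DAYS = 30       # assumption for "up to date"


def passcode_policy_ok(candidate: str) -> bool:
    """Complexity rule from the text: length, upper, lower, and digits.

    Meant to run on the device when a passcode is set; only the boolean
    result is reported to management, the secret never leaves the device.
    """
    return (len(candidate) >= MIN_PASSCODE_LEN
            and re.search(r"[A-Z]", candidate) is not None
            and re.search(r"[a-z]", candidate) is not None
            and re.search(r"[0-9]", candidate) is not None)


@dataclass
class DevicePosture:
    """Constructed posture record, as an MDM agent might report it (assumed layout)."""
    device_id: str
    passcode_set: bool
    passcode_length: int          # length only; the passcode itself is not reported
    passcode_complexity_ok: bool  # result of passcode_policy_ok, computed on the device
    passcode_changed: date
    idle_lock_seconds: int        # 0 means the idle lock is disabled
    storage_encrypted: bool
    os_patch_level: date          # release date of the newest installed OS patch
    rooted_or_jailbroken: bool
    mdm_enrolled: bool
    accesses_confidential: bool = True


def evaluate(p: DevicePosture, today: date) -> List[str]:
    """Return one "control: detail" string per violated control (empty = compliant)."""
    failures: List[str] = []
    if not p.passcode_set:
        failures.append("password-protection: no passcode configured")
    else:
        if p.passcode_length < MIN_PASSCODE_LEN:
            failures.append(f"password-length: {p.passcode_length} < {MIN_PASSCODE_LEN}")
        if not p.passcode_complexity_ok:
            failures.append("password-complexity: missing upper/lower/digit classes")
        age = (today - p.passcode_changed).days
        if age > MAX_PASSCODE_AGE_DAYS:
            failures.append(f"password-rotation: passcode is {age} days old")
    if p.idle_lock_seconds <= 0 or p.idle_lock_seconds > MAX_IDLE_LOCK_SECONDS:
        failures.append(f"timeout: idle lock {p.idle_lock_seconds}s not within 1..{MAX_IDLE_LOCK_SECONDS}s")
    patch_age = (today - p.os_patch_level).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        failures.append(f"update: newest patch is {patch_age} days old")
    if p.accesses_confidential:
        # The text reserves these three controls for phones approved to
        # access confidential information assets.
        if not p.storage_encrypted:
            failures.append("encrypt-storage: bulk storage is not encrypted")
        if p.rooted_or_jailbroken:
            failures.append("protect-from-hacking: device is rooted or jailbroken")
        if not p.mdm_enrolled:
            failures.append("manage: device is not enrolled in management")
    return failures


def compliance_report(devices: List[DevicePosture], today: date) -> Dict[str, List[str]]:
    """Map each device id to its violations; an empty list means compliant."""
    return {d.device_id: evaluate(d, today) for d in devices}


# Constructed sample posture records: one compliant phone, one that fails
# every control except having a passcode set at all.
SAMPLE_DEVICES = [
    DevicePosture("phone-ok", True, 10, True, date(2018, 6, 15), 120, True,
                  date(2018, 6, 20), False, True),
    DevicePosture("phone-bad", True, 4, False, date(2018, 3, 1), 900, False,
                  date(2018, 1, 10), True, False),
]


def sample_report() -> Dict[str, List[str]]:
    """Evaluate the constructed sample as of a fixed date so results are stable."""
    return compliance_report(SAMPLE_DEVICES, date(2018, 6, 30))


if __name__ == "__main__":
    for dev, problems in sample_report().items():
        status = "compliant" if not problems else f"{len(problems)} violation(s)"
        print(f"{dev}: {status}")
        for line in problems:
            print("  -", line)
```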

Portable Storage Devices

  • These include thumb drives or memory sticks, removable hard drives, and even devices like iPods that are essentially mobile disk storage units with extra bells and whistles.
  • Create a user name and password to protect the device from unauthorized access—especially if lost or stolen.
  • Utilize encryption to protect data on devices used to store and/or transport confidential information assets.
  • Use additional levels of authentication and management for accessing the device, where possible.
  • Use biometric identification to authenticate users, where possible.

Laptops, Netbooks, Tablets, and Portable Computers

  • Password protect: This is the most basic protection, yet it is often not used. Create a user name and password to protect the device from unauthorized access; require that they are entered each time the computer is used.
  • Timeout: Require that the password is re-entered after a timeout period for the screensaver.
  • Encryption: Laptops, notebooks, or tablets used to access confidential information assets should be required to be encrypted with whole disk encryption (WDE).
  • Secure physically: Physical locks should be used “whenever the system is in a stationary location for extended periods of time.”15

Building Security into Mobile Applications

While it is a relatively new channel, mobile e-commerce is growing rapidly, and new software applications or apps are emerging for consumers as well as business and public sector enterprises. These apps are reducing business process cycle times and making the organizations more agile, more efficient, and more productive. There are some key strategies that can be used to build secure apps.

As is the case with any new online delivery channel, security is at the forefront for organizations as they rush to deploy or enhance mobile business apps in the fast-growing smartphone market. Their priorities are different from those of the software developers churning out apps.

In the banking sector, initially many mobile apps limited customers to a walled off set of basic functions—checking account balances and transaction histories, finding a branch or ATM location, and initiating transfers—but “a new wave of apps is bringing person-to-person payments, remote deposit capture and bill pay to the mobile channel. Simply, the apps are getting smarter and more capable. But with those capabilities comes the potential for greater threats” (italics added).16

Security experts state that most of the challenges that could result from mobile fraud have not been seen before. Mobile e-commerce is relatively new and has not been heavily targeted—yet. Industrial espionage and the theft of trade secrets by targeting mobile devices are also going to be on the rise and the focus of rogue competitive intelligence-gathering organizations. So user organizations have to be even more proactive, systematic, and diligent in designing and deploying mobile apps than they were with web-based apps.

Software developers of mobile apps necessarily seek the widest audience possible, so they often deploy them across multiple platforms (e.g. Apple's iOS, Google's Android, TCL Communication's BlackBerry, and others) and this forces some security trade-offs: enterprises have to build apps for the “strengths and weaknesses intrinsic to every device, which adds to the security challenges” (italics added).17

A side effect of mobile app development efforts from the user perspective is that it can reshape the way they interact with core information management (IM) applications within the enterprise.

The back-office IM systems such as accounting, customer relationship management (CRM), human resources, and other enterprise apps that drive online and mobile access are the same as before, but the big difference comes in how stakeholders, including employees, customers, and suppliers, are interacting with the enterprise. In the past, when deploying basic online applications for browser access, there was much more control over the operating environment; whereas with newer mobile applications running on smartphones and tablets, that functionality has been pushed out to the end-user device.

Real Threats Are Poorly Understood

The list of threats to mobile apps is growing, and existing threats are poorly understood, in general. They are just too new, because mobile commerce by downloadable app is still a relatively new phenomenon. So the current list of threats is not complete or well understood. This does not mean the threat is not real; it may originate in aspects surrounding the app rather than the app itself, for example the unsecured network users are on, or an infection of some sort on the device.

For mobile apps, antivirus protection is not the focus as it is in the PC world; the security effort mostly focuses on keeping malware off the device itself by addressing secure software development methods and network vulnerabilities. Surely, new types of attacks on mobile devices will continue to be introduced (like smishing). That is the one thing that can be counted on.

There have been some high-profile examples of mobile devices being compromised. In 2017, it was reported that White House Chief of Staff John Kelly had been using a compromised smartphone for several months. Wired magazine reported that, “The breach was apparently discovered over the summer, when Kelly gave the smartphone to White House tech support after having problems with it and struggling to successfully run software updates.”18 This is more common than one would think. We often do not know our smartphones have been compromised until the device stops working because of the hack.

Incidents like this and many others make it imperative to understand the mobile app marketplace itself in order that effective IG policies and controls may be developed, deployed, and enforced. Simply knowing how Google has approached soliciting app development is key to developing an IG strategy for Android devices. Their relative open-door approach initially meant that almost anyone could develop and deploy an app for Google Android. While the open-door policy has evolved somewhat to protect Android users, it is still quite easy for any app developer—well-intentioned or malicious—to release an app to the Android Marketplace. This can pose a risk to end users, who sometimes cannot tell the difference between a real app released by a bank and a banking app built by a third party, which may be fraudulent. Apple has taken a more prudent and measured approach by enforcing a quality-controlled approval process for all apps released to its iTunes App Store. Sure, it slows development, but it also means apps will be more thoroughly tested and secure.

Both approaches, Android and Apple, have their positives and negatives for Google and Apple, and for their users. But clearly, Apple's more curated and quality-controlled approach is better from a security risk standpoint.

Understanding the inherent strengths and, perhaps more important, weaknesses of specific mobile hardware devices and operating systems—and their interaction with each other—is key when entering the software design phase for mobile apps.

It's a different development environment altogether. Windows programmers will experience a learning curve. Mobile apps under Android or Apple operating systems operate in a more restricted and less transparent file management environment.

Bearing that in mind—regardless of the mobile OS—first ensure that data is secured, and then check the security of the application itself. That is, practice good information technology (IT) governance to ensure that the software source code is also secure. Malicious code can be inserted into the program and once it is deployed the hackers will have an easy time stealing confidential data or documents.

Innovation Versus Security: Choices and Trade-offs

As organizations deploy mobile apps, they must make choices, given the limited or confined software development environment and the need to make agile, intuitive apps that run fast so that users will adopt them. To ensure that a mobile offering is secure, many businesses are limiting their apps’ functionality. So stakeholder users get mobile access that they didn't have before, and a new interface with new functionality, but it is not possible to offer as much functionality as in web apps. And more security means some sacrifices and choices will need to be made versus speed and innovative new features.

Some of the lessons learned in the deployment of online Web apps still apply to mobile apps. Hackers are going to try social engineering like phishing (duping the user into providing access or private information), smishing, and assuming the identity of an account holder, bank, or business. They will also attempt man-in-the-middle attacks where data is “sniffed” out of the air during wireless transmission.

With mobile applications, the most used mode of operation is operating the app directly on a mobile device such as a smartphone. This is a key difference between apps and traditional PC-based interfaces that rely on browser access or using basic mobile phone text messaging. Connecting to a business via app can be more secure than relying on a browser or texting platform, which require an additional layer of software (e.g. the browser, texting platform, or WiFi connection) to execute sensitive tasks. These security vulnerabilities can compromise the safety of information transmitted to a secure site. Thankfully, if the app is developed in a secure environment, it can be entirely self-contained, and the opportunity to keep mobile data secure is greatest when using the app as opposed to a browser-based platform.

This is because a mobile app provides a direct connection between the user's device and the business, governmental agency, or e-commerce provider. Some security experts believe that mobile apps potentially could be more secure because they can communicate on an app-to-app (or computer-to-computer) level, as opposed to browser-based access on a PC.

In fact, “a customer using a bank app on a mobile network might just be safer than a customer accessing online banking on a PC using an open Wi-Fi connection” that anyone can monitor.19

How do you combat this browser-based vulnerability if it is required to access an online interface? The most effective and simplest way to counter security threats in the PC-based browser environment and to eliminate man-in-the-browser or man-in-the-middle attacks is to use two different devices, rather than communicate over a standard Internet connection. This approach can be built into IG guidelines.

Consider this: mobile apps can render greater security. For example, do you receive alerts from your bank when hitting a low balance threshold? Or a courtesy e-mail when a transaction is posted? Just by utilizing these types of alerts—and they can be applied to any type of software application beyond banking—tech-savvy users can serve as an added layer of protection themselves. If they receive an alert of account activity regularly, they may be able to identify fraudulent activity immediately and act to counter it and stop it in its tracks, limiting the damage, and potential exposure of additional private data or confidential information assets.

Best Practices to Secure Mobile Applications

Mobile computing is not going away; it is only going to increase in the future. Most businesses and governments are going to be forced to deploy mobile apps to compete and provide services customers will require. There is the potential for exposure of confidential data and e-documents, but this does not mean that organizations must shy away from deploying mobile apps.20 There are some proven best practice approaches, which can help to ensure that mobile apps are secure.

There are some steps that can be taken to improve security—although there can never be any guarantees—and some of these should be folded into IG guidelines in the policy development process. BankTech magazine identified six best practices that can shape an organization's app development process:

  1. Make sure your organization or outside development firm uses seasoned application developers who have had secure-coding training and use a secure software development life cycle (SDLC).
  2. [Developed for banking apps, this approach can be applied to other vertical apps, too.] Follow the guidance suggested by the Federal Deposit Insurance Corp. (FDIC FIL-103-2005) regarding authentication in an Internet banking environment. The guidance describes enhanced authentication methods, such as multifactor authentication, that regulators expect banks to use when authenticating the identity of customers using the bank's online products and services.
  3. Make sure that the customer (or employee) is required to re-enter his or her credentials after a certain time period to prevent someone other than the mobile device's owner from obtaining access to private account information.
  4. Hire an information security expert to assess the security around your mobile application servers. Unfortunately, an organization's servers are often overlooked during a risk assessment, as they require a specialized skill set to test them.
  5. Encrypt sensitive data that is stored on a mobile device and account data that travels from the handset across the Internet. Ensure that the encryption is implemented properly.
  6. Hire a security expert to test the security of a mobile application before you implement it across your customer base. (all italics added.)21
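Practice 3 above (forcing the user to re-enter credentials after a set period) is easy to state and easy to get wrong: a session that is only refreshed on activity never ends for a device that is left unlocked, and a session that only has a hard lifetime lets a stolen handset be used for hours. The following is an added illustration, not code from the book or from BankTech, of a server-side session store that enforces both an idle timeout and an absolute lifetime, so the app must ask for credentials again when either is exceeded. The timeout values, the `SessionStore` and `FakeClock` class names, and the sample user name are all assumptions made for the example; stored tokens are kept only as a one-way digest so that a copy of the store cannot be replayed.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Server-side sessions with an idle timeout and an absolute lifetime.

    Policy values are hypothetical for this example: a session ends after
    `idle_timeout` seconds without activity, and unconditionally after
    `absolute_timeout` seconds since login. In both cases validate() returns
    None and the app must require the user's credentials again.
    """

    def __init__(self, idle_timeout=300, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._clock = clock            # injectable clock so expiry can be tested
        self._sessions = {}            # token digest -> session record

    @staticmethod
    def _digest(token):
        # Only a one-way digest of the bearer token is stored server-side.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user):
        """Issue a fresh random bearer token after the user has authenticated."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._digest(token)] = {
            "user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user for a live session, or None if re-authentication is required."""
        key = self._digest(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        now = self._clock()
        too_old = now - rec["created"] > self.absolute_timeout
        too_idle = now - rec["last_seen"] > self.idle_timeout
        if too_old or too_idle:
            del self._sessions[key]    # expired: credentials must be re-entered
            return None
        rec["last_seen"] = now         # activity slides the idle window only
        return rec["user"]

    def logout(self, token):
        self._sessions.pop(self._digest(token), None)


class FakeClock:
    """Deterministic clock for exercising the timeouts offline (constructed for the example)."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk one session through the idle limit and another through the absolute limit."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=300, absolute_timeout=3600, clock=clock)
    results = []

    tok = store.create("alice")                 # hypothetical user
    results.append(store.validate(tok))         # live: "alice"
    clock.advance(299)
    results.append(store.validate(tok))         # 299 s idle, still live: "alice"
    clock.advance(301)
    results.append(store.validate(tok))         # 301 s idle: None, re-auth required

    tok2 = store.create("alice")
    for _ in range(12):                         # steady activity keeps the idle window open
        clock.advance(290)
        store.validate(tok2)
    clock.advance(290)                          # 3770 s since login exceeds the absolute limit
    results.append(store.validate(tok2))        # None despite recent activity
    return results


if __name__ == "__main__":
    print(demo())
```

The two limits serve different threats: the idle timeout bounds what an unattended, unlocked handset exposes, while the absolute timeout bounds how long a captured token remains usable regardless of activity. Real apps typically pair this with the device-side lock the policy discussion later in this chapter calls for.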

Developing Mobile Device Policies

Where do you start? Developing a comprehensive mobile strategy is key before you craft your mobile device policies. You will need input from a variety of stakeholders, and you will need to understand where mobile devices fit in your overall technology infrastructure and strategy. Here are some best practices for developing your mobile device policies:22

  1. Form a cross-functional mobility strategy team—you will need the input of primary stakeholder groups including IT, field business units, and human resources (HR, for policy creation and distribution). Your strategy development process should also tap into the expertise of your risk management, compliance, records management, and legal departments. The aim will be to balance risks and benefits to improve employee productivity and guard against risk while focusing on the goals and business objectives of the organization.
  2. Clarify goals for your mobile strategy—start your discussion with the big picture, the broader view of the business drivers, challenges, threats, and opportunities that mobile computing provides in today's technology context and your business context. Draw a direct line from your mobile business needs to your planned mobile support strategy and infrastructure. Keep your business goals in mind and link them to the discussion.
  3. Drill down into policy requirement details—you may want to survey other existing mobile device policies to inform your mobility strategy team. Those from peer organizations and competitors will be most relevant. Then start with the basics: which types of devices and operating systems make sense for your organization to support, what changes and trends are occurring in the technology marketplace, which sensitive e-documents and data you must protect (or disallow) on mobile devices, and what available security technologies (e.g., EMM, MDM, mobile virtual private networks (VPNs), encryption, and information rights management (IRM)) you might deploy. It may be helpful to segment your mobile users into broad categories and break out a list of their specific business needs related to mobile computing. Your strategy and policies for executives will be somewhat different from those for users in field business units. And you will need BYOD policies if your organization opts to go this route.
  4. Budgeting and expense control—Is the organization going to buy devices and pay all mobile expenses through direct billing each month? What cost controls need to be in place? Or will mobile device expenses be reimbursed at a flat rate or by processing expense reports? What about BYOD? Limits on roaming charges? Decisions on the financial and cost control aspects of mobile computing use must be made by your mobility policy team, under the guidance of an executive sponsor.
  5. Consider legal aspects and liability issues—Consult your legal counsel on this. What key laws and regulations apply to mobile use? Where could users run afoul? What privacy and security issues are most prominent to consider? What about the private data that users may hold on their own (BYOD) devices? An overarching consideration is to maintain security for private information, and to have a policy in place for data leaks and lost or stolen devices. That includes your policy on remote “wipes” of sensitive data or perhaps all data.
  6. Weigh device and data security issues—since most mobile devices—especially smartphones—were not designed with security as a foremost consideration, you must take steps to protect your sensitive data, and to secure the devices themselves, without impeding business or making operation too difficult for the end user. The world of mobile computing presents new challenges that were not present when IT had full control of endpoint devices and your internal network. So clear mobile security policies and controls must be in place.
  7. Develop your communications and training plan—users must be apprised and reminded of your mobile device policy if they are going to adhere to it. They also need to know the consequences of violating your policies. Your communications and training plan should be creative—from wall posters to text and e-mail messages, from corporate newsletters to group training sessions. You may want to first pilot your new policy with a small group of users. But communication and training are key: a perfect mobile device policy won't work if it is not communicated properly and users are not trained properly.
  8. Update and fine-tune—There will be some misses: places where, after you deploy your mobile policy, you find room for improvement. You will also receive user feedback, which should be considered. And there will be changes in the technology marketplace and in user trends. A program must be in place to periodically (every six months, perhaps) review your mobile device policy and any audit information and make improvements to the policy.

Notes

  1. CTIA, “Industry Data,” https://www.ctia.org/the-wireless-industry/infographics-library (accessed September 16, 2018).
  2. Andrew Burger, “IDC: Mobile Workers Will Make Up Nearly 75 Percent of U.S. Workforce,” June 23, 2015, https://www.telecompetitor.com/idc-mobile-workers-will-make-up-nearly-75-percent-of-u-s-workforce.
  3. Stacy Collett, “Five New Threats to Your Mobile Security,” CSO, August 1, 2017, https://www.csoonline.com/article/2157785/data-protection/five-new-threats-to-your-mobile-security.html.
  4. Warwick Ashford, “Mobility among the Top IT Security Threats in 2011, Says UK Think Tank,” Computer Weekly, January 7, 2011, www.computerweekly.com/Articles/2011/01/07/244797/Mobility-among-the-top-IT-security-threats-in-2011-says-UK-think.htm.
  5. “IBM Study: Hidden Costs of Data Breaches Increase Expenses for Businesses,” July 11, 2018, https://newsroom.ibm.com/2018-07-11-IBM-Study-Hidden-Costs-of-Data-Breaches-Increase-Expenses-for-Businesses.
  6. “Smartphone Vendor,” https://www.idc.com/promo/smartphone-market-share/vendor (accessed September 16, 2018).
  7. Tess Hanna, “What's the Difference Between EMM and MDM Anyway?” Solutions Review, May 7, 2018, https://solutionsreview.com/mobile-device-management/whats-the-difference-between-emm-and-mdm-anyway/.
  8. Bill Gerneglia, “Top Ten Trends in Mobile Computing,” CIO Zone, http://mycioview.com/entry/top-ten-trends-in-mobile-computing (accessed September 16, 2018).
  9. Stanford University, “Guidelines for Securing Mobile Computing Devices,” www.stanford.edu/group/security/securecomputing/mobile_devices.html#Risks (accessed September 16, 2018).
  10. Markus Pierer, “Mobile Device Management (MDM),” in Mobile Device Management (Wiesbaden: Springer Vieweg), doi:10.1007/978-3-658-15046-4_2.
  11. Ashley Troutman, “Enterprise Mobility Management Market to Reach $2.2B by 2022,” Solutions Review, November 15, 2017, https://solutionsreview.com/mobile-device-management/enterprise-mobility-management-market-reach-2-2b-2022/.
  12. Rahul Sharma, “Enterprise Mobility Management: Know These Key Trends or Be Left Behind,” TechGenix, June 4, 2018, http://techgenix.com/enterprise-mobility-management-trends/.
  13. Ibid.
  14. Stanford University, “Guidelines for Securing Mobile Computing Devices.”
  15. Ibid.
  16. Ibid.
  17. Ibid.
  18. Lily Hay Newman, “The Worst Case Scenario for John Kelly's Hacked Phone,” Wired, October 6, 2017, https://www.wired.com/story/john-kelly-hacked-phone/.
  19. AU: Please provide text for note 19.
  20. Beau Woods, “6 Ways to Secure Mobile Apps,” Bank Systems and Technology, May 26, 2011, www.banktech.com/architecture-infrastructure/229700033.
  21. Ibid.
  22. Alan Joch, “How to Create an Effective Mobile Device Policy,” BizTech, March 26, 2013, http://www.biztechmagazine.com/article/2013/03/how-create-effective-mobile-device-policy.
  23. Markus Pierer, “Mobile Device Management (MDM).”