Do your employees receive work calls, texts, or emails on mobile devices? Do you have strategies in place to minimise the security gaps this can create?
As businesses, we’re online more than ever before. So are our employees. It’s a great opportunity to provide better service to customers. But there’s a dark side, too.
Blurred lines between business and personal devices have been a major factor in some of Australia’s high-profile data breaches. We often relax our security protocols on personal devices for ease of use. That makes life simpler – but it can also provide attackers with access to your business data.
I’ve outlined 5 things that you can do to draw better boundaries between personal and work life – and secure your data.
1. Offering Work Devices vs Personal Devices
While it’s tempting to have employees use personal devices (fewer to carry, lower upfront costs), there are drawbacks:
- Apps that can view files can potentially access secure client information.
- People usually relax their guard with personal devices. They don’t use a screen lock, they give the device to children to play with, and they install games and mature content.
- Social media apps make it easy to use and share content from personal devices.
To avoid these problems, issue your employees with mobile devices that are for work use only. Once staff can access your systems with your work devices, disallow access from personal devices. No checking email from your own mobile phone – use the work device. Because the devices belong to you, you can be more specific about what people can and can’t do with them.
Learning points
- Provide work-specific devices to your employees.
- Limit access to your business content to only those devices.
- You can have more control over devices you provide to employees, compared to personal or BYOD.
2. Install endpoint security on mobile devices
We often hear that mobile devices are invulnerable to malicious software and viruses. That’s not true, though. Mobile devices are at just as much risk as desktops and laptops, if not more.
Endpoint security apps monitor devices for suspicious activity. They watch for intrusion attempts and malware activity. Use these apps to help prevent vulnerabilities being exploited. Where possible, use the same endpoint app on your staff laptops, desktops, and mobile devices. This improves usability for staff. More importantly, it’s simpler for your IT team to monitor all devices if they have a ‘single pane of glass’ dashboard rather than multiple logs to watch.
Learning points
- Use the same protective apps across all devices in your organisation.
- If you can’t use the same apps on every device, ensure they can all work with a single monitoring system. This lets you keep an eye on the security status across all devices.
3. Set rules for apps that can be installed
Mobile devices can do just about anything today that we can imagine. That doesn’t mean it’s always a good idea. Apps can be great tools, but even non-malicious, useful apps can open security gaps in your network. And bait apps – often packaged as games or mature entertainment – are designed to be malicious and take advantage of any security weaknesses.
To limit the dangers of mobile apps accessing your data, ensure that only approved ones can be used. Create a safe list of apps that the devices can install.
Learning points
- Put together a list of approved apps that pass a security audit.
- Restrict work mobile devices to this list. Users can’t install their own apps without specific permission.
4. Impose screen lock times and unlock requirements
Employees can take mobile devices with them anywhere they go. It’s handy for staying in touch; not so great from a security point of view. Extra mobility can put your data within reach of a lot of strangers. For some industries, even idle curiosity can cause a breach of confidentiality.
While you can give your team rules about always keeping their device in sight or locked up, it’s smart to be prepared for simple mistakes. People can’t always protect against devices being stolen or lost, either. Set strong automatic locking, notification, and unlock authentication settings to prevent unauthorised people from accessing the device.
Learning points
- Make sure the device locks and displays only the lock screen if it has not been used for a few minutes.
- Limit what shows in the notifications on the lock screen, so that there is no sensitive or private information displayed.
- Use passwords or biometric options like fingerprint or facial recognition to unlock.
5. Teach your employees how to keep their mobile devices secure
The first 4 steps can improve your organisation’s mobile device security. However, they work best when the people using the devices understand:
- Why the restrictions exist.
- How to use their devices safely.
- What benefits mobile device security brings to you and your team.
Learning points
- Teach your team to adopt good practices with high-quality, engaging cyber security awareness training.
Need help?
Improving your cyber security can feel like a daunting task. Prioritising cyber security awareness training is key to effectively mitigating threats and protecting your organisation.
About PhishNet
PhishNet trains people to recognise everyday scams and cyber threats through our Cyber Security Awareness Training platform. With clear, measurable results, organisations can meet compliance requirements and proactively reduce the risk of cyber incidents. Talk to us about how awareness training can help protect your people and business.