Mobile device
security in the
workplace:
five policies
you must have

Like laptops and printers, smartphones affect your organization's endpoint security. Any device connected to your network presents an opportunity for cyber criminals to gain access to your systems. More organizations are embracing bring-your-own-device (BYOD) policies and are transitioning to a hybrid work environment with some employees working remotely. However, employees' home networks may not be as secure as office networks. Plus, they may download various apps, use unsecured public Wi-Fi or leave their phones unlocked, increasing the risk for security incidents such as man-in-the-middle (MITM) attacks and data breach.  As found in the 2023 Data Breach Investigations Report, you don’t have to be a large organization to have a good chance that one of your members has received a malicious URL or even installed a malicious APK.

Research indicates that 1 in 3 organizations has experienced a data breach stemming from mobile devices. In one incident, hackers installed malware within a popular social media app, affecting 25 million smartphone users. These types of data breaches can cost organizations millions of dollars in remediation and recovery costs, not to mention lost time and operational efficiency. It also can erode trust between a business and its customers, which is why your organization should look to these five mobile device policy examples to bolster your overall workplace cybersecurity policy.

Shadow IT is an ongoing challenge for organizations. In order to reduce the risk of employees downloading unauthorized apps, you need to set clear policies for what is and isn't acceptable.

An acceptable use policy outlines when, where and why employees can connect their mobile device to your company's network. It also specifies responsibilities for bring your own device (BYOD) users, including ensuring that personal and business devices are not used interchangeably and that business exchanges are to be performed strictly on the company device. This can include prohibiting or discouraging connections to public Wi-Fi, providing a list of non-permitted apps and setting specific technical requirements for devices that connect to the network (such as requiring they run the latest version of Windows or iOS).

Your organization should establish a policy where confidential data can't be stored on unencrypted devices (or on any personal mobile device at all). You also can require users to encrypt data before they store it on their device. Most, if not all, smartphones allow users to do this by changing their security settings, which should take about a minute. If an employee's device is ever lost or stolen, these actions will be crucial to protect company data.

Improving password security is important to improve mobile device security in the workplace. One Google survey found some people use the same password across multiple websites. Others even share their passwords with friends or loved ones. All of these activities pose security risks.

To combat them, your organization should establish a policy where passwords expire every 60 to 90 days and must be changed, along with setting character length and combination requirements. Your IT team also should consider two-factor authentication to increase security. For example, to access an internal customer database, your employees would need to enter a password followed by a PIN sent to their email. In addition, make sure employees agree to the policy and agree to never share their password. This way, if employees violate the policy, you can take appropriate disciplinary action.

Cyber criminals can enter systems because devices haven't been updated with the latest security patches. To reduce these security vulnerabilities, your organization can adopt a threat protection solution like Lookout Mobile Endpoint Security that highlights out of date operating system (OS) versions to admins and offers 24/7 threat detection and monitoring. If your company has a BYOD policy, encourage employees to regularly update the software on their personal devices, explaining to them that these actions are a core part of your company's risk mitigation strategy.

Protecting valuable information assets against mobile security threats requires a firm commitment to training all users of mobile technology. The reality is that the consequences of device theft or misuse are too great, potentially including a breach of the corporate network, the loss or corruption of critical data, and the violation of applicable industry compliance regulations. Because a single security breach could very well exceed the cost of staff training, educating users on mobile security best practices should be viewed as an effective preventive measure and a prudent investment for the organization.

Applying emphasis to the consequences of mobile device misuse, loss or theft will give employees a greater incentive to follow corporate policy, but training these users on the specifics of the policy is also required. Among others things, an enterprise mobile training plan should address the following key topics:

• Protecting devices. Users should be instructed to follow proper procedures for storing and transporting devices, and they should specifically be instructed not to leave devices unattended in vulnerable locations such as offices, airports and hotels.
• Data encryption. A high-level overview of the data-safeguarding and remote-management technologies currently employed by the enterprise will drive more responsible usage. Users should be made aware that breaking enterprise policy by copying sensitive server-hosted data -- including confidential member information and company IP -- to unencrypted local device storage can have serious repercussions for the individual.
• Password management. Users should be educated on the help desk procedures to follow or alternative requirements for changing or setting passwords for mobile devices, in accordance with an existing enterprise password policy.