Ransomware, adware, spyware, Trojans, rooting, malware – it can be overwhelming to keep your mobile environment protected and to secure mobile data from all the different threats affecting devices today, and finding the time to keep up with every new threat is simply not practical. The good news: there are configurations and settings you can enable to give your devices proactive protection regardless of your schedule.
Here are 4 steps to secure mobile data
1. Detect and deal with compromised devices
It is recommended you have a Mobile Device Management (MDM) solution deployed – if you don’t already have MDM in place, make it a priority in 2018! It is your best option for managing and securing mobile data and offers literally hundreds of policies, but at a minimum:
- Ensure jailbreak and rooting detection is enabled during and after enrollment – a rooted or jailbroken device allows malicious apps to gain elevated rights and can compromise any data on it, personal or corporate. Your MDM has an option to automatically block a jailbroken or rooted device from enrolling and gaining access to email or the intranet.
- Configure automated actions – out of the box, your MDM can notify, wipe and block compromised devices. These automated actions trigger when a device is detected as rooted or jailbroken or has a blacklisted app installed, and they send a command to the device or a message to the user without any admin intervention.
2. Secure your corporate email
Even in 2018, I am still amazed at how many companies allow open access to corporate e-mail via Exchange ActiveSync.
- Every MDM solution offers a secure e-mail gateway or PowerShell connector option that sits in front of on-premises Exchange or cloud-hosted Exchange Online. These police ActiveSync access so that only devices that are enrolled and known to be safe can reach corporate email, while unknown devices, unapproved device makes and models, and devices known to be compromised are blocked from your email server.
- Where possible, leverage Data Loss Protection (DLP) settings – this might be as simple as enabling a policy that blocks copy/paste of data from work apps to non-work apps, or you might opt for a secure container for email and intranet browsing apps, or leverage Azure Information Protection to contain data.
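The gating that a secure e-mail gateway or PowerShell connector performs can also be configured directly in Exchange Online. The following is an added example, not from the original post or from any MDM vendor, using the Exchange Online PowerShell cmdlets. It assumes the ExchangeOnlineManagement module is installed and the account has the Exchange Administrator role; the administrator address, the user mailbox and the device model string are placeholders.

```powershell
# Added example (not from the original post): default-deny Exchange ActiveSync so that
# only known devices sync corporate mail. Placeholder values: admin@example.com,
# user@example.com and the device model string "ExampleUnapprovedModel".

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# 1. Organisation default: a device that matches no rule and no per-mailbox exemption
#    is quarantined instead of being allowed to sync. The user receives the inserted
#    text explaining what to do; the admin recipients are notified of each new device.
Set-ActiveSyncOrganizationSettings `
    -DefaultAccessLevel Quarantine `
    -AdminMailRecipients admin@example.com `
    -UserMailInsert "Your device is not yet enrolled in MDM. Enroll it before it can sync corporate mail."

# 2. Organisation-wide rule by device characteristic (DeviceModel, DeviceType, DeviceOS,
#    UserAgent or XMSWLHeader). The QueryString must match the value the device reports
#    exactly. Evaluation order is: per-mailbox allow/block lists, then these rules, then
#    the default above, so a blocked make/model never reaches quarantine.
New-ActiveSyncDeviceAccessRule `
    -QueryString "ExampleUnapprovedModel" `
    -Characteristic DeviceModel `
    -AccessLevel Block

# 3. Triage: list every quarantined or blocked device together with the reason
#    Exchange recorded, so unknown and non-compliant devices can be followed up.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -in 'Quarantined', 'Blocked' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS,
                  DeviceAccessState, DeviceAccessStateReason |
    Format-Table -AutoSize

# 4. Per-mailbox exemption: once the MDM has confirmed a quarantined device is enrolled
#    and not jailbroken or rooted, allow that one device ID for that one mailbox.
$device = Get-MobileDevice -Mailbox user@example.com |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object -First 1
if ($device) {
    Set-CASMailbox -Identity user@example.com `
        -ActiveSyncAllowedDeviceIDs @{ Add = $device.DeviceId }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Quarantine rather than Block as the default keeps legitimate new devices visible to the administrator instead of silently failing, which is what you want while the MDM enrolment process is still bedding in; once every approved device is enrolled, tightening the default to Block is a one-line change.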
If you use Office Online and have Microsoft P1 or E3 licensing, enable Multi-Factor Authentication (MFA). Two customers have recently notified us about a sophisticated breach in which an employee’s account was compromised; the intruder accessed and intercepted emails and was able to re-route billing transactions to a foreign bank account. MFA requires a second factor, e.g. a PIN code (via SMS or app), when email is accessed off the corporate network – so in this case, without the PIN code the hacker would not have been able to authenticate to email. If you are using Intune as your MDM, you can layer MFA with Conditional Access for contextual security that also gives a better user experience.
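One way to express "MFA for email off the corporate network, layered with Intune compliance" is an Azure AD (now Entra ID) Conditional Access policy. The block below is an added example, not from the original post, written against the Microsoft Graph PowerShell SDK. It assumes the corporate office IP ranges are already defined as trusted Named Locations, that the account has the Conditional Access Administrator role, and it uses a placeholder group ID for the emergency-access accounts that are excluded from the policy.

```powershell
# Added example (not from the original post): Conditional Access policy for Exchange
# Online that requires either MFA or an Intune-compliant device for any sign-in from
# outside the trusted corporate locations. Placeholder: $breakGlassGroupId.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder object ID of the group holding emergency-access ("break glass") accounts.
# They are excluded so that an MFA misconfiguration cannot lock every admin out.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require MFA or compliant device for Exchange Online off-network'
    # Start in report-only mode: review the sign-in logs for unexpected impact,
    # then change the state to 'enabled' to enforce.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # Well-known application ID of Office 365 Exchange Online
            includeApplications = @('00000002-0000-0ff1-ce00-000000000000')
        }
        # All client types, so Exchange ActiveSync and other legacy clients that
        # cannot perform MFA are covered too (they satisfy the policy only from a
        # compliant device).
        clientAppTypes = @('all')
        locations = @{
            includeLocations = @('All')
            # 'AllTrusted' = every Named Location marked as trusted, i.e. the corporate network
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{
        # OR: an enrolled device that Intune reports as compliant (not jailbroken or
        # rooted, patched, encrypted) passes without an MFA prompt, which is the
        # better user experience; anything else must complete MFA.
        operator        = 'OR'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two design points are worth calling out. Using `compliantDevice` as an alternative to `mfa` is what ties the MDM to the identity layer: the jailbreak and rooting detection from step 1 now directly decides whether a user is prompted. And excluding only trusted Named Locations, rather than disabling the policy for "internal" users, keeps the protection in place for the account-compromise scenario above, where the attacker signs in from somewhere the company has never been.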
3. Know your apps
Most mobile devices have 60 – 90 public apps, and each one is updated monthly. Each app update introduces new vulnerabilities and often tricks the user into accepting elevated privileges, which means that app data may be saved on overseas servers or the user’s contacts and calendar information may be accessed by the developer. These risks are generally not quantified and managed until it is too late.
- Deploy a Mobile Threat Management (MTM) service to gain visibility of the malicious or leaky apps deployed on your devices. We recently enabled MTM for a customer and after the first scan detected over 60 ‘leaky’ apps installed on their mobile devices – apps that were sending data from the device off-shore, sometimes to six or more different servers around the world! Understanding what data is being sent, and why, is critical to knowing how secure mobile data is on these devices.
- Mobile Threat Management solutions such as Proofpoint or Lookout are cloud hosted, so they are quick to set up, and they integrate with your MDM tooling so you can automatically send a command to a device or a message to a user when a malicious app is installed or detected.
4. Keep your devices updated
Make sure your mobile fleet is always running the latest OS updates and security patches. This may be one of the simplest ways to keep your fleet secure: in addition to new features and bug fixes, OS updates usually contain fixes for the latest critical vulnerabilities. Consider running an internal marketing campaign, with posters on notice boards or your intranet, to remind employees to keep their devices updated. If your employees use Android, make sure they properly secure their phones.
Find out how Mobile Mentor can secure mobile data with our Mobile Threat Management services.