Company e-mails, personal SMSes, family photos, confidential company documents, customer contact details – today’s consumer stores huge volumes of information on their mobile devices. And, the line between what’s yours and what’s mine are blurred.
“Whether company-issued or an employee’s own, mobile devices are pumped full of information, both business and personal in nature,” warns Richard Broeke, sales manager from Securicom. “This means that important business information, e-mails and sometimes mission critical applications are inter-mixed with companies’ employees’ personal data and media.

“Typically, mobile devices lack security features such as encryption and access control. When security on mobile devices, from laptops to smartphones and tablets, is not up to scratch, critical business information could be at risk.

“The majority of South African companies allow employees to use their own devices for work purpose,” he adds. “For the most part these are unmanaged, unprotected, and there are no measures in place to enforce security policies around the storage and use of company data. Also, if a device is lost or stolen, all the information on there goes with it. Any company data housed on them is therefore vulnerable.”

Mobile devices, like corporate networks and PCs, are increasingly becoming targets for criminals. In the past two years, attacks on mobile devices have increased substantially as criminals adapt their strategies for mobile. Statistics from a leading global IT security software vendor shows that mobile malware has increased by 58%. 32% of mobile malware is designed to steal information from compromised devices.

Against this backdrop, Broeke says all companies that allow employees to use mobile devices for work purposes should enforce the installation of security software on them. This goes for both company-issued devices as well as in a “bring your own device” environment. Security is just a component of effective mobile device management though.

With a credible mobile device management platform, he says companies can do more than just enforce device security installations and upgrades to mitigate malware.

They can also perform device compliance checks; monitor network traffic and user behaviour; block disallowed apps; identify mobile threats, and block devices that are unmanaged, lost or don’t adhere to company blacklist or whitelist policy; and security rules. A good MDM solution also enables companies to effectively enforce a security policy for mobile devices.

Just as corporate e-mail usage policies have become the norm for restricting how, for what and when employees can use company e-mail, so security policies around the use of mobile devices have become necessary.

Enforcing a security policy enables companies to define and limit the activities that employees are allowed to perform on mobile devices when it comes to their work.

Policies should detail the security requirements for each type of device that is used in the workplace and allowed to connect to the corporate network. This could include the way that passwords are configured, prohibit specific types of applications from being installed on the device, and enforce the encryption of data stored on devices.

Of course, employee education and buy-in are key. Users need to be educated about the risks of mobile malware, downloading rogue applications, accessing the corporate network from unprotected devices, and storing critical business data on unsecured smartphones. They should also be shown how to use their privacy and permission settings.

Broeke concludes that organisations need to clearly inform their employees about the security implications of using mobile devices for work purposes. “Ground rules should also be established to ensure that their security requirements are being met while acknowledging employees’ right to privacy.”