Employees at virtually every business, regardless of size, are increasing their use of smartphones for work. More mobility is almost always good for business, but companies need to take control of mobile usage to manage risk and maximize productivity. Every business should have sensible mobile device policies, and most should deploy a mobile device management (MDM) solution that provides control over operating systems, apps and device access.
The first policy bridge to cross is whether you provide the devices yourself or manage a bring-your-own-device (BYOD) policy. Some businesses choose BYOD for economic reasons, although rigorous analysis suggests corporate-liable devices actually cost less.
What to include in your mobile device policy
Regardless of which path you choose, it is essential to put a firm policy in place. For example, you should require employees to update operating systems promptly. If you own the devices and operate an MDM, this is easy. If you choose BYOD, you can at least create a policy requirement stating that employees must apply OS updates as soon as they are available. This will reduce the risk of device compromise and demonstrate that you are making a reasonable effort to protect customer data.
Be clear with your staff about your intention to protect company data while also honoring their privacy. Without transparency on these points, employees might assume the worst and work against you. Set rules about what sorts of work can be done on personal devices and what sorts of work should be done only on company-owned devices. This should extend to what sort of personal use can happen on corporate technology, including what sorts of media and apps are considered inappropriate for the workplace or a threat to mobile security.
If you choose BYOD, be sure to monitor your compliance with state and federal rules involving compensation, reimbursements and benefits for corporate usage of employee-owned devices. This is an area where BYOD can become problematic.
Elements of a sound mobile device policy
Implementing the following requirements in your device policy will help to address your greatest risks.
- Any device that is used to access information associated with your business must meet minimum security and management standards, as outlined in the policy.
- Security and management standards should be subject to change and managed by an automated MDM tool that will restrict device access or remove company information in response to perceived threats.
- Devices should be locked when not in use, with encryption enabled.
- If a device is lost, stolen or misplaced, management must be notified immediately. Part of making this policy work is (1) making certain that information is stored off the device in the cloud and (2) communicating that in the event the device is wiped, the data will be saved. If people believe their information will be preserved during a remote wipe, they will be quicker to admit when they have misplaced a device.
- Policy should be spelled out in a document from HR or top management that makes it clear that compliance is a condition of employment.
If you are rolling out a policy for the first time, be aware that you will likely be making updates as your usage matures, the devices evolve and the threat landscape changes. Assure employees that you will re-evaluate the policy as you go, especially if you expect some people to be wary of increased device control.
How to manage your policy with MDM
With your policy written and communicated, you will need a toolset to monitor and enforce your policy. MDM packages have matured over the past decade to include a wide range of controls, content management functions (to share documents or restrict their distribution) and mobile app and website management capabilities.
The following common MDM controls can help you choose the right solution.
- Require a passcode: The most basic security feature of smartphones, on-board encryption, doesn’t happen until there is a passcode on the device. Fingerprint scans and facial recognition are easy to use and reliable, so it isn’t really that much to ask of users.
- Enforce OS updates: Security vulnerabilities are discovered on a regular basis and then fixed by the makers of the devices and operating systems. Devices running old versions of operating systems remain vulnerable to new threats.
- Restrict rooted devices: MDM can immediately report devices that have been compromised and block them from accessing company information.
- Allow only approved apps: Allowlist apps for use on your phones, and prohibit downloading of all other apps.
- Force regular backups of files and configurations: Take advantage of cloud backup to store data created and collected on devices.
- Require the use of location services: All devices should be able to be located and managed at all times.
- Control usage: By specifying Wi-Fi networks and using geofencing, you can disable devices and generate administrator notifications when a device is removed from a designated area. You can also force devices to reconfigure between shifts or go into a single app or kiosk mode during certain hours.
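The sketch below is an added example, not part of the original article and not the API of any MDM product. It shows how several of the controls above (passcode, OS updates, rooted devices, approved apps, backups, location services) can become an automated access decision. Every field name, threshold, app identifier and the block/restrict mapping is a hypothetical assumption.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical policy values; a real MDM exposes its own settings and field names.
MIN_OS = {"android": (13, 0, 0), "ios": (16, 0, 0)}
APPROVED_APPS = {"com.example.mail", "com.example.crm"}
MAX_BACKUP_AGE_DAYS = 7

@dataclass
class Device:
    owner: str
    platform: str
    os_version: str
    passcode_set: bool
    rooted: bool
    location_enabled: bool
    last_backup: date
    apps: frozenset

def parse_version(text):
    # Pad to three parts so that "13" compares equal to "13.0.0", not below it.
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def evaluate(device, today):
    """Return (action, findings); action is 'allow', 'restrict' or 'block'."""
    minimum = MIN_OS.get(device.platform)
    unapproved = sorted(device.apps - APPROVED_APPS)
    checks = [
        (device.rooted, "rooted"),
        (not device.passcode_set, "no passcode"),
        (minimum is None or parse_version(device.os_version) < minimum,
         "OS unsupported or below minimum"),
        (bool(unapproved), "unapproved apps: " + ", ".join(unapproved)),
        ((today - device.last_backup).days > MAX_BACKUP_AGE_DAYS, "backup overdue"),
        (not device.location_enabled, "location services off"),
    ]
    findings = [message for failed, message in checks if failed]
    # Assumed mapping: rooted or passcode-less devices lose access entirely.
    if device.rooted or not device.passcode_set:
        return "block", findings
    return ("restrict" if findings else "allow"), findings

# Constructed sample inventory, not real device data.
TODAY = date(2024, 6, 1)
FLEET = [
    Device("alice", "android", "14.0", True, False, True, date(2024, 5, 30), frozenset({"com.example.mail"})),
    Device("bob", "ios", "15.7.1", True, False, True, date(2024, 5, 1), frozenset({"com.example.mail", "com.example.game"})),
    Device("carol", "android", "13", True, True, True, date(2024, 5, 31), frozenset({"com.example.crm"})),
]
```

Returning the findings alongside the action lets an administrator notification state exactly which requirement a device failed.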
There are many MDM software packages on the market, mostly offered on a subscription basis. Samsung Knox Manage is a great example of a full-featured but straightforward MDM. It offers consistent management support for all the major operating systems, including iOS, Android, Windows 10 and Tizen, so you can include wearable devices and traditional computers in your policy.
Enforcing all these rules is easier when you own the devices. If you plan to make mobile devices part of your operation, it is easier to purchase devices that you know meet your minimum requirements, that your tools can manage uniformly according to your policies and that provide a consistent experience to your users.
If you have sensitive information to manage and reason to use it on the go, buy devices for your employees, use an MDM to make employees very productive while limiting nonbusiness usage, and then sleep well at night.