Few employees are seen without their smartphone and, whether you have a Bring Your Own Device (BYOD) policy or you supply company phones, you may not have a plan for securing the data on those mobile devices. Many mobile device management policies try to balance the need to secure corporate data held on the device with the employee's own data privacy, but striking the right balance can be difficult. Here's how to manage mobile user privacy whilst remaining compliant.
GDPR has introduced the need for companies to work out what Personally Identifiable Information (PII) they hold and how to protect it. Data on smartphones, tablets and other remote devices is harder to track and secure because those devices are often outside the physical office and, in the case of phones and tablets, also outside the corporate firewall.
What PII do you have and where is it stored?
All organisations hold payroll information and HR records, but if your organisation holds any PII, even if it is handled by a third party, you need to audit how and where that data is stored.
Around 18-20% of company data is usually stored in structured systems: specific applications, databases, CRMs, and internally developed applications. To secure this type of data, you'll need to find out how many copies of it exist, where those copies are, and who has access to them (and with what permissions). Any copies on mobile devices should be identified and, if not needed on that device, deleted or moved to a secure internal location.
What about your unstructured data?
For unstructured data, which usually makes up about 80% of the total, the harder work begins. This data can live in emails, file-sharing services, content management applications, file systems, and more. Before you panic, first consider which of this data actually needs to be protected. If you're simply emailing proposals, reports and technical documentation to customers, and those documents contain little or no PII, the data-loss risk is limited and normal security practices are suitable.
Once you’ve identified the data at risk, rank and segment your data according to sensitivity, risk profile, as well as user access requirements.
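The audit described in the two sections above (find every copy of the data, see who can read it, then rank it by sensitivity) can be started with a simple file-system sweep. The script below is an added example written for this page, not a tool from the original article or from any vendor named on it. The detection patterns, the sensitivity ranking and the sample files it builds are all constructed for illustration; a real audit would extend the patterns to the PII your organisation holds and cover mail stores and document systems as well as plain file shares.

```python
"""Minimal PII discovery audit over a directory tree (added example).

For every file it finds PII in, the audit records which patterns matched,
a sensitivity rank, the file's permissions and owner, and a content hash so
that duplicate copies of the same dataset can be grouped together.
"""
import hashlib
import os
import re
import stat
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed, illustrative patterns. Real NI numbers have further prefix
# rules, and real audits need more data types than these three.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "uk_mobile": re.compile(r"\b(?:\+44\s?|0)7\d{3}\s?\d{6}\b"),
}


def scan_file(path):
    """Return {pattern_name: hit_count} for one file (unreadable files -> {})."""
    try:
        text = Path(path).read_text(errors="ignore")
    except OSError:
        return {}
    return {name: len(rx.findall(text)) for name, rx in PII_PATTERNS.items() if rx.search(text)}


def sensitivity(hits):
    """Rank a file: identity numbers are 'high', other PII 'medium', none 'low'."""
    if hits.get("uk_ni_number"):
        return "high"
    return "medium" if hits else "low"


def audit_tree(root):
    """Walk root; return (findings, copies) where copies maps sha256 -> [paths]."""
    findings, copies = [], defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            hits = scan_file(p)
            if not hits:
                continue  # no PII, not a compliance concern for this audit
            digest = hashlib.sha256(Path(p).read_bytes()).hexdigest()
            copies[digest].append(p)
            st = os.stat(p)
            findings.append({
                "path": p,
                "hits": hits,
                "sensitivity": sensitivity(hits),
                "mode": stat.filemode(st.st_mode),   # e.g. '-rw-r--r--'
                "uid": st.st_uid,
                "world_readable": bool(st.st_mode & stat.S_IROTH),
                "sha256": digest,
            })
    return findings, copies


def exposure_report(findings, copies):
    """List (path, reason) pairs that need action: over-shared or duplicated PII."""
    issues = []
    for f in findings:
        if f["sensitivity"] == "high" and f["world_readable"]:
            issues.append((f["path"], "high-sensitivity file is world-readable"))
        if len(copies[f["sha256"]]) > 1:
            issues.append((f["path"], "duplicate copy of a dataset containing PII"))
    return issues


def build_demo_tree():
    """Create a constructed sample tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="pii_audit_")
    payroll = "name,ni_number,email\nAlice Smith,AB123456C,alice@example.com\n"
    samples = {
        "hr/payroll.csv": (payroll, 0o600),            # the authoritative copy
        "backup/payroll_copy.csv": (payroll, 0o644),   # stray, over-shared copy
        "sales/proposal.txt": ("Proposal for Acme Ltd. Contact: bob@acme.example\n", 0o644),
        "docs/build_notes.txt": ("Internal build notes. No personal data here.\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    found, dup = audit_tree(build_demo_tree())
    for f in found:
        print(f["sensitivity"], f["mode"], f["path"], f["hits"])
    for path, reason in exposure_report(found, dup):
        print("ACTION:", path, "-", reason)
```

Running it against the constructed tree flags the backup copy of the payroll file twice: once for being a duplicate and once for being readable by everyone on the host. That is exactly the pair of questions the audit has to answer for every dataset (how many copies, who can read them) before any of it is allowed onto a mobile device.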
What does this mean for mobile users?
Ensure that you have a BYOD policy - if applicable - so that any personal mobile device used for work must adhere to the correct security and usage governance. Determine which apps are authorised and secure for use on those devices. Many smartphone data breaches actually happen because the physical device is stolen and - sometimes - does not even have basic passcode protection. A mobile device management platform can enforce group security policies across both company-owned and employee-owned (BYOD) devices.
Geotags are an important consideration too. Increasingly, apps (and mobile carriers) monitor a device's location and mine other data on the phone - which is not always essential to the core function of the app.
The Wi-Fi issue
Public and unsecured Wi-Fi should also be a real concern: an attacker on the same network can intercept unencrypted traffic - including what a user types into a form on a web page that is not using HTTPS - or place themselves in the middle of a connection. Make it part of the policy that users cannot use just any Wi-Fi connection for company phones unless the traffic is tunnelled through a secure VPN or a cloud-based internet security service such as Zscaler Internet Access. Then users can connect securely from the coffee shop or the airport.
Users should also turn off Bluetooth when they aren't using it, and make sure only trusted devices are paired.
So, what do I do now?
Understanding the risks and following a few key steps will help maintain compliance, without compromising user privacy. A data security audit to understand where information resides, the risk profile, as well as who has access (and requires access) will form an essential step in your strategy to remain compliant with the introduction of GDPR.
For your mobile workforce, a Mobile Device Management (MDM) platform such as IBM’s MaaS360 will dramatically simplify the mobile management headache, as well as protecting PII and defending against the rise in mobile malware - on all of your iOS, macOS, Android, and Windows devices - from a unified cloud platform. Seamless over-the-air (OTA) device enrolment means you can start managing your mobile devices in minutes.
Why not take a FREE 30-day trial of MaaS360, or learn from the experts and read about how to deploy a mobile device management platform? As the UK's leading IBM MaaS360 specialists, we've seen all the common mistakes.
- Infographic: The 8 most common types of cyber attack
- How to solve the biggest problem with SolarWinds
- How to create a BYOD Security Policy in 9 simple steps
- Types of penetration test - what's the difference?
- Pros and cons of outsourcing your cyber security: In-house or Managed SOC?
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact's state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK's leading organisations.