Finders Keepers. Depending on your place in the pecking order, you either heard or recited that adage at recess. It was written somewhere in the playground Magna Carta. Usually, the “lost” item wasn’t really lost at all, but more likely lifted by an instigator during a moment of opportunity.
So, fast forward. Now that we’re all grown up, the list of things we lose or misplace has changed. For me, in no particular order, they include my car keys, sunglasses, umbrella, smartphone, etc. Though I often accuse my spouse, it’s usually my poor memory that is to blame. Hey, it’s human nature, with some of us being a lot more “human” than others.
Unfortunately, when it comes to items like smartphones, laptops, and tablets that have access to, or contain, data belonging to our employers and/or their customers, patients, etc., the stakes are a good bit higher. While it’s true that online breaches still account for the majority of the risk in terms of the total number of breached records, the ease with which a laptop or cell phone can go missing is a big cause for concern.
Reporting a data breach due to laptop loss or theft can be a big blow to the organization’s reputation.
Start talking about banning these devices, however, and you get the look that says, “You can have it, but you will have to pry this iPad from my cold, dead hands!” There are a number of technical solutions that provide varying degrees of protection for mobile devices.
Let’s discuss establishing a good set of organizational policies related to mobile computing devices.
Why worry about a mobile device security policy?
Ask your IT staff and they will tell you that without one, it’s a free-for-all. Many organizations allow their employees to connect to corporate networks (especially for email) with their personally owned laptops and cell phones. This creates huge issues in terms of managing and securing the corporate data that can ultimately find its way onto these devices.
A good policy serves to educate the workforce and set boundaries for what is acceptable in terms of equipment and behavior.
One of the first questions to be answered is, “Are we going to allow our employees to access corporate systems with their personal laptops and/or smartphones?” Every business is different, as are its risks. However, there are some significant benefits to allowing only corporately issued devices to connect. They include:
- Device tracking and monitoring including retrieval of the device upon termination.
- The ability to have standard configurations that include security controls such as encryption, passwords, etc. (you can sometimes enforce these on non-corporate devices, but it’s easier if they are provisioned by the IT group).
- Fewer compatibility issues.
- Reduced support burden for the help desk.
Regardless of your decision related to the use of personal equipment, there are some universal considerations. If your organization houses sensitive data or data that is “protected,” such as patient records, personal financial information, or information that could be used by identity thieves, you will want to take a more proactive approach to securing mobile devices.
For laptop computers, this means at a minimum the use of unique user IDs and strong passwords. With the ubiquity of the technology, full disk encryption should also be strongly considered. While not necessarily a regulatory requirement, encryption provides a “safe harbor” from having to report a breach under some data breach laws, including HIPAA/HITECH. For smartphones, consider mandating the following technical security controls in your policies:
- Encryption of data stored on the device
- A requirement for a password for access to corporate systems (e.g. email, VPN)
- Screen timeout with password required to re-access the device
- Remote wipe feature enabled after a specified number of failed login attempts
- Remote wipe feature if the phone is lost/stolen
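As an added illustration (not part of the original post), the smartphone controls above, plus the corporate-versus-personal question raised earlier, can be turned into a simple audit of an MDM inventory export. The thresholds (6-character passcode, 5-minute lock, 10 failed attempts) and the device records are assumed values constructed for the example; the post sets no specific numbers.

```python
"""Audit mobile-device inventory records against the policy controls listed above."""
from dataclasses import dataclass

# Policy thresholds: assumed values for this example, not numbers from the post.
MIN_PASSCODE_LEN = 6
MAX_SCREEN_TIMEOUT_MIN = 5
MAX_FAILED_ATTEMPTS = 10


@dataclass
class Device:
    device_id: str
    owner: str
    corporate_owned: bool
    encrypted: bool            # data-at-rest encryption enabled
    passcode_len: int          # 0 means no passcode configured
    screen_timeout_min: int    # 0 means the screen never auto-locks
    wipe_after_failures: int   # 0 means wipe-on-failed-attempts is disabled
    remote_wipe_enrolled: bool # device can be wiped if lost or stolen
    has_corporate_email: bool  # device accesses corporate systems


def audit_device(d: Device, allow_personal: bool = False) -> list[str]:
    """Return the list of policy violations for one device (empty if compliant)."""
    findings = []
    if not allow_personal and not d.corporate_owned:
        findings.append("personal device connected to corporate systems")
    if not d.encrypted:
        findings.append("data stored on the device is not encrypted")
    if d.has_corporate_email and d.passcode_len < MIN_PASSCODE_LEN:
        findings.append(f"passcode missing or shorter than {MIN_PASSCODE_LEN} characters")
    if d.screen_timeout_min == 0 or d.screen_timeout_min > MAX_SCREEN_TIMEOUT_MIN:
        findings.append(f"screen lock timeout disabled or longer than {MAX_SCREEN_TIMEOUT_MIN} min")
    if d.wipe_after_failures == 0 or d.wipe_after_failures > MAX_FAILED_ATTEMPTS:
        findings.append("wipe after failed unlock attempts disabled or threshold too high")
    if not d.remote_wipe_enrolled:
        findings.append("not enrolled for remote wipe of a lost/stolen device")
    return findings


def audit_inventory(devices, allow_personal: bool = False) -> dict[str, list[str]]:
    """Map device_id -> findings, keeping only devices that have at least one."""
    return {d.device_id: f for d in devices if (f := audit_device(d, allow_personal))}


# Constructed sample inventory (not real devices or people).
SAMPLE_INVENTORY = [
    Device("corp-001", "alice", True, True, 6, 2, 10, True, True),
    Device("corp-002", "bob", True, False, 4, 0, 0, False, True),
    Device("byod-003", "carol", False, True, 8, 5, 10, True, True),
]

if __name__ == "__main__":
    for dev_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(dev_id, "->", "; ".join(findings))
```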
From an administrative standpoint, there are also things that are important to include or reference in your mobile device policy. Some of these include:
- Appropriate use
- Download of unauthorized software
- Procedures to report a lost/stolen/found device
- Use in public Bluetooth and wireless environments
It is worth saying that it’s not a matter of if someone will lose their laptop or phone, but when. Since we know that at some point we’ll be on the losing end of the old playground adage, with a little work we can cut out the weeping. Contact us today to learn more!