Hello! Welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today’s discussion involves mobile device management. Seems like a pretty self-explanatory term, yes? That all depends on the organization and the needs of the business, as many things typically do.
What does your workforce use for communications? Think about this and don’t forget to consider what the umbrella term of communications covers. Does your organization communicate primarily through telephones/mobile phones?
Do they communicate through collaboration platforms like Skype, Teams, Slack, or something similar? Or do they primarily communicate through email? I am thinking that the answer would typically be a mix of each of those solutions.
So, to break this down into various components, think about the possible security impacts from the use of these different pieces of technology. Your phone, to start as an example. Do you take work calls on your personal phone? Do you text or email work-related information from your phone (provided it is a smartphone with a data plan)? If your answer is yes, consider the security aspects of those answers.
If you are transmitting work-related information on a personal device, that is theoretically leaking company information from a personal location. You could also be storing company information on your personal asset. Some organizations do not have stringent requirements with regard to their data protection policies, so that type of scenario does not raise any flags.
Organizations that deal with sensitive data, personally identifiable information (or PII), health-related information, and other sensitive types cannot have that info stored on personal devices, as that is a major security risk. Have you ever accidentally texted or emailed the wrong person by a simple typing mistake? What if that mistaken text or email was from your doctor and it contained your health information?
Jump over to your personal computer or laptop. Your company uses a collaboration application to stay in contact, and you use it frequently. Is the information you are transmitting being stored anywhere on that personal laptop?
Have you downloaded company information from chat sessions, or have you saved company resource links to your personal computer? How is your security posture at home with regard to your own home network and such? If someone broke in (either physically or logically) and accessed your personal laptop, would company information be compromised?
There are quite a few questions to be answered here, but I think you are understanding the larger picture of how maintaining security with mobile devices can be challenging. This is where mobile device management comes in. Mobile device management, according to NIST (the National Institute of Standards and Technology), is the administration of mobile devices such as smartphones, tablets, computers, laptops, and desktop computers.
The administration of. What encompasses the term administration? Sounds like big brother, doesn’t it? Well, in some ways it is, but this is a necessary big brother scenario that is in place to protect organizational data from being compromised. Mobile device management is key to organizational security when the company has a mobile workforce.
While it is possible (and probable, depending on the type of organization you work for) that someone is watching everything you do on your mobile device, typically administration is simply for managing the devices with regard to security policies and software updates. As another example, devices that are a few to several versions behind the latest operating system version are security risks to the organization, so mobile device management solutions can track that versioning information and provide the visibility needed to keep those risks from occurring.
There are several vendors that provide mobile device management solutions, and each one differs in its approach. Some are security policy based, some are user experience based, and others are parts of larger solutions, so they are more affordable, etc. The organization needs to determine what it wants its mobile devices used for in order to meet core business objectives, then determine the requirements surrounding the securing of the devices so it can meet those requirements while removing, reducing, or avoiding security risks associated with their use.
Once those requirements are determined, the organization can then engage mobile device management vendors to see who or what will best meet those requirements. Security policies are then built and tested; security policies may secure the data on the endpoint (phone, laptop, tablet, or other), but if the security policy prevents you from using the device, then there is no point, hence the testing.
This is getting a bit more into the weeds of how mobile device management works, but that’s why we try to explain it. Some of you may never encounter an organization that utilizes mobile device management, and some of you may only work for organizations that employ it. The purpose of this discussion was to paint a more understandable picture of what mobile device management (otherwise known as MDM) is and how it is used.
We here at GuardSight thank you for taking the time to listen to this TomCast. Please share this if you believe it would be of assistance to anyone in your contact list, and please provide us some feedback in the comments so we can continue to improve. Thanks!