Chances are good that the mobile devices your employees use at work and while on the road are less secure than you think. To get some tips on how to make all those smart phones less vulnerable, business writer Susan Caminiti recently spoke with Jeffrey Bernstein, executive vice president of Critical Defence, a leading global provider of security assurance, response, intelligence, and training services based in Washington, D.C.
SC: Let’s start with the premise that most smart phones are built with “ease of use” and not security in mind. Where does that leave a small business owner whose employees use their phone for work?
JB: If you look at small businesses, there really is no segment that is as vulnerable when it comes to mobile devices. Most small companies have a sort of unwritten policy for employees that lets them bring their own mobile devices to work. The reason? Most small businesses lack the financial resources to issue company-owned mobile phones.
SC: If that’s the case, where does a small business owner begin when trying to increase mobile security?
JB: Everything in security comes down to three things: people, process, and technology. Let me explain the issues with each one. People are typically very promiscuous when it comes to their phones. That means the phones are on all the time and allowed to roam and connect anywhere there is an open Internet connection. The process part means that many company security policies were written and implemented prior to mobile phones being a big part of the equation. The technology piece is that if you look at the company itself, most have anti-virus solutions and firewalls in place for their computer systems. They can pretty much see what employees are doing. That’s not the case with mobile phones. There’s no easy way to issue software updates if everyone is using a different device.
SC: What can be done to address mobile security?
JB: The fundamental goal for a small business owner is to increase awareness about mobile security issues and encourage people to speak up. It has to be an ongoing topic. You have to bake security into the fabric of everything that the organization does.
SC: How does a small business owner do that?
JB: You need to talk about it, educate people. Adopt policies that are reasonable and make sense. For example, start by asking: Who has access to your data and where is your data going? Ask employees to routinely lock their devices. A phone should lock after 10 minutes or 15 minutes of inactivity. Encourage the use of a strong password and change it every 30 days. Use encryption and password-protect company documents in all instances. And probably the biggest one for me is to be selective about where you connect. Don’t leave your mobile device open to connect to any roaming network.
JB: Correct. Be careful and selective. If you’re not familiar with the network and it’s open, that doesn’t make it okay to connect to. Also, encourage employees to segregate data on their phones. Try to keep sensitive data separate so that your son’s homework, for instance, isn’t sitting with your HR spreadsheets.
SC: What are some of the most effective ways a small business owner can educate employees about mobile security?
JB: It’s not really complicated. Encourage them to know who they’re communicating with. If they get an email that looks suspicious and they’re accessing it on their phone—don’t open it. And then get them in the habit of contacting whatever IT resource you might have for your company. Also, when something like that happens, you want people to speak up about it so others in the organization know it too. Maybe reward that person with a small gift card or something to encourage that behavior and action. Something that stimulates conversation and raises awareness among employees is what a small business owner should be aiming for.
SC: Should a business owner put restrictions on when and how an employee should use their mobile phone for work?
JB: There are tremendous advantages to using mobile devices for a small business. Your salespeople can attach a point-of-sale device that allows them to accept credit cards. You can respond to issues at any time if a customer needs you. So it’s a tremendous and convenient tool for a small business. But what goes along with that is the expectation that there are going to be security policies in place that include acceptable usage and data retention policies. Let’s say an employee leaves the company and has company data on their phone. It should be very clearly indicated what’s expected of the employee when he or she leaves.
SC: How does a small business owner ensure that a former employee has removed sensitive company data from their mobile device or is not accessing it anymore?
JB: There really is no surefire way to ensure that you would know it’s happening. But in your company agreements you need to state clearly what is expected of employees. The problem is people don’t pay attention to this information, or if there’s an employee policy manual, they don’t read it. They sign it and they’re done. It really does fall back on the owner to communicate verbally with employees and not to do it just when they join the company. Have an ongoing dialogue with the entire company about mobile security issues.
This interview has been condensed and edited.