5 Mobile Device Management Best Practices
As a result of the pandemic, IT administrators faced a whole host of new challenges. The rapid transition to remote work presented an entirely new set of security risks and threats that may have only been an afterthought before.
Now is the time to review your mobile device management practices. While many companies are bringing their employees back into the office, a significant number will still work from home entirely or in a "hybrid format." These new risks aren't going to disappear completely.
Your users are now logging in from their personal mobile devices to access company data, and you might not have the control over what and who's logging in that you had in a pre-pandemic world. So what should you do right now to adjust to this new reality? We recommend you focus first on the following five mobile device management best practices.
1. Make your solution seamless and unobtrusive to the user
Mobile users don't interact with their devices in the same way a desktop or laptop user would. A seamless and unobtrusive login solution will be expected.
If you bog down your user here with security measures that make logging in a pain, you're only setting yourself up for failure as users will look to delay adoption or circumvent the security system altogether. It can also create a potential support mess for your help desk employees. Adopting passwordless authentication is one of the easiest ways to accomplish a frictionless experience for users.
The best security solutions strengthen your security posture and dramatically simplify the login process. When selecting an MDM solution, you want any potential candidate to have both of these qualities. Don't create additional hoops for your users to jump through.
2. Have a BYOD policy
Bring your own device (BYOD) has exploded in our post-lockdown world. As a result, a strong BYOD policy is a must-have if you're looking to improve your mobile security posture. What makes the bones of a good policy? We suggest including or doing the following:
- Specify what types of mobile devices are permitted: BYOD doesn't mean that you allow any user device on the network: you still retain control over who and what can log in. Personal mobile devices should be up to date with all security and software updates and free of any potential modifications, like "rooting" or "jailbreaking." Modified devices are a haven for malware.
- Establish strong security policies: Some users might prefer to skip certain security features on their devices, such as a lock screen or biometric identification. The ideal MDM solution allows you to enforce this basic step, protecting sensitive data accessed during the user's session. Your security policy should also require updates to device operating systems prior to granting access, especially after critical security updates.
- Set expectations: Ensure employees understand the limitations you put on BYOD devices and understand what is acceptable when using their mobile devices to access company services. This includes what data, apps, cloud services, and third-party software they may use. It is also good to set expectations on support services you will provide (if any) for issues users run into while using the network.
- Integrate your BYOD and acceptable use policy: Employees will use their mobile devices for things they wouldn't or shouldn't access at work or from insecure places like public Wi-Fi hotspots. While they are connected to the corporate network, however, you call the shots. Be sure to clearly state in your policy what is and isn't permitted. Leaving a "gray area" is asking for trouble.
- Have an exit strategy: What happens when an employee who uses their own device leaves the company? Be sure to have a process that removes access upon resignation or termination. Not having or adhering to one leaves the door wide open for attacks from a disgruntled employee (ask Cisco). The ideal MDM solution will protect you by allowing you to address this in just a few clicks.
3. Enable risk-based access policies
Managing mobile devices in your organization that you don't have direct control over can be tricky. This is why it’s recommended you employ risk-based access policies, which grant and limit authorization based on not only who's logging in, but the device they're logging in from and the security posture of that device.
Each time a company employee or contractor attempts to log in, your authentication platform should be looking for potential security risks, such as:
- Is anything about the login unusual, perhaps from an entirely new location?
- Is the account accessing information it usually does not?
- Is the mobile device fully up-to-date?
A risk-based access policy factors this in and more before authorization.
Don't be afraid to deny authorization if a login doesn't meet your standards, either. It's always better to be safe than sorry: sensitive corporate data resides on your servers, and it only takes one intrusion to disclose it. Don't take that chance.
4. Never trust, always verify
Security threats are no longer only coming from the outside. And while BYOD presents a unique set of challenges, there's a possibility that malicious actors could launch an attack from corporate devices too. We recommend adopting zero trust security to address this reality.
At the core of zero trust is the concept of "never trust, always verify." This goes hand in hand with the idea of risk-based access policies. Regardless of who's logging in, you should continuously verify that they are who they say they are and that the device meets your stringent security policies. Access to sensitive information is limited to what is required for the task at hand.
User-owned mobile devices present a unique challenge, as we have stressed repeatedly above. Zero trust limits the number of ways an attacker can get in, and if they do, it limits their ability to move around and do real damage. In the traditional, perimeter-based approach, the attacker would have access to any data the account has the privileges for, with little if any pushback.
5. Implement strong passwordless authentication
The knee jerk reaction to securing mobile devices is to require that end-users select strong passwords or to turn to strategies like multi-factor authentication. This is nothing more than a band-aid. It adds unnecessary complexities to the login process and is still based on the inherently insecure password.
Abandon the idea of the password altogether, not only in your mobile device management practices, but across any device your organization's employees use, mobile or not. Passwordless authentication isn’t just for ease of use, it actually makes the entire system more secure.
By implementing passwordless authentication, you strengthen your multi-factor authentication from using an insecure factor (like passwords) and replace it with a better, more secure factor (biometrics). This removes the attacker's most commonly used entry-point and eliminates password-based attacks like rainbow table attacks, brute force attacks, and credential stuffing.
Now's the time to take mobile device security seriously
Beyond Identity enables your workforce to address the unique challenges BYOD and mobile device security present and serves as a base to implement zero trust principles that work to keep attackers out and protect your data.
Most importantly, Beyond Identity does away with passwords. Instead, we use cryptography that binds employees to the devices they use, making logging in as simple as a single click.
Our Secure Work product makes mobile security simple, allowing you to protect your business interests without creating unnecessary friction for users. See how easy it is to keep hackers out with just a few lines of code. Request a demo today.