11 Guidelines for a Useful Mobile Security Policy

Chances are, you’re reading this blog on your phone or tablet. We reached the tipping point for mobile use in the US in the past year. While studies vary slightly, most report approximately 66% of email is opened and read on smartphones (versus 34% on desktop), and time spent engaged with digital media is 51% for mobile (compared to 42% for desktop). And while these reports are specific to media consumption, many others provide evidence that we are a truly connected population, using tablets and smartphones in every corner of life, from communicating to helping with homework, to paying bills, to teleworking. 

For most personal needs, mobile security systems are generally adequate. If your bank allows its employees to access company networks, email, and data remotely, however, security becomes a thornier and more pressing issue. Regardless of the size of your organization, if you have data and a connection to the Internet, you are at risk for cyber attack. In this connected era, it’s absolutely imperative to balance IT risk with the reward of convenience. 

The team at HORNE recommends creating a written policy concerning the use of mobile devices. The policy specifies what is and is not allowed, and communicates that it may be necessary to wipe a personal device clean if it’s lost, stolen, or if the employee leaves the company. Any employee who uses a personal mobile device should sign an acknowledgment of the policy.

Your mobile security policy should establish a host of important guidelines, including the following 11.

  1. Specify whether corporate or client data can be stored on the device.
  2. Require use of encryption for mobile devices storing corporate or client data.
  3. Require installation of mobile device management software on devices that store company or client data and are used offsite.
  4. Require password security that adheres to a certain level of complexity and gets changed regularly.
  5. Specify device review procedures for employees using mobile devices to process or transmit corporate data. Employees should permit the company to review the devices to ensure sensitive data is not stored or transmitted inappropriately.
  6. Specify whether employees are allowed to use their own devices (“bring your own device” or “BYOD”).
  7. Specify whether devices that have been altered in a process known as “jailbreaking” are allowed.[1]
  8. Require mobile devices to have settings enabled that prevent the device from automatically connecting to Wi-Fi hotspots at places such as coffee shops, restaurants, or hotels.
  9. Require that the “auto join” feature for wireless networks be disabled.[2]
  10. Specify the parameters for use of iCloud sync or comparable services, including whether iCloud sync is allowed and, if it is, which types of information and data the phone may auto-sync to iCloud.[3]
  11. Specify how email is to be removed from the device, and require installation of MDM software on all mobile devices used by your employees.[4]
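As an added example (not HORNE's code, and not any real MDM product's export format), the following Python script evaluates a small constructed inventory of devices against the checkable guidelines above and reports which guidelines each device violates. The field names, the organisational choices in POLICY, and the passcode thresholds are assumptions; guideline 5 (device review) is a process control and is not evaluated.

```python
# Added example: checks constructed MDM inventory records against the
# 11 guidelines above. Not HORNE's code; field names and thresholds are
# assumptions rather than any real MDM product's export format.

# Decisions the organisation makes in its written policy (guidelines 1, 6, 10)
# plus assumed passcode thresholds (guideline 4).
POLICY = {
    "allow_corporate_data": True,
    "allow_byod": True,
    "allowed_cloud_sync": {"contacts", "calendar"},
    "min_passcode_length": 8,      # assumed complexity threshold
    "max_passcode_age_days": 90,   # assumed rotation period
}

# Constructed inventory export; a real MDM export would look different.
DEVICES = [
    {
        "id": "dev-001", "owner": "alice", "byod": True,
        "stores_corporate_data": True, "used_offsite": True,
        "encrypted": True, "mdm_enrolled": True, "jailbroken": False,
        "passcode_length": 10, "passcode_complex": True, "passcode_age_days": 30,
        "wifi_auto_join": False, "cloud_sync": {"contacts"},
    },
    {
        "id": "dev-002", "owner": "bob", "byod": True,
        "stores_corporate_data": True, "used_offsite": True,
        "encrypted": False, "mdm_enrolled": False, "jailbroken": True,
        "passcode_length": 4, "passcode_complex": False, "passcode_age_days": 400,
        "wifi_auto_join": True, "cloud_sync": {"contacts", "documents"},
    },
    {
        "id": "dev-003", "owner": "carol", "byod": False,
        "stores_corporate_data": False, "used_offsite": False,
        "encrypted": True, "mdm_enrolled": True, "jailbroken": False,
        "passcode_length": 8, "passcode_complex": True, "passcode_age_days": 100,
        "wifi_auto_join": False, "cloud_sync": set(),
    },
]


def evaluate(device, policy=POLICY):
    """Return the guideline numbers (from the list above) this device violates."""
    violations = []
    data = device["stores_corporate_data"]
    if data and not policy["allow_corporate_data"]:
        violations.append(1)    # corporate data stored where policy forbids it
    if data and not device["encrypted"]:
        violations.append(2)    # corporate data on an unencrypted device
    if data and device["used_offsite"] and not device["mdm_enrolled"]:
        violations.append(3)    # offsite device with data but no MDM
    if (device["passcode_length"] < policy["min_passcode_length"]
            or not device["passcode_complex"]
            or device["passcode_age_days"] > policy["max_passcode_age_days"]):
        violations.append(4)    # weak, simple, or stale passcode
    if device["byod"] and not policy["allow_byod"]:
        violations.append(6)    # personal device where BYOD is not allowed
    if device["jailbroken"]:
        violations.append(7)    # jailbroken device
    if device["wifi_auto_join"]:
        violations.append(8)    # guidelines 8 and 9 both come down to this setting
    if not device["cloud_sync"] <= policy["allowed_cloud_sync"]:
        violations.append(10)   # syncing a data type the policy does not permit
    if not device["mdm_enrolled"]:
        violations.append(11)   # MDM required on every employee device
    return violations


def audit(devices, policy=POLICY):
    """Map device id -> violated guidelines, omitting compliant devices."""
    report = {}
    for device in devices:
        found = evaluate(device, policy)
        if found:
            report[device["id"]] = found
    return report


if __name__ == "__main__":
    for dev_id, found in audit(DEVICES).items():
        print(f"{dev_id}: violates guideline(s) {found}")
```

Running the script reports dev-002 against most of the list and dev-003 only against the passcode rotation period; changing the thresholds in POLICY is how the check tracks whatever your finalized policy actually says.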

This list of considerations for creating a mobile device policy certainly isn’t exhaustive, but it provides a good start for securing your data. As you customize these policies for your bank, we recommend that you consult your legal counsel. Once you have finalized it, it is crucial to educate your employees about its specifics, communicate the importance of the policy, and monitor ongoing compliance.

Is your bank unwittingly trading convenience for security? HORNE can help you perform risk assessments and development of your financial and security policies.

[1] Jailbreaking gives users unrestricted access to the entire file system of their mobile devices, allowing them to circumvent limitations imposed by wireless carriers or phone manufacturers. Problems arise because it is difficult to tell whether such a device has previously had software installed that would give an attacker unauthorized access to the business network or files. We recommend prohibiting these devices.

[2] Hackers can use the mobile device history to create their own wireless access points that mimic access points a device previously accessed. If an employee has the mobile device set to join a wireless network automatically, the device could connect to the rogue access point without the user knowing. We recommend instructing users to enable the “Ask to Join Networks” feature to prevent this from happening.

[3] If auto-sync settings are not properly configured, sensitive, unencrypted corporate and client files could be sent to the cloud without an employee’s knowledge.

[4] Most MDM software can perform either a container wipe, deleting only the emails themselves, or a full wipe of the device. If you adhere to the previous recommendations in this list, it may not be necessary to perform a full wipe. If you don’t adhere to the suggested policies and only perform a container wipe, you may leave sensitive information stored elsewhere on the device, such as in text messages, third-party applications, or the device’s internal storage.
