Tactical Advice

Best Practices to Protect Your Mobile Assets

Ten sure-fire methods to protect your mobile device assets.
This story appears in the June 2007 issue of BizTech Magazine.

Mobile devices such as notebooks, personal digital assistants, smartphones and USB storage drives have become ubiquitous in the business world. Companies keep adding these devices to their employees’ arsenals to reap the benefits of enhanced productivity, convenience and mobility. Some jobs today would be impossible without the mobility provided by these devices.

Nevertheless, poorly managed mobile devices greatly increase the potential for security failures and information compromise. Stolen, lost or sold notebooks, BlackBerrys, USB sticks and other devices loaded with sensitive information such as confidential e-mails, customer data and financial figures fall into the wrong hands. The loss of highly sensitive information and the potential associated media scandal is a huge problem in itself, but the impact might be greater — failure to protect certain information can be construed as a violation of business regulations such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act. The consequences range from fines to prison sentences for executives.

Apart from the loss of sensitive information, a stolen or hacked device is one of the easiest ways for malware or a human attacker to infiltrate a company’s internal network.

Unique challenges make it relatively more difficult for companies to secure their mobile device assets than to protect their wired devices. Because of their nature, mobile devices connect not only to the secure internal network but also to insecure external networks. This exposes them to various threats that are not seen in the internal company networks, which normally have multilayered security environments.

Many smaller devices do not contain centralized management features found in most enterprise software. Administrators find it difficult to enforce corporate IT policies on these devices. Normal security-related tasks such as software upgrades and security patch distribution are a nightmare.

Here are some best practices for protecting your mobile assets:  

  • Educate Users: Naive or misinformed users can bring down elaborate security measures. Hence, user education is one of the most crucial success factors for security setups. Create an IT policy for mobile device use and make sure that it is communicated to all employees who use such devices.
  • Use Antivirus Software: Most desktop antivirus vendors now have antivirus software for common mobile platforms. It’s just as important to use a good — and regularly updated — antivirus solution on mobile devices as it is to use it on the desktop. Although the number of traditional viruses and worms targeting mobile devices is still tiny, it could grow into a much bigger problem in the future.

    Currently, the real threat comes from so-called crimeware — applications designed to steal personal information or perform some other illegal task that will benefit the perpetrator. Some applications in this category surreptitiously send text messages from infected phones to premium phone numbers. However, the most dangerous applications in this category are probably the ones that are designed to spy on the voice and text communication of a user. A disgruntled employee or a competitor can install these on a device.

  • Install a Personal Firewall: As mentioned previously, mobile devices that connect to networks other than the internal company network are exposed to threats that do not penetrate the multilayered security of the internal network. So-called personal firewalls, similar to the ones seen on the desktop, are an effective way to protect against many of these threats. These applications reduce the potential attack surface by restricting access to services available on the devices.
  • Patch Religiously: Monitor security patches released by the manufacturers of the software installed on your mobile devices. Just like on the desktop, discovering and installing security patches as soon as possible can significantly reduce the number of security incidents. 
  • Use Encryption for Data Storage and Transmission: Encrypting the entire disk or other storage is probably the most important thing you can do to prevent the theft of confidential information from a mobile device. An encrypted disk will be the final layer of defense in case a device falls into the wrong hands. Good encryption makes the data inaccessible to illegitimate users. Many commercial software applications do this automatically while remaining completely transparent to the user. Another, albeit weaker, approach is to encrypt individual sensitive files and folders instead of encrypting the entire disk. This tactic can be used in situations where encrypting the entire disk is not an option.

    Configure the devices to always use the highest available encryption standard for wireless connections. All connections to the internal company network must be over a virtual private network.

  • Manage Connectivity Mechanisms: Turn off Bluetooth when you are not using it. Do the same with other connectivity mechanisms. Use the highest possible security settings for wireless connections.
  • Password-Protect the Device: Most devices come with basic password protection for device use. Turn it on. If possible, install third-party applications that implement stronger authentication mechanisms than basic login passwords.
  • Use Physical Locks for Notebooks: Physical locks will prevent miscreants from just picking up your notebooks and walking away with them. Provide physical locks to your employees, and instruct them to use the locks whenever they use the notebooks outside company premises.
  • Securely Wipe Devices Before Retiring Them: Confidential information has been recovered from mobile devices sold through online auction sites. Needless to say, most of those cases have been media disasters for the organizations involved. It is not enough to just delete the files before retiring devices — deleted files can be recovered easily. Destroying data completely from disks and making it unrecoverable is a difficult job. Use enterprise-grade disk-wiping software for all mobile devices before retiring them.
  • Use Software Designed to Recover or Destroy Lost or Stolen Devices: Software applications are available that “phone home” or connect to monitoring services and report their location whenever they are connected to the Internet. Such applications can help in tracking, locating and recovering stolen or lost notebooks.

    Some devices have a remote wipe feature that lets you remotely delete all data or perform a hard reset if they are lost or stolen. Research in Motion, the maker of the BlackBerry, for example, provides such a service to businesses.

IT Takeaway
• Does your company have a comprehensive IT policy for mobile device usage? Is it communicated clearly to all the employees?
• Does your IT department have a mechanism to centrally manage and take inventory of your mobile assets?
• Does your IT policy make it mandatory for the storage media on all mobile devices to be encrypted?


S.G. Masood is a Web security researcher for F-Secure (www.f-secure.com), a network security services provider with headquarters in Helsinki, Finland.