Mobile devices may not get updated as often as other devices that sit on the network. These devices are:
- patched by your staff (as BYOD devices)
- patched whenever they connect to your organisation's network or the internet.
Allowing staff to use their own personal devices is becoming more common over time. It's important to take steps to build a secure environment for those devices to operate in.
1. Understand the devices used in your organisation
Have a clear understanding of the devices used in your organisation, and who owns them. List any devices owned by the organisation on your asset inventory list.
If staff use personal devices, you should have a bring-your-own-device (BYOD) policy. This explains:
- what kind of devices staff can use, and
- how they can use them, and still protect the security of the information and systems they access.
Your organisation should also have a mobile device policy. This:
- explains how staff can secure their devices, and
- provides guidelines on how they can use them.
Your staff may use many different mobile devices, with different operating systems and software. It's important to understand what devices they have, so you know if they'll support the mobile device management systems you use.
For example, your organisation may use the Google Apps Device Policy to manage BYOD mobile phones. Some of your staff might use older phones or different phone operating systems that don’t support this app. If that's the case, they won’t be able to use their mobile devices for work. If your staff need mobile devices to do their work, your organisation may have to:
- revisit its policies, and
- decide if they need to buy and provide mobile devices to staff.
2. Understand how staff can access the organisation's systems
Have a clear understanding of how staff can access your organisation’s systems and data from their authorised mobile devices. A few key systems to consider are:
- document storage
- internet-facing systems, and
- internal network systems.
These systems may need specific software or conditions to access them. For example, to access:
- web mail on your mobile phone, you may need to download a mobile device management app to your device.
- an internal network application, you may need VPN software downloaded to your laptop.
- an internet-facing system, you may need to install a digital certificate on your device.
3. Configure a mobile device management system
Implement and configure a mobile device management system to track mobile device use. A correctly configured system will allow you to see:
- what operating system the device uses, and what version it is
- what type of authentication the device uses (passwords, PINs, or fingerprints)
- if the device has enabled encryption
- what software is on the device
- the data stored on the device (messages, photos, browsing history).
These systems may also allow the organisation to control part of the device. For example, the mobile device management system administrator could:
- prevent staff turning off security configurations (like a PIN to unlock the phone), or
- wipe a phone if it's reported as lost.
It's important to:
- have clear processes in place for how to use the system, and
- follow the principle of least privilege when it comes to access to the system.
If staff use personal devices for work, it should be very clear what the mobile device management system has access to do. Using a personal device for work is a security and privacy trade-off. Your staff need to give some permission to the organisation to preserve its information. If an organisation needs staff to use mobile devices, but they don’t want to use their own, the organisation should buy devices for staff to use.
TIP: If staff don’t use personal devices for work, make sure they know not to access personal accounts on organisation-owned mobile devices. These devices are monitored by the organisation and collect data about phone usage.
This can be a privacy concern, so it's better to keep personal accounts and work devices separate.
4. Update your incident and change processes
Update your processes so your team knows how to manage reports about mobile devices. This could include reports of:
- stolen or lost devices
- mobile devices behaving differently, or having suspicious new software or apps
- devices that are unable to access the systems they need.
Your team may also need to prepare for reports about BYOD devices. There may be reports on models and operating systems that they're unfamiliar with.
System administrators also need to understand when to make extreme changes to a device. For example, locking and wiping a mobile phone is an extreme change. If this happens by accident, it may stop a staff member from working for a few days while the device is replace or restored.
Tip: If your BYOD or mobile device policy changes, you must tell your staff. Choosing to use a personal device for work is an individual choice. Staff may change their mind about using personal devices if your policy changes.