a NIST blog
Mobile phones—those mini-computers in our pockets—are a permanent fixture in today’s workplace. Managing and securing them is no simple task. Gema Howell, computer scientist and mobile device project lead at the National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE), joined us for a recent Learning Series* webinar to discuss the challenges of enterprise mobile device security and privacy. She also shared tips for securing mobile devices. Below is a sneak peek into the discussion. You can watch the entire webinar here.
Before designing and deploying mobile device solutions, organizations should conduct a risk assessment to determine what resources need protection, the threats to them, and their vulnerabilities. To facilitate the risk assessment process, our mobile device solutions explore common threats to mobile devices, such as network- and application-based attacks; risky device configurations, such as lack of a device passcode; phishing attacks through email and text message; and unpatched devices.
Threat identification tools, such as NIST’s Mobile Threat Catalogue, used in conjunction with a risk management process, such as the NIST Risk Management Framework, can help organizations identify security and privacy requirements and design mobile device solutions to meet those requirements.
How threats to mobile devices are mitigated and contained will differ depending on who owns the device.
Corporate-owned personally-enabled (COPE) devices are owned by the enterprise and issued to the employee. COPE devices provide the flexibility of allowing both enterprises and employees to install applications onto the enterprise-owned mobile device. An example solution for improving the security of COPE devices is demonstrated in NIST SP 1800-21, Mobile Device Security: Corporate-Owned Personally-Enabled.
Bring your own device (BYOD) programs allow employees to use their personal devices to perform work-related activities. Enabling access to corporate resources while keeping personal and work-related information separate on a BYOD device poses unique challenges for organizations. An example solution for improving the security of BYOD devices is demonstrated in NIST SP 1800-22, Mobile Device Security: Bring Your Own Device.
NIST SP 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise, is another great resource to help you get started.
Data about employees and devices can flow between various applications and analytical tools. The data can reveal private information to employers and third parties. Any mobile device security strategy should consider the privacy implications for both the employee and the organization. The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders and is intended to help organizations identify and manage privacy risk.
If you have any questions on mobile device cybersecurity, want to chat with the project team, or are interested in joining their Mobile Device Security Community of Interest, email mobile-device [at] nist.gov.
*The NCCoE Learning Series is a monthly webinar offering a mix of foundational content for those who are new to cybersecurity and more technical deep dives into the work and outcomes at the NCCoE.