Small Devices Can Cause Big Problems: Improving Enterprise Mobile Device Security

Mobile phones—those mini-computers in our pockets—are a permanent fixture in today’s workplace. Managing and securing them is no simple task. Gema Howell, computer scientist and mobile device project lead at the National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE), joined us for a recent Learning Series* webinar to discuss the challenges of enterprise mobile device security and privacy. She also shared tips for securing mobile devices. Below is a sneak peek into the discussion. You can watch the entire webinar here.  

Assess the Risks

Before designing and deploying mobile device solutions, organizations should conduct a risk assessment to determine what resources need protection, the threats to them, and their vulnerabilities. To facilitate the risk assessment process, our mobile device solutions explore common threats to mobile devices, such as network- and application-based attacks; risky device configurations, such as lack of a device passcode; phishing attacks through email and text message; and unpatched devices.

Threat identification tools, such as NIST’s Mobile Threat Catalogue, used in conjunction with a risk management process, such as the NIST Risk Management Framework, can help organizations identify security and privacy requirements and design mobile device solutions to meet those requirements.

Apply the Solution

How mobile devices are secured, and how threats to them are contained, will differ depending on who owns the device.

Corporate-owned personally-enabled (COPE) devices are owned by the enterprise and issued to the employee. COPE devices provide the flexibility of allowing both enterprises and employees to install applications onto the enterprise-owned mobile device. An example solution for improving the security of COPE devices is demonstrated in NIST SP 1800-21, Mobile Device Security: Corporate-Owned Personally-Enabled.

Bring your own device (BYOD) programs allow employees to use their personal devices to perform work-related activities. Enabling access to corporate resources while keeping personal and work-related information separate on a BYOD device poses unique challenges for organizations. An example solution for improving the security of BYOD devices is demonstrated in NIST SP 1800-22, Mobile Device Security: Bring Your Own Device.

NIST SP 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise, is another great resource to help you get started.

Do Not Forget About Privacy 

Data about employees and devices can flow between various applications and analytical tools. The data can reveal private information to employers and third parties. Any mobile device security strategy should consider the privacy implications for both the employee and the organization. The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders and is intended to help organizations identify and manage privacy risk.

Reach Out

If you have any questions on mobile device cybersecurity, want to chat with the project team, or are interested in joining their Mobile Device Security Community of Interest, email mobile-device [at] nist.gov.

*The NCCoE Learning Series is a monthly webinar offering a mix of foundational content for those who are new to cybersecurity and more technical deep dives into the work and outcomes at the NCCoE.

About the author

Barbara Ware

Barbara Ware is a lead outreach and communications specialist for the MITRE Corporation working alongside NIST staff at its National Cybersecurity Center of Excellence.  She is a communications and marketing professional with nearly 20 years of experience supporting various companies and non-profits in the healthcare and cybersecurity sectors. Prior to joining MITRE, she was director of communications for the Center for Internet Security, Inc.
