Originally published April, 2017. Updated October, 2021.
Mobile device management (MDM) is one of the most forgotten aspects of cybersecurity, even in today’s work-from-anywhere economy. Mobile device management is much more than managing people’s personal cell phones. It encompasses most of the devices people today are working from: laptops, tablets, smartphones and even e-readers. Because of the breadth of technology it includes, it is a critical part of cybersecurity.
Mobile device use has steadily risen in the workforce over the past 15 years, arguably peaking during the onset of the pandemic and the year that followed. Workers are relying on cell phones, tablets, personal laptops and work laptops. These devices are often unmanaged, unknown and unsecured, accessing sensitive company or client data, file storage, and systems.
With the Biden administration putting national cybersecurity under a microscope and tech giants scrambling to make good on their promises of billions of dollars invested in solutions, it is clear that the threat should be a top priority for every company. And no matter how many billions tech companies like Microsoft, Google, IBM and Amazon pour into solutions, we will never rid ourselves of the need for small companies to take measures to protect their systems from intrusion.
Consider this: In 2020, on the heels of the pandemic outbreak, ransomware rose 700% from 2019 levels. The primary method for it to reach companies is through phishing emails, which can be opened from any device, including unsecured ones. With headline-splashing cybersecurity breaches and the global shift to work from home, it’s time to stop and reassess how essential mobile device security really is.
Not only that, but mobile security isn’t even all about hackers and cybercrime. Yes, that’s an important threat to protect against. The bigger risk is that a laptop or cell phone gets lost or left behind. Imagine someone in your accounting department for a second. They use their personal cell phone to check email, but they don’t have their automatic lock screen enabled because it’s annoying. They leave their phone in the back of an Uber and the next passenger finds it. That passenger can now access your entire company, along with any financial files that your employee emailed.
The security implications are significant and explain why every government regulation controlling the sharing of data and privacy includes policies for managing access to data via mobile devices. Some simply stipulate that a company should have appropriate MDM policies; others specifically call for remote device management through Office 365 or other software.
Whether or not you are in a regulated industry, it’s important to know how mobile device usage can impact your security. Looking at the regulations that do exist is a great place to start in understanding what you need to protect within your own company.
This will allow you to better protect customer information, keep your critical data safe from leaks or loss, accommodate the “mobile office” in a safe and forward-thinking way, and, finally, to better grasp the impact that smart devices will have on how your company does business.
Here are a few mobile security regulations that you need to know:
If you’re in the health care industry, then the Health Insurance Portability and Accountability Act of 1996 directly impacts your business. You’re required to take serious IT measures to ensure that your patient information is protected.
If you’re not in the health care industry, you still need to be aware of HIPAA requirements. Likely, you manage employee health insurance coverage and communications with the insurance company, which your company is required to safeguard.
HIPAA infractions can lead to massive penalties and fines. Mobile device usage is a primary culprit of HIPAA penalties. If you have HIPAA requirements, your best bet is to use MDM software or MDM services to avoid embarrassing publicity and fines.
The Payment Card Industry Data Security Standard impacts any company that processes major credit cards. The standards are designed to protect consumer information from credit card fraud.
The latest 3.2 update was released in April of 2016. All businesses are encouraged to adopt these standards to prevent cyber breaches that can lead to a PCI infraction. However, businesses officially have until February 2018 before they are required to implement these new regulations.
Some of these new regulations include continual enforcement of compliance instead of a once yearly exercise, detection and reporting on failures of critical security control systems, penetration testing on segmentation controls every six months, and multi-factor authentication amongst others. Mobile Device Management is critical to ensure PCI standards are met.
The Sarbanes-Oxley Act of 2002 protects investors from the possibility of fraudulent accounting activities by corporations.
This impacts mobile device usage. The SOX Act has mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud. Mobile application security, such as what you get with Office 365 MDM, is critical to ensuring that the SOX Act regulations are met.
The Gramm–Leach–Bliley Act of 1999 legalized the mergers of commercial banks, investment banks, securities firms, and insurance companies. However, the act also served to address concerns related to consumer financial privacy.
All companies handle consumer money in some form or another, typically in the form of credit card information. Any organization that receives customer financial information from a financial institution may be restricted in its reuse and redisclosure of that information.
While this act largely applies to financial institutions, a lot of organizations fail to realize this applies to the mobile devices they are using to conduct business, whether they are in financial services or not. For that reason, we recommend stringent MDM policy and remote device management to ensure lost devices aren’t a vessel for unintentional disclosure.
The Cybersecurity Maturity Model Certification (CMMC) creates a security standard controlling the sensitive and classified information that contractors and subcontractors may handle or encounter in their work with the Department of Defense (DoD). The guidelines, which include specific rules for mobile device security, aim to ensure that hackers can’t get into DoD systems or access sensitive, secret or classified information via contractors. Considering that state-sponsored hacking incidents are on the rise, such as the SolarWinds breach, which did compromise the Pentagon among other federal agencies, it’s easy to see the need for CMMC.
Eventually, all contractors who work with the DoD or sub-contract for a DoD contractor will need to comply with CMMC, which includes establishing guidelines and configuration for mobile devices, identification of mobile devices accessing data or the network, and encryption of mobile devices. As rigorous and daunting as it might sound, CMMC is surprisingly accessible for even small companies.
There are 5 levels of CMMC, each progressively more secure. Level 1 covers the basics of cybersecurity and serves as a strong model for any organization wanting to improve its cybersecurity. To meet the requirements, companies should work with a CMMC Registered Practitioner (which we have at Nortec) to prepare for an audit and then complete the audit for certification at the appropriate level.
Mobile Device Management solutions help businesses in all industries stay protected and ensure they meet regulation and compliance requirements, without the headache of having to learn the ins and outs of each regulation. And whether you’re regulated or not, protecting customer and company data is critical to avoiding serious unexpected costs, downtime, and damage to your reputation.