How's the security of your mobile messaging environment? Can you quantify where things stand? It's not easy because of all the moving parts, not to mention the politics involved -- especially when supporting bring your own device policies.
Many executives and business professionals will tell you they have nothing of value on their phones and tablets. Secure mobile devices aren't a problem in their minds, so they believe mobile messaging security doesn't need to be addressed at a corporate level. But it does.
From the largest corporation to the smallest non-profit, too many individuals are nonchalant about mobile messaging security. If you're in charge of managing and securing Exchange, it's much better to understand what's going on with mobile messaging than to have to react to a security breach after the fact.
Whether you have an internal Exchange configuration, use Office 365, or take an internal/cloud hybrid approach, address the following three areas to ensure secure mobile messaging environments.
You can't secure what you don't acknowledge. Many organizations, even large and midsize enterprises, have yet to perform a proper security review of operational and technical vulnerabilities. If you dig into your mobile messaging security, you'll find that culture and politics play a huge role.
Look at what sensitive information is accessed and stored via email on phones and tablets. Given the business dependence on email, there's probably more stored there than you think. Look at any Web applications and mobile apps used to access email and store or share files. Look across unique mobile platforms -- this includes Android, iOS, Windows and BlackBerry. Look at all of the data sets, including disparate data that only a small number of departments or people access. Even if you're using mobile device management (MDM), you'll likely find certain devices and data are more vulnerable than others.
A risk assessment is not a one-time deal; it's something you do thoroughly once and then periodically and consistently update, perhaps once every 6 to 12 months.
Policy development and awareness
Once you determine what's at risk, you can document the necessary policies that outline how your organization does things. Assuming management is on board with what's at stake, you should be able to successfully get the word out to end users regarding what's expected and what's acceptable.
These very policies may go against what some executives believe to be true. I've seen corporate messaging and BYOD policies that apply to everyone except the executive team, which is completely backwards, as these are often the people, devices and data that need the most security control.
Ensure your policies are well thought out and consistently applied to everything associated with your Exchange environment. Otherwise, you're fooling yourself.
Ongoing oversight and accountability
The most important step for ensuring success in your mobile messaging security initiatives is to do what's necessary and reasonable to enforce the policies you put in place. This is where most organizations are deficient, even big corporations that are compliant with numerous regulations. In many cases, organizations take all of the proper steps but stop just short of actually doing something about mobile messaging security.
Ongoing oversight and accountability is often the hardest part, but you can accomplish it with the help of good management and technologies. If you're going to have an ongoing system to minimize your mobile messaging risks, you're going to need the proper visibility and control. That visibility and control can only be accomplished by using proven security technologies, such as basic Active Directory Group Policy Objects for passwords and audit logging, email content filtering, MDM and even data loss protection.
Every mobile device -- and especially the data processed and stored on it -- is considered secure until you discover it's not. Even if it's "just email," it's one of the core elements of your business you can't afford to have compromised. Be proactive with your approach. Even if you can't fully implement every facet of mobile messaging security, doing some of them well right now and aiming to improve the others in the long haul can buy you a lot of security. Just as importantly, it can buy you peace of mind knowing you're reasonably doing what you can to keep things in check.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management, and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.