The best practices and technologies involved with data loss prevention (DLP) on mobile devices aim to protect data that leaves the security of the corporate network. Data can be compromised or leaked for a variety of reasons: Device theft, accidental sharing by an authorized user or outright pilferage via malware or malicious apps.
The problems associated with mobile data loss have been compounded by the uptick in employees bringing their own devices to work, whether they have permission from IT or not. In a BYOD situation, the user owns the device, not the organization, and makes security somewhat trickier for IT to establish and maintain.
At a minimum, any mobile device that accesses or stores business information should be configured for user identification and strong authentication, should run current anti-malware software and must use virtual private networking (VPN) links to access the corporate network.
In addition, the IT department should implement the following strategies to offer the best protection of corporate information in a mobile environment:
Each of these strategies will be discussed below.
1. Data Backups: You Know the Drill
We don't have to go into much detail on the issue of data backups. Simply put, they're necessary, they must be performed regularly and the resulting backup files must be tested to ensure they can be recovered if necessary.
2. User Education: The More They Know, the Safer Your Data Is
Educating your users on the dangers of data leakage is a useful and valuable process for the majority of users. Whether you get the word out through annual security training, brown-bag lunch seminars or a monthly newsletter, teach your employees about security. Tell them what sensitive information is and show them what it looks like.
Most employees will help protect an organisation's assets once they understand what constitutes "confidential" information. They must also understand the consequences to the organisation if such information goes public - damaged reputation, corporate espionage, loss of revenue, regulatory fines and penalties, and even a risk to the personal safety of certain employees. Share some actual instances of data leakage encountered by the organisation (if possible) and dissect security breaches that made headlines.
3. Data Classification: For Whose Eyes Only?
The ever-increasing use of mobile devices for work, more than almost any technology in the last few years, has brought the importance of data classification to the forefront. Most mobile DLP technologies (see below) rely on some form of data classification to prevent data leakage. Your organization should begin by creating a data classification standard, if one isn't already in place, and then implementing that standard as soon as possible.
A classification scheme consists of broad categories that define how to treat information. The U.S. military classification scheme, as defined in National Security Information document Executive Order 12356, consists of three classification levels: Top Secret, Secret and Confidential. A business or educational scheme might use Highly Sensitive, Sensitive, Internal and Public categories. (If your organization must adhere to specific laws and regulations that govern certain types of data, incorporate appropriate language and measures into your data classification standard.)