
Risk Management Guidelines for Mobile Devices

The use of mobile devices, including laptops, smart phones, tablets, and USB keys, raises security concerns about the potential theft of equipment and sensitive data. In addition, mobile devices are subject to all the other loss exposures such as malware, file deletion, physical damage, etc. This blog provides some suggestions on safeguarding mobile devices against multiple types of risk.

Physical Protection 

The following basic physical and environmental security procedures can help protect your mobile device from theft and damage: 

  • Never leave your laptop and other mobile devices unattended in public spaces or in a car.
  • Always lock or secure your device. Use a compatible cable lock or lock your device in your desk at night. Cable locks can also be used in public places like libraries, schools, conventions, trade shows, and trading floors where site security may be limited.
  • Use a sturdy, weatherproof, padded, and adequately sized inconspicuous laptop bag. When carrying a laptop in a case or luggage with a strap, walk with your hand on the strap.
  • Maintain an asset inventory list including current assignees, assigned equipment serial numbers, and software. Assignees should keep a separate record of their device's serial number.
  • Label the device with identification information such as an inventory tag or a phone number to contact if it is lost and found. Choose a label which doesn't allow identification of the owner or the organization, if possible.
  • Do not leave devices in freezing weather — they likely do not tolerate extreme cold. 
  • When storing a laptop in your vehicle, it is advised that you keep it out of sight in the back or trunk — ensure it is secured so it does not move around while you are driving. If you do choose to store the laptop up front, under no circumstances should you attempt to use it while operating your vehicle.
  • Use a surge protector when not operating on battery power.
  • Keep the safety cap on battery packs. Batteries tend to be either lithium ion or nickel metal hydride — both of which are capable of rapid disintegration.  

Data Security

The following controls can help protect your data stored on mobile devices: 

  • Enforce strong passwords such as passphrases and run regular audits. Use biometrics for mobile phones whenever possible. Do not rely on a swipe pattern alone to unlock devices like smart phones or tablets.
  • Provision security protection on endpoints and connected portable media devices. 
  • Provide Virtual Private Network (VPN) access and Multi-Factor Authentication (MFA). 
  • Use VPN to encrypt the session when connecting mobile devices to public Wi-Fi networks or when accessing sites that are less secure.
  • Update software to patch known vulnerabilities on your device.
  • Periodically review and implement secure configuration profiles for all mobile devices.
  • Back-up data to prevent data loss and to effectively identify and track sensitive data that may have been stored on the mobile device.
  • Use a Mobile Device Management (MDM) / Enterprise Mobility Management (EMM) solution to enforce security policy, baseline configurations, application installation control, and mandatory remote backups on selected users or repositories.
  • Systematically encrypt devices when they contain confidential and sensitive data. In the event of theft, encryption protects your data from unauthorized access.
  • Equip mobile devices with remote tracking or wiping tools. 
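The controls in this list are only as good as the periodic audit that checks every assigned device against them, which is where the asset inventory from the Physical Protection section comes in. The Python script below is an example added to this post, not the author's own code: it audits a constructed inventory export against a baseline derived from the list above (MDM/EMM enrollment, storage encryption, a screen lock that is not pattern-only, remote wipe enabled, and recent patching and backups) and reports each device's violations. The record layout, field names, sample records and thresholds (30-day patch age, 14-day backup age) are assumptions; a real MDM/EMM export would have to be mapped onto them.

```python
"""Baseline compliance audit over a mobile-device inventory.

Added example, not code from the original post. The record layout, the
field names and the thresholds are assumptions; SAMPLE_INVENTORY is
constructed data standing in for an MDM/EMM or asset-register export.
"""
from datetime import date, timedelta

# Constructed sample export: one record per assigned device.
SAMPLE_INVENTORY = [
    {"serial": "LT-0001", "assignee": "a.smith", "type": "laptop",
     "disk_encrypted": True, "screen_lock": "passphrase", "mdm_enrolled": True,
     "remote_wipe": True, "last_patch": "2024-05-01", "last_backup": "2024-05-20"},
    {"serial": "PH-0042", "assignee": "b.jones", "type": "phone",
     "disk_encrypted": True, "screen_lock": "pattern", "mdm_enrolled": True,
     "remote_wipe": False, "last_patch": "2024-01-15", "last_backup": "2024-05-18"},
    {"serial": "TB-0007", "assignee": "", "type": "tablet",
     "disk_encrypted": False, "screen_lock": "pin", "mdm_enrolled": False,
     "remote_wipe": False, "last_patch": "2023-11-02", "last_backup": ""},
]

# Assumed thresholds; tune them to the organisation's own policy.
MAX_PATCH_AGE = timedelta(days=30)
MAX_BACKUP_AGE = timedelta(days=14)
# Lock types the post's guidance rejects as the sole unlock method.
WEAK_LOCKS = {"pattern", "none", ""}


def _age(iso_day, today):
    """Days since an ISO date string; None when the field is empty."""
    if not iso_day:
        return None
    return today - date.fromisoformat(iso_day)


def audit_device(dev, today):
    """Return the list of baseline violations for one inventory record."""
    findings = []
    if not dev.get("assignee"):
        findings.append("no assignee recorded for serial")
    if not dev.get("mdm_enrolled"):
        findings.append("not enrolled in MDM/EMM")
    if not dev.get("disk_encrypted"):
        findings.append("storage not encrypted")
    if (dev.get("screen_lock") or "") in WEAK_LOCKS:
        findings.append("screen lock is pattern-only or absent")
    if not dev.get("remote_wipe"):
        findings.append("remote wipe not enabled")
    patch_age = _age(dev.get("last_patch"), today)
    if patch_age is None or patch_age > MAX_PATCH_AGE:
        findings.append("patch level older than %d days" % MAX_PATCH_AGE.days)
    backup_age = _age(dev.get("last_backup"), today)
    if backup_age is None or backup_age > MAX_BACKUP_AGE:
        findings.append("no backup within %d days" % MAX_BACKUP_AGE.days)
    return findings


def audit_inventory(inventory, today=None):
    """Map serial -> findings. `today` may be a date, an ISO string or None."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    return {dev["serial"]: audit_device(dev, today) for dev in inventory}


def non_compliant(inventory, today=None):
    """Serials with at least one finding, sorted for stable reporting."""
    report = audit_inventory(inventory, today)
    return sorted(serial for serial, findings in report.items() if findings)


if __name__ == "__main__":
    # Print a human-readable report for the constructed inventory.
    for serial, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "NON-COMPLIANT"
        print(f"{serial}: {status}")
        for finding in findings:
            print(f"    - {finding}")
```

Each rule is a separate check so that an audit run can be extended (for example with a configuration-profile version) without touching the others, and the report keys on the serial number so it can be matched back to the assignee record when a non-compliant device needs follow-up.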

Education and Awareness

The education of users is essential to minimize losses. Data theft and espionage aimed specifically at personal computers, laptop computers, networks, and remote access ports is rampant. Employee training and awareness should include: 

  • Keeping work separate - Don’t use work mobile devices for personal matters unless this is authorized by the security policy — for example certain smart phones.
  • Not saving data locally to reduce the exposure to data theft. 
  • Using company pre-approved cloud services or data center storage, particularly for sensitive information like Personally Identifiable Information (PII), Protected Health Information (PHI), trade secrets, etc.
  • Not using USB devices found lying around. 
  • By principle, avoiding the use of USB sticks and other removable storage, whenever possible, unless this is a company-provided secure removable storage.
  • Disabling automatic connections to open networks.
  • Avoiding connecting to unknown Wi-Fi networks.
  • Limiting the use of Bluetooth and Near Field Communication (NFC) for the exchange of sensitive information.
  • Turning off wireless connectivity (Wi-Fi and Bluetooth) when you are not using them.
  • Using corporate Wi-Fi or cellular data network connectivity rather than public Wi-Fi.
  • Downloading applications only from trusted sources (the Apple App Store and Google Play, for example) and trusted websites (well-known sites for which you verify the presence of the "lock" icon or "https://" in the address bar, which indicates that the site presented a valid certificate).
  • Properly disposing of portable media as per corporate policy:
    • Do not rely on deletion commands.
    • Have IT handle device disposal. 
    • Use approved disposal firms and obtain appropriate certificates. 

Policies and Procedures

Written policies and procedures should cover items such as: 

  • Responsibility and accountability for the safety and security of the assigned equipment, for example holding assignees responsible in the event of loss of unattended or unsecured equipment.
  • A signed-off copy of the policy statement should be required of all mobile device assignees.  
  • Annual audits of policies, procedures, assigned equipment, and software lists.  
  • Escalation, notification, and reporting procedures in the event of lost/stolen mobile devices, suspected intrusions, and altered data. 
  • Investigation of lost or stolen mobile devices or suspected breaches. 
  • Assessing the risk of data breach considering existing controls. 
  • Incident logs and documentation of actions taken. 
  • Involvement of third party response support vendors such as breach coaches, external legal counsel, incident response contractors, and technical providers. 
  • Reporting the incident to law enforcement, when warranted. As appropriate, also report the theft to the management of the location where the incident occurred, such as a hotel, airline, bus company, rental car agency, etc.

Good Travel Practices 

Theft of laptops is common at airports and in other travel facilities. When traveling with a computer, watch your luggage and laptop bag, especially while waiting at the baggage carousel to collect other luggage. Other guidelines for protecting your laptop when traveling:

  • Never leave equipment unattended or out of your sight.  
  • Never check a laptop as baggage.  
  • Let your laptop go through the X-ray scanner rather than asking for a hand inspection, and keep your eyes on it at all times.
  • If security wants to see it operate, you handle it. Try never to let them touch the computer.
  • Report any losses immediately to authorities. 
  • Keep serial numbers, make, and model information of your laptop computers, or of any items of value, separate from the item so you can give precise information to authorities if the items are stolen.