CISA Releases Guidance on Securing Enterprise Mobile Devices
The United States Cybersecurity and Infrastructure Security Agency (CISA) last week published a Capacity Enhancement Guide (CEG) to help organizations secure mobile devices and their access to enterprise resources.
The Enterprise Mobility Management (EMM) system checklist is meant to help businesses mitigate vulnerabilities and increase overall enterprise protections by implementing a series of best practices for securing enterprise-managed mobile devices.
In this regard, CISA recommends the use of devices that meet enterprise requirements, enabling automatic updates through a Mobile Device Management (MDM) system, implementing a trusted devices policy (for updated, unrooted, and EMM-configured devices), and denying access for untrusted devices.
Enforcing strong authentication (including PINs of at least 6 digits) on the enterprise-trusted devices is another easy-to-implement policy that boosts overall device security, the same as the use of two-factor authentication (2FA) when enabling access to enterprise networks.
CISA’s CEG also encourages enterprises to practice good app security, including the use of curated app stores, isolating enterprise applications, minimizing the amount of personally identifiable information (PII) in apps, disabling sensitive permissions, vetting enterprise-developed applications, and restricting OS/app synchronization, to prevent data leaks.
Furthermore, organizations are advised to disable radios such as Bluetooth, GPS, NFC, and Wi-Fi when they are not in use, as well as to disable user certificates and to employ secure communication apps and protocols, such as VPNs, when mobile devices connect to the enterprise network.
Ensuring that mobile devices are protected at all times is also essential to securing the enterprise network, CISA says. Thus, organizations are advised to use Mobile Threat Defense (MTD) systems, to ensure that only trusted chargers and cables are used for charging devices, and that the lost device function is enabled.
Ultimately, organizations of all types should also make sure that mobile devices do not connect to critical systems, as any infected device could lead to the compromise of business-critical ancillary systems.
Separately, CISA published a CEG for consumers looking to improve the security of their mobile devices, with recommendations that should be applied to any device, especially those that organizations allow employees to connect to enterprise networks.