Call now for cybersecurity help: 888-646-1616
Kate Bowie

SEC Cybersecurity Guidance: Mobile Device Management

Protecting Your Business’ Most Sensitive Mobile Data

Gone are the days of the rotary phone.  Data is immensely portable.  As we — individuals, consumers, corporate employees, investment advisors and financial investors — continue to rely on our mobile devices for everything, the level and amount of sensitive data that is stored on our mobile devices continues to increase.  All of this use leads to a rising need and demand for heightened mobile security via mobile device management (MDM).  Cybersecurity Risk Management MUST include Mobile Device Management. The SEC Cybersecurity Guidance points to this need.SEC Cybersecurity Guidance Mobile Device Management

The SEC Cybersecurity Guidance (as published by the OCIE) isn’t prescriptive about mobile use, or the specific tools that you need to keep mobile devices secure. We haven't seen any enforcement actions specifically around mobile devices either.

However, in the 2017 Risk Alert: Observations from Cybersecurity Examinations, the SEC very clearly calls out the need to have controls over mobile devices. As they observed a wide swathe of Registered Investment Advisor Cybersecurity Programs, they noted that the most secure investment advisors:

"Required and enforced restrictions and controls for mobile devices that connected to the firms’ systems, such as passwords and software that encrypted communications."

The goal of this article is to fill in some of the blanks about cybersecurity risks with mobile devices.  As you consider cybersecurity threats in your own firm, mobile device risk is definitely an area you need to consider.

What is MDM?

In order to meet the cybersecurity needs of the industry, many tech companies (including big names like Cisco, SAP, Microsoft, and Samsung) currently offer comprehensive MDM products and solutions that are designed to monitor, manage, and secure employees' mobile devices.

SEC_Cybersecurity_Guidance_Mobile_Device_Management_Gartner

via https://www.gartner.com/reviews/market/enterprise-mobility-management-suites

What Material Cybersecurity Risks do MDM Tools Address?

Wealth management firms who turn to MDM solutions typically do so for three reasons:

  1. MDM gives them tighter control over all of the companies’ portable Windows and Mac (e.g., laptops, Surface tablets)
  2. MDM gives them control over mobile devices (iPhone, iPads, Android)
  3. They are trying to meet the SEC guidance for cybersecurity.

Here’s a real world scenario. You give your employees access to your company email via their smartphones. If you’re like most companies, you probably let them use their personal devices.

But what happens if someone leaves? Worse yet, what if it’s a bad termination? How do you make sure that they can’t use the data on their phone to cause harm to the company?

Even in the rare case that employees are allotted separate personal and business devices, most companies know that it’s common for employees (and senior management!) to end up mixing their business and personal device use.  Employees check their work email on their personal device or send personal messages from their work devices. This continues to be a cybersecurity liability that should be avoided at all costs. Even company-owned phones need to be managed.

As the SEC cybersecurity guidance has not been prescriptive on specific measures, we’ve put together a number of recommendations for what to look for that should get you started on considering the risk factors and choosing your MDM solution.

It’s important to note that Mobile Device Management started as a solution focused on smartphones and tablets, but most major vendors now offer features to control mobile computers (e.g., Windows or Mac laptops) as well.

Must-Have Requirements & Features for Mobile and Laptops

How do you choose a Mobile Device Management solution that’s right for your business? There is much to consider.  (Remember, we're trying to meet the SEC Cybersecurity Guidance as a common sense route to ACTUALLY securing our firm's data and our customer's data.) What all of these solutions SHOULD be providing:

  • Encryption: All devices should be encrypted at all times.
  • Passwords:
    • Must require all inactive devices to be locked with a password
    • Must disable simple passwords (e.g. "password1" or “1234”)
    • Laptop / desktop passwords should be at least 10+ characters; for mobile, 6+ characters
    • Laptop / desktop passwords should be alphanumeric (with at least one alphanumeric character)
    • Mobile passwords should be fairly complex, but easy enough for users to remember
    • Should not let a user continually re-use passwords over 10 times
  • Operating System:
    • Restrict the OS version that can be used, with best practice being to support the current release and one release back
    • If you know that your entire company is using a specific OS that is outdated, then specify that and make sure all users are on the same OS, if possible.
  • Require all inactive devices to lock and require a password after 15 minutes for computers and 5 minutes for mobile devices. (You might want to put a longer timeout on computers that are used for sales presentations, so they don’t lock in the middle of an important customer meeting.)

Specific MDM Configuration Settings Based On Device

Different devices have different configuration options. Here are some of the most common:

  • Windows computers
    • Require BitLocker
    • Require Secure Boot, but test this first -- not all computers support it
    • Mandate that all computers have the firewall turned on, antivirus, and antispyware
    • If you use Windows Defender as your antivirus, require that it be turned on.
  • Mac computers
    • Investigate that system integrity protection is turned on (OS El Capitan or later)
    • Enable firewall
    • Only allow apps from Mac app store and identified developers to be downloaded
  • iOS devices
  • Android devices
    • Block rooted devices
    • Configure Google Play Services & enable all other Google security API's

What should you do when a device is out of compliance?

Be sure the system you select can:

  • Notify your IT team
  • Notify the end user
  • Give the end user a required action that needs to be taken ("contact IT") and a set deadline ("in 24 hours")
  • Once you've fine tuned your rules and your configuration settings, you may want to consider locking the workstation so it can't be used until it’s compliant, but depending on the circumstances, this is optional
  • Wipe the device if it’s lost or stolen, or at least break the connection between the device and your work systems (Microsoft calls this "Retiring" a device)

Additional Desirable Features

In addition to the list above, many Mobile Device Management systems now also offer a number of options that allow for remote control over devices.  Think of the ability to locate lost devices! There are geofencing capabilities and related automated alerts that can automatically provide alerts if/when company devices travel outside specified geographical boundaries. These can be especially helpful for companies that have a lot of employees that regularly travel for business and may have a higher level of cybersecurity risk and incidents with their mobile devices.

In Conclusion

The SEC cybersecurity guidance is clear that mobile data management needs to be prioritized as part of your cybersecurity risk management. The MDM solution that you choose for your business should depend on a number of factors including the level of control that you need to have over your devices, the types of devices that your company is using (Mac vs. Windows, iOS vs. Android), and how user-friendly the solution is for your system administrator/IT Team to set up and maintain.

In the end, your goal is to prevent mobile device-related cyber incidents. Of course, every firm should strive to be compliant with the guidance from the Securities and Exchange Commission, but the cyber threats posed by mobile devices pose a very real risk to your firm.

As you move forward, the one thing you have to be honest about is your bandwidth.

Do you actually have the time to handle this for your firm?

If you do, and want to dive deeper, learn more about our approach to delivering robust cybersecurity for registered investment advisers by downloading our whitepaper “How Successful RIAs Handle Cybersecurity.”

In the paper, you’ll learn about our 21 Pillars of Cybersecurity — 21 things that all registered investment advisors need to have in place to keep client data safe and to comply with cybersecurity guidance.

If you don't have the bandwidth,  then it is time to bring in a team who does…– AdeliaRisk.

Leave a Reply

Your email address will not be published. Required fields are marked *

Do you think we might be a
good match?

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity.
About
Blog
Copyright 2024 Adelia Associates, LLC | All Rights Reserved