Are Your Mobile Phones & Tablets Adequately Protected?

Mobile Security

By Dave Kinsey

Have you ever had to call your mobile phone from another phone to find where you misplaced it? What would happen if you couldn’t find it at all because your phone was lost or stolen? Is your company’s reputation at risk? Do you have an ethical responsibility to report a data breach and to whom?

If your company is like most companies I work with, just about everybody has an iPhone or Android phone. Many of these phones are connected to the company’s Microsoft Exchange server to sync email, calendar and contacts (which should be considered confidential information). Although connecting phones and tablets to your work email is fairly simple, these default setups will not provide adequate protection if you lose the device. Fortunately, implementing mobile device security does not have to be overly complicated or expensive, assuming your systems have reasonably current technology.

Configure Your Exchange Server to Enforce Minimum Security Requirements
Once enabled on your mail server, if a device attempts to connect that does not meet the minimum security requirements, it will be blocked until the security settings on the device are updated to meet or exceed the standard. I strongly recommend your company review both your written and system configuration policies on a regular basis to ensure that you are taking reasonable precautions to avoid the risk of data breach.

At a minimum, I recommend requiring that all phones that connect to your Exchange Server have:

  • PIN required to access phone: 4-digit minimum, longer is better.
  • PIN timeout: This is the amount of idle time that elapses before the PIN must be re-entered. It can be set to between 0 and 60 minutes in one-minute increments; 0 means a PIN must be entered every time the phone is turned on. 15 minutes is the recommended minimum requirement; shorter is better.
  • Failed login attempts before wipe: This can currently be set to between 4 and 16 attempts – 10 failed attempts recommended. This means after 10 failed attempts, the phone would be wiped back to factory specifications.
  • Require encryption: Enabled (also recommend setting to require encryption on storage card, if any).

With this level of protection, you will have taken reasonable steps to protect confidential information. If you do not currently have this level of protection, and intend to make the changes required to better protect confidential information, I’d recommend the following:

  1. Communicate to everybody in the company exactly what changes you are making and why you are doing this. Consider having everyone in your company sign a mobile device security policy and include in new hire paperwork if you don’t have this already.
  2. Update all existing phones to meet the security specifications in advance. Regarding encryption, all modern iPhones (iOS 7 and higher) should already be encrypted by default. It’s a fairly simple matter to encrypt Android phones.
  3. After you’ve confirmed all existing phones meet the minimum requirements, then change the settings on the Exchange Server to ensure that these settings will be enforced for all new phones. Individuals may have settings that are more secure (such as setting a longer PIN or a PIN timeout that is shorter than the minimum setting), but they will not be allowed to change the setting to something less secure.
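
Before making the change in step 3, it helps to see exactly where a server policy falls short of the minimums listed above. The following PowerShell is an added example, not the author's own script: it checks mobile device mailbox policy objects against those minimums and shows the enforcement command as a comment. The function names, the sample policy objects and the policy name 'Default' are assumptions made for illustration.

```powershell
# Added example. Baseline values are the article's recommended minimums.
$Baseline = @{ MinPin = 4; MaxIdle = [TimeSpan]::FromMinutes(15); MaxFailures = 10 }

# Exchange shows "Unlimited" (or blank) when a limit is not set; treat both as no limit.
function ConvertTo-Limit($Value, [type]$Type) {
    $text = "$Value"
    if (-not $text -or $text -eq 'Unlimited') { return $null }
    return $text -as $Type
}

function Test-MobilePolicyBaseline {
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        $pin   = ConvertTo-Limit $Policy.MinPasswordLength ([int])
        $idle  = ConvertTo-Limit $Policy.MaxInactivityTimeLock ([TimeSpan])
        $fails = ConvertTo-Limit $Policy.MaxPasswordFailedAttempts ([int])
        $gaps  = @()
        if (-not $Policy.PasswordEnabled) { $gaps += 'PIN not required' }
        if ($null -eq $pin -or $pin -lt $Baseline.MinPin) { $gaps += 'PIN under 4 digits' }
        if ($null -eq $idle -or $idle -gt $Baseline.MaxIdle) { $gaps += 'PIN timeout over 15 min' }
        if ($null -eq $fails -or $fails -gt $Baseline.MaxFailures) { $gaps += 'no wipe within 10 tries' }
        if (-not $Policy.RequireDeviceEncryption) { $gaps += 'encryption not required' }
        if (-not $Policy.RequireStorageCardEncryption) { $gaps += 'card encryption not required' }
        # If this is true, devices that cannot enforce the policy are still allowed to sync.
        if ($Policy.AllowNonProvisionableDevices) { $gaps += 'non-provisionable devices allowed' }
        [pscustomobject]@{ Policy = $Policy.Name; Compliant = ($gaps.Count -eq 0); Gaps = $gaps -join '; ' }
    }
}

# Constructed sample objects standing in for Get-MobileDeviceMailboxPolicy output.
$samples = @(
    [pscustomobject]@{ Name = 'Permissive (constructed)'; PasswordEnabled = $false
        MinPasswordLength = $null; MaxInactivityTimeLock = 'Unlimited'
        MaxPasswordFailedAttempts = 'Unlimited'; RequireDeviceEncryption = $false
        RequireStorageCardEncryption = $false; AllowNonProvisionableDevices = $true }
    [pscustomobject]@{ Name = 'Hardened (constructed)'; PasswordEnabled = $true
        MinPasswordLength = 6; MaxInactivityTimeLock = '00:05:00'
        MaxPasswordFailedAttempts = 10; RequireDeviceEncryption = $true
        RequireStorageCardEncryption = $true; AllowNonProvisionableDevices = $false }
)
$samples | Test-MobilePolicyBaseline | Format-List

# Against a live server, in the Exchange Management Shell (Exchange 2013 or later):
#   Get-MobileDeviceMailboxPolicy | Test-MobilePolicyBaseline
# Step 3, once every phone complies ('Default' is an assumed policy name):
#   Set-MobileDeviceMailboxPolicy -Identity 'Default' -PasswordEnabled $true `
#     -MinPasswordLength 4 -MaxInactivityTimeLock 00:15:00 -MaxPasswordFailedAttempts 10 `
#     -RequireDeviceEncryption $true -RequireStorageCardEncryption $true `
#     -AllowNonProvisionableDevices $false
```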

Alternatively, there are third-party options like Good Technology and MaaS360 that can be used to create separate containers for firm data vs. personal data, which can be useful to address these concerns. The largest advantage (and disadvantage) is that this allows you to create a clear distinction between personal and company data. In a world of bring-your-own-device (BYOD), this can be appealing. In practice, it is also the largest challenge, requiring the use of separate company apps to access email, contacts and calendar that do not work exactly the same way as the native applications. There are also extra software costs and management involved with these tools.

If you have any questions on why you might want to use a third-party application or how to secure your Exchange Server, I’d be happy to help steer you in the right direction. I also have a sample mobile device security policy and communication to employees available upon request. Please feel free to email me. Happy and safe computing!


Dave Kinsey is the owner and president of Total Networks, the technology partner of many law firms throughout Arizona. For more information, email dkinsey@totalnetworks.com