How to Set Up an Acceptable Use Policy for Mobile Security at Your Business (and Get Employees to Use It)

The Verizon Mobile Security Index 2020 asked business leaders to rate how crucial mobile was to their organization on a scale of 1-10, and 83% of respondents rated it 8 or higher. Clearly, devices like smartphones and tablets are important to businesses. However, 54% of companies are not confident about their mobile security practices.

It’s important to feel that your critical business tools are secure, so this week we’re going to dive into how you can set up an Acceptable Use Policy for mobile device security that will help keep your business data secure. 

An Acceptable Use Policy governs a business’s mobile security by clarifying what employees can and can’t do with their mobile devices, including the ones they personally own. The top ways to protect devices are Endpoint Detection and Response and mobile device management solutions like Intune. Interplay can help you find the right tools for your business.

What Is an Acceptable Use Policy for Mobile Security?

An Acceptable Use Policy (AUP) sets rules on what employees can and can’t do with their mobile devices. It uses crystal-clear language to ensure that all staff members understand important details like:

  • Which websites are appropriate and inappropriate to visit
  • Which apps are okay to download and where apps can be downloaded from
  • How much data can be used and for what purpose
  • What steps to follow to ensure compliance
  • System requirements for accessing data
  • Whether employees are allowed to use public Wi-Fi on their devices

How to Set Up Your Organization’s Acceptable Use Policy

Setting up an effective AUP is critical for mobile device security and, fortunately, it’s not too hard to craft a good one. You’ll have to spend some time thinking about where cyber risk can enter your organization (typically users, apps, devices, and networks) and you’ll want to have a clear grasp on your compliance requirements, but aside from that, the exercise is mostly common sense. 

For example, since phishing is a huge risk to your company and mobile users are 3x more likely to be susceptible to phishing, you may want to restrict employees from checking their email on mobile. If that doesn’t sound realistic, you can instead require them to attend extra anti-phishing training, so they will be better prepared to spot phishing attempts.

As another example, since malware often runs rampant on sites for gambling, illegal content downloads, and adult entertainment, you may want to limit access to those types of sites entirely for employee devices. 

As a general rule, you will want to set clear rules that:

So far, so good. Right? Of course, there’s a catch.

Any good Acceptable Use Policy should apply to all devices that may access your company data, which means that if you allow employees to use their own devices to do their jobs, you will need to set limits on what your staff is allowed to do with their own phones and tablets.

As you can imagine, this has the potential to go over like a lead balloon.

How to Get Employees to Actually Follow Your AUP to Ensure Mobile Security

No one wants to be told what they can and can’t do with their own phone that they pay for – and that makes sense. Therefore, instead of setting a bunch of crystal-clear rules that every employee will break, it’s a better idea to set crystal-clear, automated policies that determine whether or not an employee should access your data on a device that they control. 

Mobile Device Management (MDM) solutions like Microsoft Intune can help you control and track access to your business’s data on employee personal devices, without infringing on their personal privacy or personal habits. You can get more details on Intune in our blog all about this killer service, but the general gist is that it helps you grant partitioned, secured access to company data on mobile devices. It doesn’t allow employees to download data to their personal devices, and it also blocks all data access for mobile devices that don’t meet your security standards. 

In short: Employees can choose to follow your Acceptable Use Policy rules or not, but if they don’t follow the rules to meet your minimum mobile security standards, they won’t be able to access business data on their mobile devices. 

Employees who are happy to meet phone security standards can choose to either maintain security themselves or let your company handle it for them, and meeting those standards is what grants them permission to access company data on their device.
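To make the "meet the standard or lose access" idea concrete, here is an added example (not Interplay's or Microsoft's code) that models the kind of automated compliance gate an MDM applies: each device reports its security posture, the organization's minimum standards are written down as policy data, and access to company data is allowed only when every check passes. The policy values, posture fields and sample devices are all constructed for illustration; a product like Intune expresses the same idea in its own compliance-policy settings.

```python
"""Compliance-gated access to company data, modelled on the MDM behaviour described above.

Added example, not code from Interplay or Microsoft. Every policy value, posture
field and sample device below is an assumption constructed for illustration.
"""
from dataclasses import dataclass, field

# Minimum standards the AUP requires of any device touching company data (assumed values).
POLICY = {
    "min_os": {"ios": (16, 0), "android": (13, 0)},   # minimum OS version per platform
    "require_encryption": True,                       # storage must be encrypted
    "require_screen_lock": True,                      # PIN/biometric lock must be on
    "block_jailbroken": True,                         # rooted/jailbroken devices denied
    "max_days_since_checkin": 7,                      # stale devices lose access
}


@dataclass
class DevicePosture:
    """What a device reports to the MDM agent (constructed fields)."""
    device_id: str
    platform: str
    os_version: tuple
    encrypted: bool
    screen_lock: bool
    jailbroken: bool
    days_since_checkin: int


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # every failed check, not just the first


def evaluate(device: DevicePosture, policy: dict = POLICY) -> Decision:
    """Return an allow/deny decision plus the list of standards the device fails."""
    reasons = []
    min_os = policy["min_os"].get(device.platform)
    if min_os is None:
        reasons.append(f"unsupported platform: {device.platform}")
    elif device.os_version < min_os:   # tuple comparison handles (16, 0) < (17, 1) correctly
        have = ".".join(map(str, device.os_version))
        need = ".".join(map(str, min_os))
        reasons.append(f"OS {have} below minimum {need}")
    if policy["require_encryption"] and not device.encrypted:
        reasons.append("storage not encrypted")
    if policy["require_screen_lock"] and not device.screen_lock:
        reasons.append("no screen lock configured")
    if policy["block_jailbroken"] and device.jailbroken:
        reasons.append("device is jailbroken/rooted")
    if device.days_since_checkin > policy["max_days_since_checkin"]:
        reasons.append(f"last check-in {device.days_since_checkin} days ago")
    # Access is granted only when no standard is failed; the reasons go back to the user
    # so they know exactly what to fix (or can let IT manage the device for them).
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample fleet: one compliant phone, one with an old OS, one failing several
# checks, and one on a platform the policy does not cover at all.
SAMPLE_DEVICES = [
    DevicePosture("phone-a", "ios", (17, 1), True, True, False, 1),
    DevicePosture("phone-b", "android", (11, 0), True, True, False, 2),
    DevicePosture("tablet-c", "ios", (17, 0), True, False, True, 30),
    DevicePosture("phone-d", "other-os", (1, 0), True, True, False, 1),
]


def report(devices=SAMPLE_DEVICES) -> dict:
    """Map each device id to its access decision."""
    return {d.device_id: evaluate(d) for d in devices}


if __name__ == "__main__":
    for device_id, decision in report().items():
        status = "ALLOW" if decision.allowed else "DENY "
        print(f"{status} {device_id}: {'; '.join(decision.reasons) or 'compliant'}")
```

The point of returning every failed check rather than a bare deny is the one the post makes: employees are not forced to do anything with their own phone, but they can see precisely which standard stands between them and company data, and the gate is enforced automatically rather than by a rule they might ignore.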

Another great solution that works in tandem with Intune is Endpoint Detection and Response (EDR), which can detect threats on mobile devices, quarantine the devices, and flag your IT team for follow-up. This helps limit the ability of compromised devices to access your data or networks.

Want to learn more about these solutions? Reach out to Interplay for answers. 


For 20 years, the friendly and knowledgeable IT team at Interplay has helped business leaders across a range of industries get more out of their tech, stress free. Not only are we always (and we mean always) happy to offer the best managed IT services, support, and advice, we’re also the team you can trust for the best cocktail recommendations here in Seattle or in Disney World – we’re versatile! All humor aside though, we’d love to help you get your IT running smoothly and securely, around the clock.

Photo by Frederik Lipfert from Unsplash