3 Best Practices for Improving Mobile Device Security on Your Network
With hybrid and fully remote work becoming more mainstream, more employees than ever are using both personal and corporate mobiles to access company data. This leaves security teams scrambling to implement best practices for mobile device security. Fortunately, Duo makes implementing mobile security policies simple.
In this post, we’ll talk about some impactful policies Duo Access and Beyond organizations can start enforcing today with minimal effort and high value to increase security posture. These policies are geared to protect your organization when access devices don't meet your security needs. We can help block those authentications and provide remediation steps that your users can use to make their devices much more secure before accessing your sensitive applications and data.
1. Require screen lock
Policies Available in: Duo Access and Duo Beyond
One of the more prevalent best practices for securing your mobile devices, whether it is a corporate device or a personal device, is to enable a screen lock in order to gain access to the device. However, we continue to see people not taking these steps to secure their devices either due to wanting more ease of use without having to enter a screen lock or some users forgetting or unknowingly skipping this step to secure their device.
In previous years, we’ve seen research groups like Pew Research Center report that 28% of smartphone owners say they do not use a screen lock or other security features to access their device. In our own findings with a subset dataset, we found that 1 in 3 Android devices don't use passcodes on their lock screens, compared to 1 in 20 on Apple devices. Over the past two years, Duo has found that 5% of users do not have screenlock enabled and configured on their devices.
With the increase in development of more secure protocols and improved user experience with biometrics and pattern locks for devices is changing things. Consumers now have an avenue of a less scary and easy setup and usage regarding screen locks. Yet findings from Statista, a research company surveying 1,146 people globally, 1.6% or 18 people from this small group still have no screen lock enabled for their devices.
You can increase your security posture by enabling Screen Lock on your Duo Policy which will block these devices trying to access your applications until the user remediates their device by securing their device with a screen lock.
2. Shut out tampered devices
Policies Available in: Duo Access and Duo Beyond
People jailbreak their devices for different reasons, some legitimately due to research and development reasons and some due to ill intent. Part of a bad actor's goal is to go through their attack undetected and unidentified. Having a jailbroken or rooted device helps bad actors conceal their identity and information about their device with false data. Regardless of the reason, once the device is jailbroken it means that the security model of the mobile device OS can no longer be acceptably trusted.
Just like with screen lock, this is common with users around the world having a tampered device. It is difficult to determine an exact number of jailbroken devices. However, Pingdom reports a rough estimate of as many as 8.5% of all iOS devices are jailbroken. We know that jailbreaking iOS is also a very popular topic among users, as a subreddit for jailbreak consists of 658,000 members who provide tips and discussions on their jailbroken devices.
For android devices, security experts from Verimatrix reported data that shows 36 out of every 1000 Android devices are rooted globally. That’s 3.6% Android devices being rooted but does not calculate all other types of tampered methods like code and memory tampering.
By enabling Tampered Devices policy, Duo can help verify if a device is jailbroken or rooted and prevent these devices from accessing your applications. Duo has developed a unique detection and algorithm to determine a jailbroken iOS device and also utilizes Google's SafetyNet device attestation to identify tampered-with Android devices.
3. Enable full-disk encryption
Policies Available in: Duo Access and Duo Beyond
Why should you care if mobile devices are full disk encrypted and why should you care if non-encrypted devices are accessing your applications?
Data gets saved onto a device’s hard drive, whether automatically from apps or manually by a user. This means some of your organization's data could be stored on a device's hard drive. Leaving the device unencrypted opens the door for potential bad actors to gain access easily to that critical data if the device were to fall into the wrong hands.
With the growing number of devices being used in organizations, there is now more risk as your critical data becomes more mobilized. More mobile devices lead to more security vulnerabilities occurring like lost or stolen devices which could go unreported. Verizon’s 2022 Data Breach Investigation reported that 82% of breaches involved the Human Element and there has been an increase in ransomware by 13% – more than in the last 5 years combined.
When a device has full-disk encryption enabled, it automatically encrypts the data on that hard drive to something that cannot be deciphered without the right authentication key. Instantly protecting the data on that device.
By turning on Full-Disk Encryption in your policy checks, you’re ensuring that only devices with full-disk encryption enabled are accessing your applications protecting your critical data.
More information on best practices for mobile device security
To review more policies to help protect your users, endpoints, and data even further please review our Duo Administration Policy & Control guide or read our series.
Duo also provides dashboards that allow customers to monitor the status of mobile devices on their networks.
For interested customers who would like to continue the conversation with a trusted advisor, please contact your respective Duo Care team or designated sales representative about what Duo Care can offer you.