
Posted 24 May 2019

Since May 25, 2018, the GDPR (General Data Protection Regulation) has changed the way personal data is collected, organized, managed and protected by every organization. From their smartphones, employees can reach their company's customer and prospect databases, data that is tightly regulated by the GDPR. Compliance with the European regulation is substantive work on PCs and smartphones alike, since the latter, just like computers, are increasingly connected to company servers. While the GDPR brings new rights and protections for consumers, it also raises the bar for mobile data security. Mobile risk management must become a priority for IT.



Securing mobile data is no longer an option

And yet, what’s more difficult to secure than a device that can be connected to multiple networks, with many applications both personal and professional, and where communications (voice, SMS, email, instant messaging) can be intercepted?


Read also: What cyber threats are targeting your organization’s mobile communications and data? – Act I


The GDPR makes businesses accountable: the protection of personal data, and of the way it is used, must be real and effective. In the event of an audit or a data leak, the organization will have to demonstrate that appropriate technical and organizational measures were in place to protect the personal data stored on company smartphones. This usually requires a robust solution that goes well beyond the features of a basic MDM (Mobile Device Management) product.


How to better understand risk management?

The GDPR requires data protection impact assessments (DPIAs) for processing that is likely to pose a high risk to individuals. In practice, each organization must take the time to map every information flow and every data store on company servers and devices, mobile devices included. Who has access to which data? For what purpose? What fences and safeguards are in place? Who manages access rights?


Read also: Are the smartphones of your organization secure?


All of these questions must be anticipated, with a "privacy-by-design" approach that makes security a non-negotiable requirement from the start of any digital project.

Risk management must therefore drive organizations to secure business phones with the highest standards.


A few examples:

  • Access to phones: Are all smartphones protected by a screen lock by default? What type of passcode is required? Who can change or remove it?
  • Update management: Are mobile OS updates deployed fleet-wide by default? Do you know which OS versions are actually running across your fleet, and which devices have fallen behind?
  • Downloading applications: What procedures are in place to keep malicious or untrusted apps off a smartphone? Who can install new applications? Which applications are allowed or prohibited? Are installations restricted to an allowlist, an official marketplace, or permitted from any source?
  • Loss and theft: What policies apply when a mobile device is lost or stolen? Can you locate smartphones? Can you wipe them remotely, and has every device actually been enrolled for it?
  • Securing communications: Are all your communications (voice, SMS, email, instant messaging) encrypted against interception? How would you demonstrate that your information is correctly protected?
  • Protecting access to the information system: Could a compromised business smartphone serve as a foothold into your information system and jeopardize the confidentiality of the data it holds?
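The first four items of this checklist can be turned into a routine control rather than a one-off questionnaire. The script below is an added example, not code from the original article or from any vendor: it audits a small, constructed device inventory (the field names `os_version`, `screen_lock`, `passcode_type`, `passcode_len`, `apps` and `remote_wipe_enrolled` are assumptions standing in for whatever an MDM export actually provides) against a policy that fixes an OS version floor per platform, a passcode requirement, an application allowlist and remote-wipe enrolment, and reports every device that fails at least one check. Versions are compared as integer tuples, because comparing them as strings would rank "9" above "16".

```python
"""Fleet audit against a mobile security policy (added example, not the
page's own code). The inventory records below are constructed, and the
field names are assumptions; map them onto your MDM export's real schema."""

from dataclasses import dataclass


@dataclass
class Policy:
    min_os: dict             # platform -> lowest OS version still accepted
    allowed_apps: set        # package identifiers that may be installed
    allowed_lock_types: set  # passcode types accepted by the lock policy
    min_passcode_len: int    # shortest passcode accepted


POLICY = Policy(
    min_os={"ios": "16.7", "android": "13"},
    allowed_apps={"com.example.crm", "com.example.mail", "com.example.messenger"},
    allowed_lock_types={"alphanumeric", "numeric"},
    min_passcode_len=6,
)

# Constructed sample export; these are not real devices.
FLEET = [
    {"id": "D-001", "platform": "ios", "os_version": "17.1", "screen_lock": True,
     "passcode_type": "alphanumeric", "passcode_len": 8,
     "apps": ["com.example.crm", "com.example.mail"], "remote_wipe_enrolled": True},
    {"id": "D-002", "platform": "android", "os_version": "12", "screen_lock": True,
     "passcode_type": "numeric", "passcode_len": 4,
     "apps": ["com.example.crm", "com.unknown.flashlight"], "remote_wipe_enrolled": True},
    {"id": "D-003", "platform": "ios", "os_version": "16.7.2", "screen_lock": False,
     "passcode_type": None, "passcode_len": 0,
     "apps": ["com.example.mail"], "remote_wipe_enrolled": False},
]


def parse_version(s):
    """'16.7.2' -> (16, 7, 2). Tuples compare numerically; strings do not."""
    return tuple(int(part) for part in s.split("."))


def version_at_least(actual, minimum):
    """True if actual >= minimum, padding with zeros so '16.7' equals '16.7.0'."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def check_device(dev, policy):
    """Return the list of finding codes for one device; empty means compliant."""
    findings = []
    # Access to phones: a lock must exist, be of an accepted type and long enough.
    if not dev["screen_lock"]:
        findings.append("no-screen-lock")
    else:
        if dev["passcode_type"] not in policy.allowed_lock_types:
            findings.append("lock-type-not-allowed")
        if dev["passcode_len"] < policy.min_passcode_len:
            findings.append("passcode-too-short")
    # Update management: the OS must meet the per-platform floor.
    floor = policy.min_os.get(dev["platform"])
    if floor is None:
        findings.append("unknown-platform")
    elif not version_at_least(dev["os_version"], floor):
        findings.append("os-below-floor")
    # Downloading applications: anything outside the allowlist is a finding.
    for app in dev["apps"]:
        if app not in policy.allowed_apps:
            findings.append(f"app-not-allowed:{app}")
    # Loss and theft: the device must be enrolled for remote wipe.
    if not dev["remote_wipe_enrolled"]:
        findings.append("no-remote-wipe")
    return findings


def audit_fleet(fleet, policy):
    """Map device id -> findings, listing only devices with at least one finding."""
    return {dev["id"]: f for dev in fleet if (f := check_device(dev, policy))}


if __name__ == "__main__":
    for dev_id, findings in audit_fleet(FLEET, POLICY).items():
        print(dev_id, ", ".join(findings))
```

Run periodically against the real export, the report is also the evidence the accountability principle asks for: a dated record of which controls were checked, on which devices, and what was found.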


This effort goes beyond IT, and should involve HR (education and internal policies), Legal (legal advice and legal risk management), Communications (internal communications) and the executive management (to drive activities and place security front and center).


Read also: Destabilization, espionage, sabotage: raising awareness at the management level


Because it imposes new, stricter and more protective standards, the GDPR should be seen as a chance to turn an obligation into an opportunity. The fundamental question is not how much effort it takes to comply with the GDPR and secure mobile data, but how much time and money that effort saves compared with the very real consequences of an attack on one or several smartphones in your fleet.