
8 key aspects of a mobile device security audit program

Auditing is a crucial part of mobile device security, but IT admins must ensure their approach is thorough and consistent. Learn what aspects make up a mobile device audit program.

To protect corporate data and prevent security incidents, IT must have a program in place to audit all of the devices in an organization.

What falls under the category of "mobile device" for auditing has evolved over the years. While smartphones and tablets might come to mind first, mobile device security audits today should encompass a broader landscape.

Laptops are integral but so are often-overlooked IoT devices. Any device that can move and connect to various networks -- a cellphone, laptop or even a smart appliance -- falls under this expanded definition. Strong security controls are crucial with the growing presence of these devices in the workplace. A comprehensive mobile device audit program is one of the most effective ways to safeguard these critical assets.

Why are mobile device security audits important?

Mobile devices store and transmit sensitive data on both managed and unmanaged networks. To mitigate risk, IT departments should conduct a mobile device security audit to systematically evaluate their organization's mobile device security measures.

A mobile device security audit assesses details such as the types of devices, OS versions, policies, access control, software updates and encryption. By examining these features, organizations can figure out how secure corporate resources are against potential data breaches.

Mobile auditing in the enterprise isn't just about cellphones. It should be smaller than a complete network audit but still include anything that connects to the internet and can move around. Servers and desktops don't move around, but everything that can be mobile must be part of an audit. Some devices might seem fixed to one place or only serve one purpose, but they could still pose issues if they connect to Wi-Fi or Bluetooth. There can be significant security risks with gadgets such as smart doorbells or even smart coffee machines.

For example, some organizations authenticate devices to Wi-Fi with a single shared pre-shared key (PSK) rather than with more secure certificate-based methods such as 802.1X with EAP-TLS. Anyone who knows that PSK can join a personal smart device to the corporate network, so IT admins need to know what that device is doing there. Is it sending data across the network? Where is that data going? Can bad actors exploit it?

It's important to consider factors such as the OS version, manufacturer support and network segmentation in a mobile audit. Because network security is a key component of mobile security, IT admins should segment IoT and other network-connected devices from critical corporate infrastructure, for example by placing them on separate VLANs or SSIDs with firewall rules that permit only the traffic they need. A true air gap is rarely practical for devices whose whole purpose is to connect over Wi-Fi or Bluetooth, so isolation at the network layer is the realistic control.

An audit shouldn't be a one-and-done task; it should be a recurrent part of a broader program. Regular audits help IT strengthen cybersecurity measures and keep them up to date, while educating end users on best practices for mobile security.

[Figure: top mobile security threats: malware attacks, phishing, lost or stolen devices, cross-app data sharing and unpatched OSes.]
A mobile device audit program should include measures to prevent and address common security threats.

8 key aspects of a mobile device security audit program

When conducting an audit, IT should pay particular attention to the riskier devices that employees bring into the organization and keep those devices patched and within manufacturer support. While MDM is important for managing access and data loss prevention, mobile threat defense (MTD) tools are also essential; NIST's updated guidance on managing mobile device security in the enterprise (SP 800-124 Rev. 2) now covers MTD alongside MDM.

There are several moving parts involved in a mobile device security audit program. To ensure that it's comprehensive and effective, admins should focus on the following key aspects:

  1. Policies and procedures. Organizations must provide clear, thorough mobile device policies. These policies should cover acceptable use, data handling, passwords and remote access. IT should also regularly review and update security policies.
  2. Access control. Strong authentication methods, such as multifactor authentication, should be in place, along with role-based access control for sensitive data. Additionally, monitor and log all access attempts.
  3. Software and updates. IT should follow a rigorous update schedule for OS versions and security patches, with updates for critical vulnerabilities taking priority. Use MDM tools to help automate updates and compliance as well.
  4. MDM. IT should use a comprehensive MDM platform for central management, policy enforcement, inventory tracking, remote wiping and app deployment. MDM logs should also undergo regular audits.
  5. Encryption. IT should require strong, standard encryption for data at rest and in transit, such as full-disk or file-based encryption on the device and TLS for network connections, and define which sensitive information must be encrypted on devices. Rely on hardware-backed key protection, such as a Trusted Platform Module on laptops or Apple's Secure Enclave on iPhones and Macs, so that keys are not exposed to the OS and encryption carries little performance cost.
  6. Security awareness training. Users should receive education on mobile security and their role in maintaining it. This can include training on password hygiene, phishing, malware and other common threats, as well as instructions for what to do in the event of device loss or theft.
  7. Removable media. Organizations should define policies for using removable media with mobile devices. Enforce encryption for data transfer to and from removable media, and consider restricting access if it isn't essential.
  8. Compliance with NIST and other security standards. NIST guidelines and other relevant data security standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and HIPAA, must factor into audit programs. Evaluate password policies, encryption methods, incident response procedures, MDM, MTD and other factors against these standards.

Best practices for building an audit program

There isn't a one-size-fits-all audit program that all IT departments can adopt. The specific details to focus on for a mobile device security audit program depend on the following factors:

  • Organization size. A large organization with a diverse range of mobile devices might need a more comprehensive audit program than a smaller organization with limited devices.
  • Device types. The types of mobile devices in use within the organization can influence the audit approach. For example, IT might focus on encryption and physical security when auditing laptops, while auditing smartphones might require more focus on access control and app security.
  • OSes. Different OSes have varying security features and vulnerabilities, requiring tailored audit approaches.
  • Industry regulations. Organizations in regulated sectors, such as healthcare or finance, often need to follow industry-specific security standards. Their audit programs should reflect this.
  • Device ownership. Organizations with BYOD deployments must include some extra security and privacy considerations in their audit procedures.

Once admins determine the audit objectives and scope, they should create and follow an audit checklist, which should generally include the following steps:

  1. Audit mobile endpoints, including smartphones, laptops and IoT devices.
  2. Ensure network isolation and segmentation for IoT and mobile devices.
  3. Update IoT and mobile devices to the latest supported versions.
  4. Implement basic MDM tools.
  5. Implement advanced security tools, including MTD, especially for high-risk organizations.
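Steps 1 through 3 of the checklist, together with the earlier point about keeping IoT devices off corporate network segments, can be turned into a repeatable check that runs over an MDM or asset inventory export. The following is an added example written for this page, not code from the article or from any MDM product; the record fields, device IDs, minimum OS versions, subnets and check-in window are all assumptions chosen for illustration.

```python
"""Added example (not from the article): evaluate a constructed MDM/asset
inventory export against an audit policy. Record fields, policy values,
subnets and device IDs are assumptions chosen for illustration."""
import ipaddress
from datetime import date

# Assumed policy: minimum OS version per platform, maximum days since the
# last MDM check-in, and the network segment each device class may sit in.
POLICY = {
    "min_os": {"ios": (17, 0, 0), "android": (13, 0, 0), "windows": (10, 0, 19045)},
    "max_checkin_days": 14,
    "allowed_subnets": {
        "corporate": [ipaddress.ip_network("10.10.0.0/16")],
        "iot": [ipaddress.ip_network("10.99.0.0/16")],
    },
}
AUDIT_DATE = date(2024, 6, 1)  # pinned so the check-in age is reproducible

# Constructed sample inventory in the shape a CSV/JSON export might take.
SAMPLE_INVENTORY = [
    {"id": "ip-1001", "device_class": "corporate", "platform": "ios",
     "os_version": "17.5", "managed": True, "encrypted": True,
     "vendor_supported": True, "last_checkin": "2024-05-30", "ip": "10.10.4.21"},
    {"id": "an-2002", "device_class": "corporate", "platform": "android",
     "os_version": "11.0", "managed": True, "encrypted": True,
     "vendor_supported": True, "last_checkin": "2024-05-29", "ip": "10.10.4.22"},
    {"id": "lt-3003", "device_class": "corporate", "platform": "windows",
     "os_version": "10.0.19045", "managed": False, "encrypted": False,
     "vendor_supported": True, "last_checkin": "2024-04-01", "ip": "10.10.5.7"},
    {"id": "cm-4004", "device_class": "iot", "platform": "coffee machine firmware",
     "vendor_supported": False, "ip": "10.10.7.9"},
    {"id": "db-5005", "device_class": "iot", "platform": "doorbell firmware",
     "vendor_supported": True, "ip": "10.99.3.4"},
]


def parse_version(s):
    """'17.5' -> (17, 5, 0). Pad to three parts so '17' and '17.0.1' compare correctly."""
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (3 - len(parts))


def audit_device(dev, policy=POLICY, today=AUDIT_DATE):
    """Return the list of findings for one record; an empty list means compliant."""
    findings = []
    cls = dev["device_class"]
    if cls == "corporate":
        # Managed endpoints: OS floor, MDM enrollment, storage encryption, freshness.
        min_os = policy["min_os"].get(dev.get("platform"))
        if min_os is None:
            findings.append("unknown platform")
        elif parse_version(dev["os_version"]) < min_os:
            findings.append("os_version below minimum")
        if not dev.get("managed"):
            findings.append("not enrolled in MDM")
        if not dev.get("encrypted"):
            findings.append("storage not encrypted")
        # A device that has not checked in for weeks is effectively unmanaged.
        age = (today - date.fromisoformat(dev["last_checkin"])).days
        if age > policy["max_checkin_days"]:
            findings.append(f"last check-in older than {policy['max_checkin_days']} days")
    # Applies to every class: out-of-support gear never gets another patch.
    if not dev.get("vendor_supported", True):
        findings.append("no longer supported by manufacturer")
    # Segmentation check: is the device on a segment its class is allowed to use?
    ip = ipaddress.ip_address(dev["ip"])
    if not any(ip in net for net in policy["allowed_subnets"].get(cls, [])):
        findings.append(f"{cls} device outside its allowed network segment")
    return findings


def audit_inventory(devices, policy=POLICY, today=AUDIT_DATE):
    """Map device id -> findings for the whole export."""
    return {dev["id"]: audit_device(dev, policy, today) for dev in devices}


if __name__ == "__main__":
    for dev_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{dev_id}: {'OK' if not findings else '; '.join(findings)}")
```

Run as a script, it prints one line per device; the unmanaged, unencrypted laptop and the out-of-support coffee machine sitting on the corporate subnet are the records that should end up on the audit's remediation list. Versions are compared as integer tuples rather than strings so that "17.10" is correctly newer than "17.9", and the IoT class deliberately skips the MDM and encryption checks because those devices cannot enroll, which is exactly why their segment matters.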

Michael Goad is a freelance writer and solutions architect with experience handling mobility in an enterprise setting.
