Are Your Mobile Phones & Tablets Adequately Protected?

Digital enterprise

By Dave Kinsey

Have you ever had to call your mobile phone from another phone to find where you misplaced it? What would happen if you couldn’t find it at all because your phone was lost or stolen? Is your firm’s reputation at risk? Do you have a legal and/ or ethical responsibility to report a data breach and to whom?

If your firm is like most firms I work with, just about everybody has an iPhone or Android phone. Many of these phones are connected to the firm’s Microsoft Exchange server to sync email, calendar and contacts (which should be considered confidential information). Although connecting phones and tablets to your work email is fairly simple, these default setups will not provide adequate protection if you lose the device. Fortunately, implementing mobile device security does not have to be overly complicated or expensive, assuming your systems have reasonably current technology.

Configure Your Exchange Server to Enforce Minimum Security Requirements
Once enabled on your mail server, if a device attempts to connect that does not meet the minimum security requirements, it will be blocked until the security settings on the device are updated to meet or exceed the standard. I strongly recommend your firm review both your written and system configuration policies on a regular basis to ensure that you are taking reasonable precautions to avoid the risk of data breach.

At a minimum, I recommend requiring that all phones that connect to your Exchange Server have:

  1. PIN required to access phone: 4-digit minimum, longer is better.
  2. PIN timeout: This is the amount of elapsed idle time before requiring the PIN to be re-entered. This can be set to between 0 and 60 minutes in one-minute increments, 0 means a PIN must be entered every time a phone is turned on – 15-minute minimum recommended, shorter is better.
  3. Failed login attempts before wipe: This can currently be set to between 4 and 16 attempts – 10 failed attempts recommended. This means after 10 failed attempts, the phone would be wiped back to factory specifications.
    Require encryption: Enabled (also recommend setting to require encryption on storage card, if any).

With this level of protection, you will have taken reasonable steps to protect confidential information. If you do not currently have this level of protection, and intend to make the changes required to better protect confidential information, I’d recommend the following:

  1. Communicate to everybody in the firm exactly what changes you are making and why you are doing this. Consider having everyone in your firm sign a mobile device security policy and include in new hire paperwork if you don’t have this already.
  2. Update all existing phones to meet the security specifications in advance. Regarding encryption, all modern iPhones (iOS7 and higher) should already be encrypted by default. It’s a fairly simple matter to encrypt Android phones.
  3. After you’ve confirmed all existing phones meet the minimum requirements, then change the settings on the Exchange Server to ensure that these settings will be enforced for all new phones. Individuals may have settings that are more secure (such as setting a longer PIN or a PIN timeout that is shorter than the minimum setting), but they will not be allowed to change the setting to something less secure.

Alternatively, there are third-party options like Good Technology and MaaS360 that can be used to create separate containers for firm data vs. personal data that can be useful to address these concerns. The largest advantage (and disadvantage) is that this allows you to create a clear distinction between personal and firm data. In a world of Bring- Your-Own-Device (BYOD), this can be appealing. In practice, it is also the largest challenge, requiring the use of separate “firm apps” to access email, contact, calendar that do not work exactly the same way as the native applications. There are also extra software costs and management involved with these tools.

If you have any questions on why you might want to use a third-party application or how to secure your Exchange Server, I’d be happy to help steer you in the right direction. I also have a sample mobile device security policy and communication to employees available upon request. Please feel free to email me. Happy and safe computing!


Dave Kinsey is the owner and president of Total Networks. Total Networks is the tech­nology partner to many law firms through­out Arizona. Services include document management, backup and disaster recov­ery, business communications, and general IT support (for firms with or without in­house technical staff). Have a question for the IT Expert? Emaildkinsey@totalnetworks.com.