Most people in IT pick the wrong tool
And it costs them

Here's the problem: MDM (Mobile Device Management) controls the entire device. MAM (Mobile Application Management) controls just the apps and data.

They're not interchangeable. But most people treat them like they are. They both manage mobile access, so people assume they're the same. They're not.

Here's what happens when you get it wrong:
• MDM invades BYOD personal privacy
• Employees push back and disengage
• IT teams face constant friction
• MAM leaves corporate devices exposed
• No wipe, encryption, or compliance

That's not a policy gap. That's a security incident waiting to happen.

So here's how to get it right:

Use MDM for corporate devices.
• Full device encryption
• Remote wipe capabilities
• Complete compliance enforcement
• You own the house, you set the rules

Use MAM for BYOD.
• Protect Outlook, Teams, and OneDrive
• Leave personal apps and photos untouched
• Less invasive, more trust, less friction
• You rent the room, not the whole house

And for a modern Zero Trust architecture? Use both.

MDM gives you power. MAM gives you balance. Together, they give you control without crossing the line.
Mobile Security Best Practices
Italian regulators just gave legal teams a very useful case study.

Poste Italiane and Postepay were fined after the BancoPosta and Postepay apps allegedly required users to allow monitoring of data from their phones, including installed and running apps, to access core services. The companies said it was for fraud prevention and payment security. The regulator said the collection went too far and was not necessary for that purpose.

What matters to legal and compliance leaders is not the headline fine. It is how this kind of decision gets made inside a product. A control is added in the name of security. Engineering enables broad device telemetry. The business signs off because it reduces risk. Legal reviews the purpose statement. Almost nobody reviews the actual technical behavior with enough depth. That is how invasive processing becomes normal.

This case also included the problems you would expect once that happens: weak user information, an inadequate DPIA, security shortcomings, poor retention controls, and processor governance issues.

This is the part privacy teams need to take seriously. Most privacy programmes still govern documents better than they govern systems. That is a bad trade. If your team cannot see what the app collects, what the SDKs expose, what gets stored, and who can access it, then your privacy posture is built on explanations from other teams. Not evidence.

For DPOs, privacy lawyers, and compliance leaders, the better questions are operational:
- What data is the app actually reading from the device?
- Which fields are truly necessary for the control to work?
- What evidence supports necessity, not just usefulness?
- Did the DPIA test the implementation, or did it just restate the intended purpose?
- Who operates the processing in practice. The controller, the processor, or some vendor chain nobody has mapped properly?

A lot of privacy failures do not start with bad intent. They start with technical collection expanding faster than legal oversight. That is why legal accountability without technical visibility keeps breaking under scrutiny.

#Privacy #Compliance #GDPR #App #DPO
-
I've been spending a decent amount of time working on/updating a BYOD (Bring Your Own Device) policy. Many companies seem to embrace BYOD as they are able to see cost savings on equipment and increase employee morale by letting them use their own equipment. However, BYOD comes at a cost.

A BYOD policy is crucial for cybersecurity for several reasons:

1. Increased Threat Surface: Unmanaged personal devices can introduce a whole host of security risks:
   - Unknown Vulnerabilities: Personal devices might have outdated software, unpatched vulnerabilities, or inadequate security settings compared to company-managed assets.
   - Exposure to Malware: Devices used for personal browsing and app downloads can become infected, compromising data when connected to the corporate network.
   - Data Mishandling: Employees might store sensitive company data on devices without proper protection measures, creating risks of loss or theft.
2. Lack of Centralized Control: IT lacks direct control over the security of personal devices, making it harder to:
   - Enforce Security Standards: Can't guarantee devices meet the company's encryption, password, and software patch policies.
   - Remote Wipe: If a device is lost or stolen, IT won't be able to remotely wipe sensitive company data.
   - Monitor for Threats: Difficult to detect unusual activity or malware infections on non-company-managed devices.
3. Regulatory Compliance Issues: Many regulations like HIPAA, PCI DSS, and GDPR mandate data protection measures that BYOD can make difficult to enforce:
   - Data Handling: BYOD blurs the lines of where company and personal data reside, complicating regulations around appropriate handling.
   - Breach Notifications: If a personal device containing company data is involved in a breach, the reporting requirements become more complicated.

What a Good BYOD Policy Does
- Sets Clear Expectations: Outlines permitted devices, security requirements (password complexity, encryption), and acceptable use.
- Addresses Privacy: Balances security needs with employee privacy, establishing which data IT can monitor and/or wipe.
- Defines Acceptable Security Measures: Might require mobile device management (MDM) software, app restrictions, VPN use, and more.
- Includes Incident Response: Outlines procedures for reporting malware infections, lost/stolen devices, and data breaches.

Key Point: A BYOD policy is not about outright banning or fully controlling personal devices. It's about establishing a framework to balance employee flexibility with corporate data security and legal obligations.

What am I missing? What else should be in a good BYOD policy?