Establish a screen timeout period as part of a BYOD security policy

Expert Michael Cobb provides advice on why and how enterprises should establish a screen timeout period as part of any BYOD security policy.

My enterprise already employs screen timeouts to help secure desktops, but should they also be implemented on mobile devices as part of a BYOD security policy? Or do mobile devices already have a sufficient timeout period?

Ask a question expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email at [email protected].

Given the number of laptops and mobile devices that are lost each year, their security should be high on any priority list, particularly as it can save time, money, data and embarrassment. In general, smartphones, tablets and mobile devices should meet the same security standards as any computer. Otherwise they become unprotected access points to corporate data. A timeout period is the amount of time a device can be inactive before a password or PIN is required to unlock and access it again, and I recommend that you enforce screen timeouts as part of your BYOD policy.

Lost and stolen devices are among the most commonly reported incidents leading to data exposure. Enforcing automatic logouts after a period of inactivity is a sensible and simple security measure. It also prevents unauthorized access from the curious or malicious opportunist, as well as the office joker who likes to send embarrassing email and texts from other peoples' phones. From a compliance perspective, an organization may need to cover password length, complexity and expiry period in its BYOD policy, as well as the action to be taken if the threshold for failed attempts is exceeded (e.g., the phone requires an administrator to unlock it).

I'm always surprised how many people leave their laptops and phones active and completely unattended during meetings and conferences. Portable devices that are used in public should never be left unattended, but with a suitable timeout activated, at least passersby won't be able to see open emails and documents. While most smartphones timeout within a minute of inactivity, they don't require a passcode to unlock them by default. While laptops that require a password to login will require it to be reentered after it's timed out, laptop default timeout period tends to be too long from a security perspective.

ISO 27001 states that it is the user's responsibility to prevent unauthorized user access, and compromise or theft of information, and control A.11.5.5 Session timeout states, "Inactive sessions should be shut down after a defined period of inactivity." While shorter timeout periods are obviously more secure, they can annoy users. Any policy requirement for a timeout period needs to be strictly enforced, otherwise users will try to circumvent the rule. Screen timeout period requirements largely depend on an organization's tolerance for risk and adherence to other corporate policies or restrictions. If you want to insist on a short timeout period, consider laptops with fingerprint readers that provide a quick and easy way to log back in; some smartphones support fingerprint logins too.

This was last published in November 2012

Dig Deeper on BYOD and mobile device security best practices