Mobile devices offer well-established benefits in terms of productivity and efficiency gains for employees and enhanced services for consumers. But there’s a catch: The ways smart phones, laptops and tablets interconnect work life and personal life raise serious security challenges for organizations—and the stakes are high.
Consider a recent survey by Intel and the Ponemon Institute of 300 U.S. organizations that revealed the loss of an estimated 86,000 laptops. This caused $2.1 billion in damages in terms of data breaches, lost intellectual property, reduction in productivity, and legal and regulatory charges.
Smart phones, now accounting for nearly one in five mobile phone sales, contain more personal details than probably any other device. In addition to being prone to loss or theft, customized hardware and open source operating systems mean patches aren’t centrally managed and anti-virus software isn’t often deployed resulting in an inconsistent security posture. As a result, the multiple security risks posed by mobile devices need to be carefully managed.
Managing the Risks
Mobile devices and networks differ from standard enterprise computer systems in several ways. In addition to intrusions for the purpose of theft, there exists the possibility of disruption, such as unauthorized traffic that clogs wireless networks or circumvents unauthorized access to spy on private data. Since smart phones connect to networks through multiple channels like SMS or Wi-Fi that allow interoperability with other devices, an infection on one device can be used to exploit another. Meanwhile, tablets, while they act as laptops in how they access corporate resources, often lack the same security controls, such as full-disk encryption, personal firewalls, network access control, and spyware or malware protection.
Concerns over security will only intensify in the future, as other types of mobile technologies emerge for business and personal use, bringing new benefits and also new risks. The market for mobile downloadable apps, for example, lacks a robust security standard to protect users, as platform owners do not actively police the behavior or security vulnerabilities of these apps.
Simply strengthening encryption and infrastructure, or adding mobile technologies to existing security policies and processes, may not suffice. While IT security has traditionally focused on protecting the perimeter, this strategy loses its effectiveness in an increasingly mobile environment marked by a proliferation of wireless connections and uncontrolled apps.
Still, many organizations continue to do little to secure these devices, failing to take advantage of even basic security practices like encryption, back-up and anti-theft technologies. Many view mobile security as less worthy of company resources than infrastructure security because the risks appear lower. This can be a serious mistake, as the risks have not for the most part been accurately identified or the potential negative impact entirely assessed.
To effectively guide development of a security strategy or initiative for mobile technologies, we suggest the following:
1. Begin addressing the four main layers of security – the network, device, application and back-end system. Since wireless networks are relatively open and can be used as a door through which an attack can be mounted, CIOs need to take a hard look at the organization’s wireless local area network and remote access policies. They must demand that their network service providers demonstrate the same rigor, and are aligned with the company’s own policies. Similarly, organizations should consider urging network providers to sign up for one of the various “clean pipes” initiatives, which analyze traffic over the network or perform intelligence sweeps to identify bonnets (software agents that run autonomously and automatically) and other problems that can prevent traffic from moving through the network that affects legitimate use.
In terms of the device, basic anti-theft, encryption and remote wiping technologies need to be activated to protect sensitive data and user credentials. Organizations can expect that many employees who want the latest technology will probably acquire it on their own and use it for both personal and company activities. This means bypassing company controls and forwarding corporate emails and information to their personal email accounts so they can access it on their personal smart phone. Technology alone will not comprise a security solution, but it can help enforce corporate policy. The best approach is to put in place policies that explain what devices and platforms are supported and what security-conscious behavior looks like.
Since most mobile apps are not engineered with security in mind, organizations need to protect against application-level weaknesses. In building a mobile app for company use, make sure the design does not allow it to expose sensitive data to other apps. The ideal approach is to provide security layers so if someone bypasses one security measure there is additional security in place to protect the data. Again, organizations need to remind end-users of risky behaviors. With elements of the back end increasingly migrating to the cloud, mobile users can be roaming anywhere in the world. Prior to selecting a cloud provider, requirements for the application, platform, data and infrastructure on which selection is based need to be established. Among the questions that need to be asked are: What level of security must be placed on each of these layers? Can the data reside elsewhere in the world? Are there specific regulatory requirements that govern store, access and transmission of information? What kind of governance, monitoring, alert and response systems need to be in place?
2. Build a hard nosed “culture of security.” Strong policies and processes to protect data need to be in place. Processes cover the means by which users can access mobile technologies and have them properly configured. Security measures should be transparent to the end user while not restricting their productivity. User training on the use of devices and security tools – and it can be as simple as instructing users on how to avoid having devices stolen while traveling or how to choose secure passwords – and administrator training on how to effectively manage, monitor and audit the tools and devices, must be implemented.
3. Use carrots, not just sticks, to motivate behavior. It can be a good idea for an organization to offer incentives – rather than punishment – to promote secure behavior and a willingness to distinguish accidents from malicious intent. Employees, for example, could receive a discount to purchase approved devices, and IT organizations or business units could be rewarded for reducing the number of security breaches. The workplace environment should be such that employees can feel comfortable knowing they can report the loss of a device or a security lapse with impunity.
4. Know your enemy. Resources need to be focused on areas that are most vulnerable and where the impact of a successful cyber attack has the potential to cause the most damage. Organizations, in fact, need to start thinking like the “bad boys,” looking at the technologies from their standpoint and probing for all the possible ways someone can steal data or disrupt the network.
Organizations, in short, must take a holistic rather than a piecemeal approach when addressing their mobile solutions. This includes implementing multiple layers of security to provide redundancy in case any single security layer becomes compromised. Developing and implementing such an approach won’t happen overnight. That’s why the sooner such an initiative begins, the greater the odds that a disaster can be minimized or prevented.
