When it comes to bring-your-own-device (BYOD) and mobile security, organizations are often shortsighted, focusing only on protecting corporate data stored on mobile devices. This narrow view prevents information technology and security professionals from responding to incidents effectively.
Organizations need to expand their mobile worldview to include data leakage, insider threats, and mobile malware and develop incident response plans that consider mobile devices, according to the latest report from GigaOm Research, released Tuesday.
They need to be able to see what is happening across mobile devices, detect security incidents, and resolve incidents effectively, all things that mobile device management systems are not designed to handle. Along with improved incident response, organizations need to beef up their forensics capabilities to extract valuable data from mobile devices in the case of a security incident, the report suggested.
“With the increase in mobile incidents, complicated by the sheer volume and diversity of devices and terabytes of data, security solutions with visibility and capabilities to detect and resolve incidents are in dire need,” wrote the report’s author Michael Finneran.
Some of the biggest challenges facing organizations center around the collection of data on mobile devices and analyzing the data, which can be time- and resource-consuming, Lee Reiber, vice-president of mobile forensics at AccessData, told SecurityWeek. The GigaOm Research report was commissioned by AccessData, which is working on a mobile forensics tool designed to help with incident response.
“Our advice is for companies to implement security plans and enterprise technologies that incorporate proactive mobile prevention, detection and response, to gain greater visibility and control of their mobile data and devices,” Reiber said.
Not Understanding the Risks
Information technology and security teams failed to grasp the extent of security exposure organizations face as employees moved away from using BlackBerry devices in favor of less secure mobile devices, the report found. And the actions they took because of that misunderstanding have proven insufficient to protect the organization in the case of an incident.
Many organizations are “taking virtually no steps” to ensure that mobile devices accessing corporate data are actually secure, according to the report. Even worse, few organizations have procedures and plans in place for a “meaningful response” in case of a security incident. The report cited a recent InformationWeek survey where 83 percent of respondents said their organizations supported BYOD, or were in the process of developing a program. That survey also found that less than half, or 46 percent, of those organizations required employees to run an MDM client. Even more worrying, 43 percent of those organizations trusted users to follow published guidelines and did not enforce the rules, a practice the report called, “a rather questionable approach to data security.”
Many organizations “rely too heavily” on MDM and MAM systems when MDM should only be one part of a comprehensive security plan, Finneran warned. A bigger issue is that MDM may be giving IT departments a false sense of security because they think they are taking all the necessary preparations to secure mobile devices and corporate data.
Focus on Incident Response
Data protection is never 100 percent effective, and security teams need to be able to detect and respond to incidents quickly, the report said. Even if mobile devices are involved, the incident may be detected through routine monitoring of system logs and intrusion detection systems, alerts from traditional endpoint threat detection mechanisms, or notifications from third parties such as law enforcement. This is why overall incident response plans have to be expanded to consider mobile, the report said.
“If one does not exist, organizations should immediately set about developing a written mobility policy that spells out the rules, roles and user responsibilities with regard to mobile devices that can access corporate systems,” Finneran wrote in the report. The underlying plan should cover security, prevention, detection, and response in relation to mobile devices. “Particular attention should be paid to preparing for rapid incident detection and response, as virtually any system, fixed or mobile, can be compromised or experience a data leakage incident.”
The incident response plans also need to be practiced so that when a real incident occurs, the teams involved know what to do and can act quickly to resolve the situation.
A steering committee consisting of IT, information security, legal, human resources, and key business units should have oversight over the mobility policy and the incident response plan. The committee is also responsible for keeping C-level executives informed about security threats, the report said.
The report acknowledged that preventing security incidents is important, but organizations can’t ignore the importance of incident response and planning. The report concluded that “full featured integrated network and endpoint forensics, malware analysis, removable media monitoring, and endpoint event capture and replay capabilities are crucial to truly identify and resolve incidents fully and rapidly, thereby minimizing risk exposure.”