Mobile Security for Business in a Consumerized World
Are personal devices driving your business’ security policies and procedures? Working in data security used to be easy (no it wasn’t)…
but with employees supplying their own data-sharing devices, there is an increasing need for data security experts to move into a teaching role and shore up the weakest link: the employees themselves.
So you’ve implemented your security protocols and done the following:
- Tightened down your workstations, servers and firewalls.
- Installed and updated the latest and greatest antivirus enterprise-level anti-malware.
- Consistently checked your security systems to guard against attacks in real time.
You are ready for anything!
That’s when Mr. Corporate Executive CEO informs you that the entire marketing team needs access to their contact lists and email on their smartphones. He makes a valid point that employees can be more productive if they have access to their data on the fly, wherever they are, at any given moment. So now you face the single biggest threat to your security model: the user whose data you are trying to protect.
So what can you do? One employee has an iPhone, one has a Droid, one has a Blackberry, and at that point it doesn’t even matter what the rest have because you are going to have to know all of the security features and vulnerabilities of each phone. It can seem overwhelming, but as with any problem a solution exists if we can simplify it a bit.
Ultimately there are three primary threats to protect against:
- Malware
- Device loss
- End-user workarounds
The obvious concern is, of course, malware. Overcoming this is not as easy as installing antivirus software on all workstations and blocking all emails that come with an attachment. End users now open their business emails on their personal smartphones and tablets—and even on their own laptop computers on non-secure wireless hotspots at coffee shops, hotels, etc.
Even if the enterprise has its antivirus software up to date, the threat of contracting a zero-day threat has just increased dramatically, due to the number of non-secure access points that have been created. Malware often comes in the form of mindless entertainment (games) or necessary upgrades, which can be especially pernicious because your end users have no idea that in downloading a security patch they invited the malware into the system.
Also, each device has its own unique vulnerability that makes it susceptible to a hack attack, and the opportunity for criminal activity increases when your end user syncs his or her data device with a home computer (which may already be compromised).
You’ll always have that coworker who stores his valuable contact list on his smartphone and drops it down a drainpipe or in the ocean… well, in those cases Jack Handey said it best, "If you ever drop your keys into a river of molten lava, let ‘em go, because man, they are gone." Luckily, a decent data recovery procedure could prevent this from being a catastrophe—provided your fellow employees remember to sync up regularly.
If the device is stolen there could be a larger problem, especially if it falls into the hands of an unscrupulous competitor. It’s not necessary to take the phone itself; if the data is stored on a memory card, it could be replaced with a blank one and many end users would not even know what hit them. They would probably chalk it up to passing too close to a magnet.
We all have the end user who sets up a rule to automatically forward every email to her Gmail account. Maybe there are some people who set up remote access software on their work computers so they can access them from home or out of town. Criminals are much more satisfied with finding a back door left open by an employee than going through the hassle of forcing a door open themselves. It’s also harder for IT to catch this type of exploit, because intentional or not it’s an "inside job."
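The auto-forwarding rule described above is one of the easier "inside jobs" to catch if you periodically audit mailbox rules. The following is an added example, not from the original article: it scans a constructed export of inbox rules (the record format is hypothetical, not that of any particular mail platform) and flags any forward or redirect rule whose target lies outside the corporate domains, including disabled rules, since those can be re-enabled at any time.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of mailbox inbox rules, in the shape an admin export
# might give us. Hypothetical format and addresses, not real data.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Backup to personal",
     "action": "forward", "targets": ["Alice Smith <alice.s@gmail.com>"], "enabled": True},
    {"mailbox": "bob@example.com", "name": "Route to assistant",
     "action": "forward", "targets": ["carol@example.com"], "enabled": True},
    {"mailbox": "dave@example.com", "name": "Old rule",
     "action": "redirect", "targets": ["dave.home@outlook.com"], "enabled": False},
    {"mailbox": "erin@example.com", "name": "File vendor mail",
     "action": "move", "targets": ["Vendors"], "enabled": True},
    {"mailbox": "frank@example.com", "name": "Mirror to subsidiary",
     "action": "forward", "targets": ["frank@sub.example.com"], "enabled": True},
]

# Domains we consider "inside the company" (assumed for this example).
CORPORATE_DOMAINS: Set[str] = {"example.com"}

# Rule actions that send a copy of mail somewhere else.
FORWARDING_ACTIONS = {"forward", "redirect", "forward_as_attachment"}

# Pulls the domain out of a bare address or a "Display Name <addr>" form.
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    mailbox: str
    rule_name: str
    target: str
    enabled: bool


def extract_domain(target: str) -> Optional[str]:
    """Return the lower-cased domain of the first address in `target`, or None."""
    match = ADDR_RE.search(target)
    return match.group(1).lower() if match else None


def is_internal(domain: str, corporate_domains: Set[str]) -> bool:
    """True if `domain` is a corporate domain or a subdomain of one."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in corporate_domains)


def find_external_forwarding(rules, corporate_domains: Set[str] = CORPORATE_DOMAINS,
                             include_disabled: bool = True) -> List[Finding]:
    """Flag every forward/redirect target that is not provably internal.

    A target with no parseable address (e.g. a bare contact name) is also
    flagged, because we cannot show it stays inside the company.
    """
    findings: List[Finding] = []
    for rule in rules:
        if rule["action"].lower() not in FORWARDING_ACTIONS:
            continue  # moves, flags, categories etc. do not leak mail
        enabled = bool(rule.get("enabled", True))
        if not enabled and not include_disabled:
            continue
        for target in rule["targets"]:
            domain = extract_domain(target)
            if domain is None or not is_internal(domain, corporate_domains):
                findings.append(Finding(rule["mailbox"], rule["name"], target, enabled))
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_RULES):
        state = "enabled" if f.enabled else "DISABLED"
        print(f"{f.mailbox}: rule '{f.rule_name}' forwards to {f.target} ({state})")
```

Subdomains of a corporate domain are treated as internal, so a forward to a subsidiary is not reported, while a personal webmail address is reported whether or not the rule is currently enabled. Running this over a real export would simply mean replacing the constructed list with the platform's rule records.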
The obvious solution to stop all of these threats would be to disallow any and all equipment that is not company approved, block all but the necessary web applications and routinely drop the Internet connection every five minutes. It comes down to the age-old security question, "Do you want functionality or security?" Because any security expert will tell you, you can’t have both.
So assume your end users do want both. There is a compromise that can be reached. There are a few things we can do to harden the security of individual users’ devices, but for the most part it is going to come down to educating the end user on common-sense security steps:
- Teach your employees to be aware of all possible threats—to not open an attachment unless they know what it is and where it is from, and to go directly to a website by typing in its URL rather than clicking on a link in an email or text message.
- Make sure to encrypt company data stored on employee-owned devices.
- Only allow employees to use mobile devices that can be erased remotely.
- Routinely check all devices connecting to the corporate network to make certain they meet standards regarding antivirus, software updates, service packs, firewall settings and so forth.
- Use virtual desktop software to help isolate the company data. Instead of downloading the data to the end user’s laptop, connect the end user’s laptop to the data and work on it on the server.
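The encryption, remote-wipe and "routinely check all devices" points in the list above amount to an admission check that runs before a device touches corporate data. The following is an added example, not code from the article: it evaluates constructed device posture records against a policy (minimum OS version per platform, maximum age of antivirus definitions, required firewall, storage encryption and remote-wipe enrolment) and returns the list of reasons a device fails, so the decision is explainable to the user being turned away. The policy values and device records are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datasets import date, timedelta
from typing import Dict, List, Tuple
```
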
It would seem with the continuing trend of consumerization, employees have been placed in the driver’s seat. Now it’s time IT professionals taught them the rules of the road.
By Nathan Darling