BYOD? OMG! Things Move Fast in Mobile Security
Critical steps to secure your company’s data and information…
For most business leaders in 2016, work is driven by the digital transformations taking place across the globe. Systems and processes are digitized, automated and made possible by computers, the cloud and, of course, mobile platforms. But for all the good that technology provides businesses of all sizes, a significant part of your business, the part that now lives on employees' phones and tablets, lies exposed and unprotected.
The quiet shift toward depending on mobile devices to get our work done was shaped by the flood of “bring your own device” (BYOD) hardware and an absence of proactive technology policies and practices. Even in companies that were forward-thinking enough to plan, procure and provision devices and systems for their employees, the myriad ways people would use these technologies could not have been accurately forecast. The mobile transformation has been very fluid, creating productivity where there was none, yet at the same time shining a light on information risk and data leakage through the new apps, services and tools popping up every week.
The desktop computer’s lengthy rise to become the dominant workplace productivity platform in the 1990s was, by comparison, a controlled process: its slow adoption gave enterprise IT teams time to plan for device and data security, and it was built on the premise that the enterprise would secure and protect the devices and the precious data on them. This gave rise to many cottage industries: virtual private networks (VPNs), antivirus, antimalware, firewalls and many more. Most of those tools, however, were designed for managed desktops and do little to secure the newest members of a company’s technology portfolio: smartphones and tablets. So how do we mitigate the security risks of these devices?
Start with Education
Employing software and device configuration tools is one way businesses can protect their digital assets, but most businesses also include some amount of Internet security awareness (ISA) and safe-computing training in their employee training programs. This is especially true of businesses with significant safety, compliance or regulatory obligations, such as healthcare organizations, NGOs, nonprofits and some manufacturing and food-production corporations. Among the regulations that drive the decision to provide ISA training are HIPAA, Sarbanes-Oxley (SOX) and PCI DSS.
Medium and large businesses, especially, are common users of this type of curriculum, and because it is not industry-specific, the content can be bought off the shelf for about $10 per user. That low cost is a no-brainer, in my opinion, and can lead to dramatic savings when you consider the risk of having uneducated users on internet-connected devices throughout the workday. Typical topics in ISA courseware include the following:
- How to protect sensitive information on computer systems, including password policies;
- Broader security topics, such as spam, malware, phishing, social engineering and human factors; and
- Risks associated with failure to protect company data, including disciplinary action, financial consequences to the business, personal information damage and identity theft, and potential civil and criminal penalties with lack of compliance.
As common and valuable as these training tools are for desktop computers, the thought of deploying a similar set of training materials for mobile devices is virtually unheard of. This must change if companies are going to protect these mobile devices and the data that is on them. As important as ISA training is for your business, mobile security awareness (MSA) is just as important.
Tools Can Help Close the Gap
ZDNet reports that companies spend about nine percent of their IT budget on security. According to Gartner, businesses spent $76.9 billion on cybersecurity in 2015, or about $381 per employee. Mobile is a growing portion of that spend, but it is still a very small chunk overall.
Some commonly purchased software and services in IT security include:
- Server-side security (authentication systems) and VPN;
- Antivirus and antimalware; and
- Firewalls and proxy servers.
How many of the systems in play at your organization are fully compatible with, or even support, your mobile workforce? How many of your mobile users who access company data on these devices actually use those systems consistently to ensure end-to-end security? The answer will probably be disheartening, but it can be remedied. Start by looking at usage patterns in your company and being honest about how your workforce uses mobile to get work done.
You must realize a few things before you can start to address the issues:
- Employees use their devices to access and use both company and personal resources.
- Personal and work sites and datasets often co-mingle on these devices.
- These devices are pocket computers and should be treated as such.
Educate your team on how to securely configure, use and maintain their devices. You must provide tools for your team that help them understand the threats they may be susceptible to, and assist them in reconfiguring their devices to increase the overall security profile of your organization.
Mobile Threats: Real and Growing
Many of today’s headlines about technology security are devoted to passwords and accounts being hacked and cracked at online services and ecommerce providers. Mobile users are not immune; the threats are real and growing. For instance, the 2016 Global State of Information Security Survey found a 38-percent increase in security incidents in 2015 compared to 2014. Many of the attack vectors are unique to mobile, and because so many of us are new to mobile, we may not be familiar with them. They fall into three groups: hardware, software and human factors (also known as social engineering).
Hardware attacks in the mobile world are unique because of the new, non-computer-like ways these devices interact with the world around them. “Juice jacking,” for example, is an attack in which a user plugs a device into what looks like a public charging port, but instead of just getting enough power to make it through the next meeting, the device is connected to a modified charger, cable or kiosk that uses the USB data lines to deliver malware or pull data while it charges. To protect yourself, always bring your own charger and plug it into a wall outlet. If you must use an unfamiliar USB port, use a charge-only (“data blocker”) cable or adapter, and decline any prompt to trust the connected computer or to expose your phone as a USB storage device.
Beyond stray USB connections, your devices are subject to connectivity threats of all kinds, from unsecured Wi-Fi to Bluetooth attacks, as well as a more recent and dangerous development: malware delivered through media messaging (MMS and similar apps), where a malformed image, GIF or video exploits a bug in the device’s media-parsing code as soon as the message is processed, sometimes before the user has even opened it. Voice calls and texts that impersonate a virus scan, or that ask you to reply, call back or open an emailed link, have also emerged (though they fit better under social engineering than under hardware attacks). Don’t tap on links or use any promo codes sent to you by unknown senders.
Remember that these devices are computers, and they run software: apps! Those apps depend on Internet services to function and deliver value. But not all apps are created equal, and some may harm your devices, whether by accident or by design. One way to keep a device secure is to install apps only from trusted sources: app stores you know, reputable developers, and apps that have been reviewed and tested. Android has historically borne the brunt of this problem, partly because it allows apps to be installed from outside the official store: in 2012, 99 percent of all mobile malware detected by Kaspersky Lab targeted Android users. Whatever the platform, a known store is not a guarantee, so look at the permissions an app requests before installing it.
Apps aren’t the only dangerous software out there. Websites have also been known to distribute malware, and web attacks such as cross-site scripting (XSS) target the mobile browser and the logged-in sessions it holds just as they do on a desktop. At a lower level, the operating system’s own protections can be stripped away if you choose to “root” an Android device, “jailbreak” an iOS device or install an unofficial build of the OS; doing so removes the sandboxing and code-signing checks that keep apps contained and lets untrusted code run with full privileges. Bottom line with those paths: don’t do it!
It doesn’t stop with technology. The weakest link in security is—and always has been—the humans using the devices. Bad usage practices and poor choices lead to the biggest gaps in security in desktops, and the same is true in mobile, perhaps even more so.
Using mobile devices in public spaces, where people can look over your shoulder at your screen and sniff your traffic over rogue or unencrypted Wi-Fi, is a surefire way to invite identity theft. A good rule to protect yourself: “Would I be willing to have anyone in this room or space look at my screen and see what I’m doing, what passwords I’m typing in, what financial details I’m disclosing?” If the answer is no, hold off until you are somewhere the answer is yes before paying your bills, buying that pair of shoes online or sending address details to a friend. Another dimension to consider is your social footprint and the details you share when updating statuses, posting photos or tweeting about your dinners. Doing so likely discloses location data and timestamps that could tell someone quite a bit about you: where you are, who you know and who you talk to.
The easiest step of all? Enable the passcode feature on your device and set a short lock timeout, so that if it is lost or misplaced, an unknown individual cannot get at its data. Related to that, most devices now offer a location service that lets you not only find a lost device but also lock it or remotely wipe it, so the only thing you lose is the device and not your identity data. Further, grant apps only the lowest level of permissions needed for you to get value from them. Don’t need to share your location with a photo-sharing app? Then don’t give it to the app in the first place.
Mobile Threats are Manageable
This may all sound like doom and gloom, but don’t turn that phone off and put it in a drawer just yet. Mobile threats are manageable through corporate education programs and some simple configuration choices that users can make to help keep their data safe.
There are emerging software tools out there to help your company keep your BYOD’ers out of trouble, and even shore up the security landscape for company-purchased devices. Start looking for educational options and reviewing the apps and tools out there. It’s likely you’ll find something that slots into your mobile strategy with a minimum amount of friction. The goal is to keep on going mobile, but do so safely! iBi
Chad Udell is Managing Director at Float, located in Morton, Illinois. Float’s Security Assistant application educates and assists with secure device usage and configuration, and it is available for iOS and Android devices. Call 877-90-FLOAT for more information on securing mobile users at your business.