Why Mobile Security is So Tough — and How to Make It Easier
There was a time when employees would receive a locked-down company laptop preloaded only with the software required for work — and few options to install anything. How times have changed.
Back in 2012, TechCrunch found that 66% of employees use two or more devices at work. Two-thirds is surprising only because it's not the 100% you'd expect. Six years later, employees are certainly using their mobile devices at work — perhaps even for business-related tasks.
Following this trend, companies are opening up their networks and their data to mobile devices, both personal and company-owned. It's not just about securing the company-issued laptop, anymore. Security professionals are increasingly concerned with the difficulty of protecting their networks and data against vectors targeting end users and their mobile devices.
In order to make mobile security easier, policies and management practices need to be implemented before security fire drills need to happen.
Barriers to Success
At a first glance, securing might seem like a lot of work. But specific aspects should be considered when implementing mobile security solutions for personal and company-issued devices:
All platforms need support. It'd be really nice if everyone had the same type of cell phone, but that's spoiling for a fight. Statistically, you probably have an even split between diehard iDevice users, and voracious Android fans. In the middle, there are even a few mobile Windows users who are not Microsoft employees. Thinking about convincing one camp to switch personal and work platforms to ease administration? You might as well try to convert Obi-Wan to the dark side, while you're at it. In reality, you'll have twice as many devices because they'll have their work phone and personal phone.
Commingling of business and personal activities. Privacy issues surface when an employer tries to assume full control over an employee's devices in any capacity. Considering the possible consequences, does any business want insight to their employees' personal (and potentially sensitive) data?
It's impossible to vet the full range of available apps. With over 3.3 million apps on the Google Play store alone, it's impossible to regulate what gets installed on a mobile device. We also can't trust app stores to vet all apps themselves, despite their assurances of safety. Ask users of Apple devices infected with XcodeGhost how well that worked out for them.
Physical security of the device. It's much easier for a thief to lift a cell phone than a laptop. To make matters worse, mobile users are often not the most diligent about their device security. How does IT deal with a lost or stolen device, knowing it's only a matter of time before a hacker could access its data?
Users connecting via insecure networks. The potential for network eavesdropping has never been higher. Public wifi hotspots and lax device settings combine to make a recipe for a security disaster. When confronted with hotspot options "Airport_Wifi" and "Airport_Wifi_1", who's to know which is legit and which one is the evil twin?
How severe are these challenges to information security? Check Point compiled statistics from leading corporations — and the results aren't encouraging. According to their research, 20 percent of companies have already experienced a mobile cyber attack. Worse, 24 percent of companies said that they are unsure if they have suffered a mobile breach. Ignorance is not bliss when it comes to mobile breaches.
Yet, organizations still expect IT pros to create a secure environment for mobile devices. They need to be cognizant of the layers of security in place between device and server. They also need to be able to take action against unauthorized access of devices.
With this new "anything goes" approach to tech in the office, throwing in the towel sounds pretty good. But solutions have emerged that manage most of the complexities. IT pros now can tame the mobile beast through a combination of policies and non-intrusive device management.
IT departments need to lay out expectations for employees to keep their devices secure. It's common to require employees to sign agreements that outline usage expectations before they connect to company networks. Specifics will vary by business, but there are general areas that all BYOD mobile policies should address:
Maintain physical security at all times. Users should always secure devices and keep them in a safe place when not in use. In other words, leaving their phone on the table when they go to the salad bar is not okay.
Digitally lock devices. Keep devices protected with a password, fingerprint, or pattern when not in use. Two-factor authentication is required by more organizations and can take digital locking to the next level. "Swipe To Unlock" doesn't cut it anymore.
Installing, enabling, and updating specific security management software. Bad things happen when you don't install security software. And not updating it regularly can be just as detrimental. Make this an expectation, not a recommendation.
Report lost or stolen devices to IT. Require users to report lost or stolen devices immediately. Prompt reporting gives IT pros opportunities to wipe company data and deauthorize devices. Hopefully, before hackers gain access to systems.
There are sample mobile policy documents available on the web. One of the most comprehensive is the Wisegate IT Sample Corporate Mobile Device Acceptable Use and Security Policy. See pages 5-9 for the end-user policy, and simplify as necessary for non-technical employees. In addition to making sure they read the policy, you want your employees to understand it, too.
All About Mobile Device Management
The go-to solution for many companies is providing company-issued phones. But giving employees devices they are expected to carry and use along with their personal devices introduces a host of personal rights and privacy issues. Which types of data can employers monitor? Can employers brick a device or wipe it clean without warning? The possibilities lead many employees to fear the worst.
However, new tools allow for secure work usage on personal devices. Mobile Device Management (MDM) software cuts through the platform and personal rights quagmires. The softwares provide policy- and configuration management tools that are coupled with a management overlay for applications. With MDM software in their pockets, IT pros can now focus on secure information delivery without getting bogged down in trivialities.
MDM optimizes the functionality and security of mobile communications on a network while minimizing cost and downtime. Vendors have been quick to spot this new opportunity, and today there at least 20 mature MDM systems on the market. Even phone manufacturers are getting in on the action with the introduction of Samsung Knox. And while Knox serves as a great starting point, most businesses likely need to add something more robust and cross-platform.
Which solution you choose will depend on your current vendor affiliations. Most MDM solutions out there tick the same list of necessities. Some of the most recommended MDM systems at the enterprise level include VMware AirWatch, Citrix XenMobile, IBM MaaS360, and Microsoft Intune.
What Does MDM Do For Us?
MDM is not just about company-issued devices. It's also more than BYOD. MDM software is for all mobile devices, personal or work. It even encompasses devices owned by consumers used on the network.
Most MDM solutions complete a similar set of tasks to keep all mobile devices safe. Here's a look at the most common ones and how they work:
Simple activation for new devices on the corporate network. MDM certificates allow only enrolled devices access to company systems. The employee must read and agree to the company BYOD Policy before activating a certificate for a personal device. Many system policies can be checked before activation, as well.
Containerize work apps from the private use of a device. Containerization manages the work use aspects of the device without accessing private apps. This function protects workers' privacy. You can emphasize this in a BYOD policy and clarify it to employees who are reluctant to install the MDM client.
Encrypt company data stored on the device. Corporations with sensitive business data should really mandate encryption on all devices used for company work to help protect data from espionage. Attackers will have a very tough time accessing data (including email accounts and sensitive phone contacts) without your encryption key.
Installing only vetted apps within the work environment. Many MDM solutions ship with a suite of reputable and trusted business applications to maintain a more secure environment.
Per-app VPN. Rather than force all device data to route through the corporate virtual private network, configure devices to only use the VPN for business applications. Personal use of the device utilizes standard network connections.
Secure single sign-on (SSO) for all company apps. Reduce phishing hacks and password fatigue with the use of single sign-on solutions such as LastPass. Single sign-on solutions allow organizational logins to access required data, giving verified employees easier access to the accounts they need.
Dealing with lost or stolen devices. Many MDM systems allow employees to access a self-help system that enables them to locate their lost device (without involving IT). Remote locking or company data and application wiping can also be useful if an employee reports a missing device that is showing unauthorized access.
You can oversee a set of devices with transparent support for all common platforms and OS versions from a single management console. You can manage device-specific security features such as encryption on the device or SD Card, password policies, or Samsung Knox from the console. You can now breathe a sigh of relief!
Companies often learn the hard way that implementing comprehensive mobile device security is far more affordable than dealing with the aftermath of breaches. Currently, the average firm is losing more than $15 million per year to cyber attacks.
With a 40 percent year-to-year rise in cyber attacks targeting mobile devices, it makes sense to explore the latest methods of securing access from mobile devices before a reputation-tarnishing breach affects your organization. Securing mobile devices is not simple, and that's why a lot of companies don't do it or don't enforce policies. But preventative measures will save your organization in the long run and are much easier to get ahead on considering the potentially dangerous alternative.