Mobile is the new endpoint in IT. Here is how to protect mobile devices and data.
Getting the job done using mobile devices as you move around has brought many benefits and improved productivity to organisations in the Middle East. However, at the same time, it has also exposed these organisations to a wide range of risks.
Every year, millions of mobile devices are lost, stolen or discarded with personal information still in device memory. Loss of a mobile device that holds personal identity and network access credentials puts an organisation at risk of unauthorised network access and data breach.
The results from the Cisco Connected World-International Mobile Security survey show that while most employees are aware of the risks that mobility presents to enterprise security, most still report engaging in risky behaviour when using their mobile devices.
In fact, 26 percent of respondents from the total survey sample said they take more risks with company-issued devices than their personal devices. The reason, according to those who reported being bolder with online behaviour when using a company-issued device, is the belief that IT will provide support if something goes wrong. This attitude likely includes the belief that current threat defense software will help to provide protection.
“As employees demand more freedom and flexibility with regard to mobile device use at work and consumer devices provide an increasingly cost-effective and attractive way to keep employees engaged and productive, IT must remain vigilant about ensuring an appropriate experience and protecting the network and corporate intellectual property,” says Scott Manson, Cyber Security Leader, Cisco.
To develop an effective mobile security strategy, it is essential to understand an organisation’s mobile security risk profile and the new type of threats.
“Mobile devices continue to emerge as a new threat vector. It’s been 10 years since the arrival of the first mobile malware in 2004, but it is only within the past few years that it has become a true threat to end users. Indeed, the rapid growth in smartphone and tablet usage over the past two years has led to the inevitable rise in targeting of these devices by cybercriminals. In just the first six months of 2015, Sophos Labs discovered 610,389 new Android malware samples, bringing the total to approximately 1.9 million,” says Harish Chib, VP, Middle East and Africa, Sophos.
Bilal Baig, System Engineering Manager, Trend Micro, says cybercriminals globally have ramped up their attack on mobile devices, and ransomware is one of the main threats.
“We did see a similar trend a few years back, but that was basic and simple; today the attacks on mobile devices have really intensified, given their widespread use in homes, government, and the corporate environment. There is also a rise in compromised/malware applications, which are showing up in trusted vendor app stores. We are definitely seeing a very large increase in malicious and high-risk mobile apps, mainly within the Android ecosystem,” he says.
Mathivanan Venkatachalam, Director, Product Management, ManageEngine, agrees that infiltration through apps is one of the key threats that we need to consider this year. Loosely built or vulnerable apps sometimes behave as backdoors for hackers who can enter devices or even the network and take control. As most apps store some amount of the device owners’ personal or official information, this gives attackers access to enterprise data, leading to infamous “man in the middle” enterprise attacks.
To fully determine an organisation’s mobile security posture, a comprehensive security assessment against an organisation’s specific business environment is needed. The fundamental questions include:
- What are the corporate mobile data assets that require protection?
- What corporate data systems do mobile employees access, and how and where?
- How are mobile devices being used, protected and managed?
- Do employees know the procedures for responding to an incident?
“Firstly, educate users on mobile security risks and ask them to exercise caution and ensure responsible mobile usage. A lot of users are often found missing out on even the most basic tips like using stronger passwords. Secondly, users should be careful while accessing corporate data from free over-the-air networks like the ones you get at an airport or in a coffee-shop. This runs the risk of exposing company data to malicious users sniffing the wireless traffic on the same access point. It is advisable to enforce acceptable mobile usage policies, such as providing VPN technology, which requires that users connect through these secure tunnels,” says Chib from Sophos.
Manson from Cisco says enterprises need comprehensive visibility over their entire mobile data ecosystem – the device, the app, the network, etc. – and not just a device-level solution.
“Data on the device is only half of the mobile security challenge – data migration to the cloud being the other half. Enterprises need a mobile security platform that not only protects data everywhere, but also empowers users with the apps and devices that they want to use. With a comprehensive solution organisations will have the necessary visibility, control and threat intelligence to deliver on a comprehensive mobile security strategy,” he adds.
Besides enforcing the baseline security configuration for all devices, industry experts say companies should extend encryption and authentication to mobile devices as well.
“Organisations must have a way to enforce sound security policies, like strong passwords, authentication procedures and lockouts. When a device is forced to lock out, the data must be encrypted. The data on mobile devices is unencrypted (and absolutely unprotected) when the device is successfully authenticated,” says Amit Parbhucharan, General Manager, Beachhead Solutions.
Sophos also promotes the idea of extending encryption to mobile devices, to enable a more holistic mobile security strategy. “The task of enterprise mobile security really boils down to three basic needs. Firstly, it’s about protecting the user and device; secondly, it’s about protecting access to the enterprise network and finally, defending enterprise data,” says Chib.
Ghareeb Saad, Senior Security Researcher, Kaspersky Lab, says Mobile Device Management (MDM) should also be the cornerstone of a mobile security strategy, supported by employee education.
“To reduce the complexities that arise from BYOD, Mobile Device Management (MDM) needs to be one of the pillars of a mobile security strategy implemented by organisations. By enabling MDM functions, it is easier to deploy unified mobile security policies and grasp more visibility through a single management console and ensure the security of an organisation isn’t compromised,” he says.
Dimitris Raekos, General Manager, ESET Middle East, agrees: “MDM provides deploying, securing, monitoring and managing mobile devices from smartphones, tablets and laptops used in the workplace. Simultaneously protecting the corporate network, MDM also optimises the functionality and security of mobile devices within the enterprise as well as controls and protects the data and configuration settings for all mobile devices in a network. It also supports lowering costs and business security risks.”
With the rise of unsecured applications across mobile devices, MDM is very important in managing the apps that are on each device. Through MDM, you can also block and remove rogue apps on devices to reduce the risk of dangerous mobile malware.
Marc Hanne, Director of Sales, Identity Assurance, HID Global, adds that security administrators and IT directors will need to review which technologies allow them to best engage with their employees to create an optimal access experience, while ensuring security is maintained. IT managers looking for a solution to these security risks need to examine the prospect of implementing a strong two- or multi-factor authentication solution for mobile access to networks and data. “These techniques significantly reduce the risk of data breaches, while also giving employees complete flexibility to be as productive as possible, by utilising additional factors to establish a user’s identity,” he says.
Increased mobility may have led to some incredible advances for businesses, but if you don’t take proper steps and put in place risk control processes, it could lead to catastrophic security issues. It is also important to remember that it doesn’t end with the organisation. The business and employees both need to do their part to ensure best practices are followed and education is provided to spread awareness.