Editor’s Note: Welcome to our weekly Reader Forum section. In an attempt to broaden our interaction with our readers we have created this forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editors at: [email protected].
A 2011 McAfee survey entitled “Mobility and Security: Dazzling Opportunities, Profound Challenges” found that 63% of mobile devices accessing corporate networks are also used for personal activities. Thirty-two percent of respondents reported storing work-related address books, presentations, proposals, contracts, non-disclosure agreements and business plans on their personal smartphones. Given that these information assets are your business, what your employees do on their own time clearly is your business. This is particularly the case if that behavior opens the enterprise up to attack, theft, legal liabilities, regulatory fines or corporate espionage. While questions of security are certainly nothing new to the “consumerization of IT” conversation, the last few years have taught us much about how employees overlap these two worlds. We understand which behavior patterns present the greatest threats, and what management capabilities enterprise IT security teams need most to manage them. Unless these teams have a mobile security framework that easily asserts control over devices and vulnerabilities, mobile employee behavior and the schemes of cybercriminals could put the great potential of the mobile enterprise out of reach.
Consider the secret lives of Gina, Ted and Doug as examples of prominent behavior patterns that expose the enterprise to potential attacks.
Gina’s secret: Fun and games, dangerous downloads
Gina downloads a wide variety of personal mobile apps from a wide variety of sources. She also has the unfortunate habit of clicking on practically every link sent to her in e-mails and text messages. Worse, she jail-breaks her phone, disabling its built-in security features, to sidestep the annoying warnings about untrusted sites and unusual app behavior. Combined with juggling personal and work-related apps on the same device, this reckless behavior could put her company at risk. If infected with malware, her phone could allow the theft of sensitive information relating to business meetings, provide access to her professional e-mail, or compromise any corporate documents stored on the device.
Gina’s reckless behavior is all the more dangerous considering the increasing sophistication of the threats targeting her phone. For example, the recently discovered Android/Stiniter.A uses a root exploit to take control of a device, download additional malware, send premium text messages that run up phone charges, and send potentially sensitive information to attackers. Research from McAfee Labs found that such Android threats grew by 600% between July and December 2011. In just the first quarter of 2012, Android threats reached almost 7,000, with more than 8,000 overall in the McAfee Labs database.
Ted’s secret: When the professional is stored in the personal
Ted uses his personal tablet for both work and play. After hours, he visits high-traffic, semi-legitimate content sites and downloads pirated content. By frequenting such sites, he opens himself up to malware threats similar to those facing Gina. During business hours, Ted uses the same tablet to access company contracts and go-to-market plans through a drop-box service. If Ted were to use his laptop to access these company documents, his IT team could manage the exposure of company property through security policies that forbid and prevent dangerous behavior. They could also implement strong user authentication and encryption solutions to secure the access to and transfer of sensitive material.
But when Ted accesses company documents through his tablet, IT lacks the ability to assert these security measures or block any reckless behavior. His “work” files will be stored in the personal space in the device’s memory – next to his weekend photos, birthday videos and favorite music. These documents will be vulnerable to theft if his tablet is infected by malware or if he attempts to access or send documents through a rogue network connection.
Doug’s secret: Lost and unlocked
Doug has a poor track record with IT – he tends to lose his phone during business trips. If he were to lose his phone during an industry tradeshow, the device and the company data stored on it could fall into the hands of any number of competitors. But even if he loses it elsewhere, the mere exposure of employee, customer or partner information could place his organization in violation of any number of regulations, privacy contracts or confidentiality agreements. In most cases today, there is no way for IT teams to know what is on a lost device and no way to erase information from it.
It should come as no surprise that the McAfee “Mobility and Security” report also found that the greatest mobile security concerns among IT managers are indeed loss and theft. The research found that one in five devices is lost each year. Worse, more than half of all users surveyed admitted to not locking their devices. Simply put, beyond security, these factors are a compliance nightmare for IT and risk managers.
Building a mobile security management framework
Organizations can implement any number of security policies to inform and educate employees. Beyond policies and education, organizations would do well to implement a mobile security management framework that provides the following:
– Malware prevention: Given the wide variety of places offering downloads, measures for blocking and removing malicious applications are a critical component for protecting mobile devices from dangerous downloads.
– Data protection: Users and their IT teams should be able to know which data are being accessed by which applications, what those applications are doing with the data, and to whom they might be sending it outside of the organization. Solutions must be in place to enable the company to monitor and limit such activity. Policy-based mobile security can provide protection for stored corporate data, and two-factor authentication and public key infrastructure can secure the access to, transfer and storage of sensitive information.
– Device protection: Features such as lock and wipe can reduce the risk of valuable information being captured from lost or stolen devices. This addresses both the security and compliance concerns around missing phones and tablets.
– Automation and simplification: Ideally, organizations should enable users to self-service provision, as well as offer an enterprise app store with a list of approved and recommended applications that they can download easily.
– Policy enforcement: The right enterprise security implementations will support corporate security policies by allowing IT to block unauthorized, unsecured, and modified devices – such as Gina’s jail-broken smartphone – and help meet audit and reporting demands.
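To make the framework above concrete, here is an added example (not code from the article or from any McAfee product) of the policy-enforcement step: a device-posture record is evaluated against the five capabilities listed and mapped to a decision and a set of remediation actions. The device records, the persona names and the flagged package name are constructed sample data; real mobile-management products expose posture through their own APIs.

```python
# Added example: policy evaluation for mobile device posture (constructed data).
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample: package names the malware-prevention layer has flagged.
FLAGGED_APPS = {"com.example.stiniter"}  # hypothetical identifier, not a real package

@dataclass
class DevicePosture:
    device_id: str
    owner: str
    jailbroken: bool = False          # modified device (Gina)
    screen_lock: bool = True          # device lock enabled (Doug)
    storage_encrypted: bool = True    # work files protected at rest (Ted)
    reported_lost: bool = False       # owner or IT flagged the device as lost
    last_checkin: datetime = datetime(2012, 6, 1)
    apps: list = field(default_factory=list)

def evaluate(dev, now, max_silence=timedelta(days=7)):
    """Return (decision, reasons, actions) for one device.
    decision: 'allow', 'block' (no corporate access until remediated) or 'wipe'."""
    reasons, actions = [], []
    if dev.reported_lost:                       # lost device: lock and wipe first
        reasons.append("device reported lost")
        actions += ["remote_lock", "wipe_corporate_data", "revoke_credentials"]
        return "wipe", reasons, actions
    if dev.jailbroken:                          # policy enforcement: modified devices
        reasons.append("jailbroken/modified device")
        actions.append("block_corporate_access")
    bad = sorted(set(dev.apps) & FLAGGED_APPS)  # malware prevention
    if bad:
        reasons.append("flagged apps installed: " + ", ".join(bad))
        actions += ["block_corporate_access", "remove_apps:" + ",".join(bad)]
    if not dev.screen_lock:                     # device protection
        reasons.append("no screen lock")
        actions.append("require_screen_lock")
    if not dev.storage_encrypted:               # data protection
        reasons.append("storage not encrypted")
        actions.append("require_encryption")
    if now - dev.last_checkin > max_silence:    # posture cannot be verified
        reasons.append("posture unknown: no check-in for >%d days" % max_silence.days)
        actions.append("block_corporate_access")
    decision = "allow" if not reasons else "block"
    return decision, reasons, sorted(set(actions))
```

A compliant device that has checked in recently is allowed; every other finding blocks corporate access and lists the remediation, while a lost device short-circuits straight to lock and wipe.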
Mobile employees will continue to demand more and more from their professional and personal mobile lives. Devices will continue to present vulnerabilities along with a wealth of opportunities. What IT security professionals need is a mobile security management framework that provides a baseline degree of control over the real and potential chaos facing them. Such a framework should ideally integrate with existing management frameworks and support the organizational effort to maximize the productivity of employees while minimizing the risks they create. Keeping the fear of security threats at bay allows your IT staff to spend more time pondering what the mobile enterprise can truly do for your business.