In Search of Secure Mobility Solutions
Organizations have to face the fact that mobile computing is so much a part of modern culture, both at work and at play, that providing security against all threats is more of a dream than a reality. Businesses are adapting to a Bring Your Own Device (BYOD) world because it has the potential to raise productivity and because a millennial workforce demands it, but the dangers are just beginning to be understood.
Rapid integration of mobile devices introduces new concerns to executives and managers over mobile device management. BYOD has several related alternatives including CYOD (choose your own device), COPE (company-owned personally enabled), and other sanctioned or non-sanctioned employee use of mobile technologies. Balancing employee expectations and their need to access networks with effective security measures is not easy, especially given the growing sophistication of cyber thieves and hackers. A few of the security issues that appear common to most organizations are offered below.
Common Mobile Security Concerns
1. Workforce Blind Spots – Many mobile users, whether on iOS, Android, or another OS, assume that the default settings provide adequate security against most threats. In fact, it is the responsibility of the user to reconfigure their device to enable tighter security provisions. At close range, a mid-level hacker can break into a device and within seconds, copy everything on it (including important company info), or insert malware that enables them to steal the data later.
2. Careless Use – With mobile devices, size matters. The fact that they are lightweight and portable is part of what makes them so convenient and attractive to users. Because they are small, they are also easily lost – left in hotel rooms, the back of airline seats or taxicabs, etc. They are also easily stolen by thieves with sticky fingers who troll airports and other public places. To hackers, physical access is the holy grail of opportunity. Experienced cyber thieves can quickly circumvent passwords, break into encrypted data and even retrieve company information the owner has attempted to erase.
3. Sneak Attacks – Mobile devices are not immune to entry via malicious code. At present, spam, “weaponized links” on social networking sites, deceptive applications and “malvertising” (invasive mobile ads) can pose a threat.
4. Botched BOTS – Attacks can be directly targeted to a device. Mobile devices are vulnerable to browser-based attacks and buffer overflow exploits, typically through a short message service (SMS) entry or through a multimedia messaging service (MMS) avenue.
5. Looking for the Man in the Middle – Smart phones and tablets can suffer from the same exposure as other Wi-Fi enabled devices. Wireless networks are easily hacked using technology readily available online. The result? Man-in-the-Middle (MITM) attacks are barely a challenge to an experienced hacker. Using Wi-Fi and cellular data protocols, hackers can tune in to your data transmissions or web-based emails. Employees who use free Wi-Fi may inadvertently open the door to your entire company database.
6. Malicious Malcontents – Employees may intentionally open the door to hackers. Savvy miscreants can turn their smart phone into a device that diverts data to a secure digital flash memory card, downloads sensitive data and/or sends it to the competition or other unauthorized users.
The Productivity vs Security Tradeoff
The main technical challenge for organizations is figuring out how to allow convenient and secure mobility solutions on any device without hampering productivity or causing a big hassle for end users. While there is no blanket solution to cover all vulnerabilities, there are many technical solutions that can be used to protect against cyber attacks. From a strategy standpoint, a shift in procedures and policies can be the best way to enhance security. Recommended solutions include:
- Developing an organization-wide mobile device security policy that explicitly spells out the rules on how mobile devices are to be used
- Requiring all employees to receive mobile device security training
- Establishing a plan of implementation
- Conducting periodic revisions in risk assessment to match the changing attack climate
- Spot checking usage to ensure that people are in compliance with the mobile device policy
As security issues for mobility continue to develop and take shape, the only lasting protection will be a proactive approach to finding vulnerabilities and addressing them before the worst happens.