This month, many organizations will face an influx of employees looking to access the enterprise network with their new iPads, BlackBerrys, 4G LTE smartphones and more. With these new devices come more opportunities for data breaches — and the compliance violations that go with them.
Will a mobile device security policy be able to handle it?
“It often starts with a CEO getting a holiday gift from the kids, then [he] walks into the IT manager’s office and says, ‘Hey I got this new cool device — put it on the network,’” said Dan Croft, CEO of Mission Critical Wireless LLC. “There seems to be some expectation that just because it’s a wireless device that IT is under some obligation to allow its connectivity to the enterprise data network, and clearly there are issues associated with that.”
“Securing Mobile Devices: Present and Future,” a whitepaper from McAfee Labs written by Igor Muttik, noted that there are many potential security issues related to mobile devices, due to their capabilities. These devices often carry personal data and are equipped with cameras, microphones and positioning devices — making them susceptible and attractive to hackers.
These traits create a variety of potential compliance violations, including the adherence to the Payment Card Industry Data Security Standard and the Sarbanes-Oxley and HIPAA acts, to name a few. Failing to protect your network against these potential compliance violations could lead to huge costs in the long run.
And don’t expect help from manufacturers: Due to the competitive pressure of the market, they frequently prioritize time-to-market concerns over security and may add core drivers and applications that are insufficiently tested, Muttik said.
“There will always be risks from just having a smartphone in your pocket, even if it is not connected,” Muttik said. “An example would be a smartphone’s ability to record and transmit audio — certain malicious programs can be used to silently snoop on sensitive conversations.”
Hackers could also potentially tap into corporate email and download corporate communications via these personal devices. More hackers are targeting specific organizations via this practice, and protecting the sensitive information available in these communications is a major factor in staying compliant.
As a result, a solid mobile device security and management program is necessary. Croft said a good place to start is simply knowing exactly what devices employees are using to connect to company networks.
“Clients have to know what’s on their network, and you’d be amazed how many times we talk to a potential client and they don’t even have a clue as to what devices have connectivity to their data network,” Croft said. “Just having that basic information is some of the first steps to take instead of it being the Wild West, where you have these devices roaming around the world connected to the data network.”
Croft insists that the biggest threats mobile devices pose to a company are not so much the James Bond espionage-type scenarios, but instead the fact that they’re mobile devices that fall out of pockets and briefcases all the time. If the wrong person finds a mobile device, a company is in a world of trouble if processes aren’t place to protect it.
Strictly enforcing minimal security requirements such as basic password protection is essential, Croft said, as is the ability to kill, wipe or lock a device at all times.
“The longer your device goes without a kill command being issued, the greater risk you have out there,” Croft said. “If you can’t do that with a certain device, that device should not be allowed on your network.”
Muttik suggests administrators take control over security settings of the mobile devices being used on the network, such as prohibiting devices without PINs or forcing the use of passwords.
But even then, employees need to be made aware of low-tech attacks like “shoulder-surfing” that can reveal four-digit PINs with “amazing ease,” Muttik said.
“Providing employees with company phones, or having some shared contribution arrangement, would make enforced security policies more acceptable for employees,” Muttik added.
CYOD rather than BYOD?
To assist with mobile device security, many companies are implementing “bring your own device” policies that establish a set of rules governing the IT department’s level of support for employee-owned PCs, smartphones and tablets. But instead of bringing your own device, Croft suggests a choose your own device policy may work better.
By providing employees with a list of acceptable devices for use on the network, IT establishes more control over their mobile security processes, he said.
“If there are other devices that people want on the network, companies need to have a painless process for them to be evaluated and to determine if they are safe for the network,” Croft said.
But Croft is quick to point out it isn’t just the device that IT needs to be concerned with: Just as important are the operating system and which applications to allow on the devices. A rogue app could tunnel back into the network and cause damage by accessing the company contact list and sending it to spammers, he said.
“There are so many opportunities for rogue applications in the mobility marketplace that an area that we advocate in a big way is that companies need to establish their own app store that is privately owned by the company,” Croft said. “Then those are the only apps that devices that are connected to their network are allowed to download.”
Muttik agreed, and recommended that mobile users disallow installation of applications from any location other than an approved marketplace to greatly reduce the chance of infection.
But, Muttik added, “the keys to the castle” currently remain in the hands of companies operating online app marketplaces. Although there are many other attack vectors, quality-filtering of apps posted to major marketplaces is a major factor affecting security, he said.
“In the future, we would like to see OS developers — one can also call them ‘app market makers’ as they all run major app markets — cultivate a deeper relationship with security companies as they can offer a wealth of knowledge and products to assist fighting digital threats,” Muttik said.
Stay ahead of the mobile market
Perhaps the smartest way to handle any new devices that employees will want to connect to the network is to stay proactive. Croft said it’s definitely not a secret when a “next big thing” device comes on the market.
He recommended that as soon as these new mobile devices are released, IT departments test them for security features before allowing them on the network.
“It’s not a three- to four-month test — you can generally take a device and conduct your own internal test within 72 hours and make a determination whether it meets security requirements and if it’s acceptable,” Croft said. “With each OS comes new features and functionality that may or may not pose a threat to a company.”
So despite the influx of mobile devices in the workplace following the holidays, companies should not despair when it comes to mobile device security — but, of course, stay vigilant. And this goes for the entire year, not just around the holidays, when new mobile devices might be most prevalent at your company.
“Personal devices in the workplace only create a problem if they are not subjected to sensible security policies,” Muttik said. “It is relatively easy for IT administrators to have centralized control of these security policies and allow only devices with a certain level of measured security to connect to internal company networks and resources.”