Mobile Security Assessment
Throwing technology at the problem may help, albeit with added complexity and expense. What technology cannot do is replace policies and process.
Mobile technology has provided business professionals and executives with the opportunity for greater productivity, availability and convenience. Unfortunately, it also has facilitated fraudulent and criminal behavior. Business resiliency mandates adequate security measures to mitigate the risks inherent in using mobile technology. As business risks and countermeasures are identified, the term “security” is focused on preventing breaches and protecting corporate data. Because information security options for commercial corporations have lagged behind the availability of new technology, businesses ultimately have to rely on employees’ ethics and due diligence in protecting confidential corporate, market and customer information.
We divide our mobile security risk assessment into four categories:
The top-level concern about mobile devices is that they can access sensitive data and potentially cause a breach or leak of this data to the public. But can they really? For example, a company we performed a risk assessment for didn’t even know what it considered sensitive data.
Once we identified that (it was the financials), we were able to point out that the accounting software the company used ran only on Windows, wasn’t reachable via mobile devices, and just six of 400 employees even had access rights. The real risk was reports containing financial data being generated and emailed around.
Our experience shows that most mobile devices don’t have direct access to sensitive data. Rather, they have peripheral access, and existing security systems, such as data loss prevention, identity management, and access control, can usually address those sources.
Device risk is where most of the media spreads FUD: 200% increases in mobile malware! Less than 50% of mobile device users employ passcodes! While scary stats are fun to talk about and easy to sensationalize, evaluating risk is not nearly that simple. Each mobile device operating system has unique vulnerabilities and offsetting controls. When looking at device risk, we don’t focus on viruses and Trojans and instead we review how the sensitive data is encrypted, guard against theft of the device, educate the help desk, and extend the reach of your mobile security technologies.
When we analyze the coverage of most mobile device management suite deployments, for example, clients are surprised to see that there are devices that bypass their MDM software and go directly to ActiveSync, use legacy IMAP or POP3, or have VPN access into the network and users don’t even realize their devices are connected.
Mobile security is difficult because of the thousands of devices being traded in, lost, stolen, and updated with new apps and firmware every day. You’re always going to struggle to keep up with the velocity of change, so make sure you have a process to quickly analyze the risk any given mobile threat presents to your data, and to evaluate new operating systems and devices.
The day the Fire was released, it began accessing corporate email and Wi-Fi networks. How would you handle 20% of your company’s workforce logging on using a new, unknown mobile device with an untested version of Android? Also, as we mentioned before, mobile devices are traded in, damaged, and stolen–a lot. Do you have a policy to make sure they’re wiped first?
Analyze the processes you’ll use to deal with malware alerts and end user problems. How likely is it that you can consistently execute these processes? Be honest–are resources allocated properly? Do you have enforcement mechanisms for mobile security policies?
The first and last line of defense for mobile devices is the user. Users are running at admin level and have the ability to install and delete apps, reconfigure settings, back up data or not. How well are you informing them about risks? A handout as they go through new-hire training isn’t enough. They need to know exactly what to do when they see something suspicious going on with their mobile devices.
Comprehensive mobile security awareness training is very effective at reducing risk. I believe it is one of the strongest security controls you can invest in outside of MDM technology, but many companies I work with aren’t prepared to talk with employees about these risks in an ongoing way.
SOFTBOLT offers risk evaluation of your mobile strategy, in-house & third-party apps and web services for mobile solutions. We support a full array of mobile devices, including Apple iPhone, iPad, Android, Windows Phone 7 and Blackberry.
Many common assumptions regarding mobile device security are inaccurate. Security breaches of ordinary business networks by someone from the outside are not as frequent as business employees unintentionally doing something that has security ramifications. For example, in January 2007, a large study in the UK tested the probability of corporate employees introducing malware to corporate networks. The consulting firm sent flash drives containing an anonymous message about “Party of a Lifetime.” Percentages of people placing the flash drive in computers connected to corporate networks varied by industry: 50 percent of finance directors, 65 percent of media company employees, and 38 percent of technology, retail and transportation companies’ employees.