Bring Your Own Device, or BYOD, is a relatively new business approach to technology. The days of issuing employees company-owned laptop computers, cell phones and pagers are largely over. Instead, businesses are taking advantage of the proliferation of smartphones and tablets by scrapping their old technological plans and allowing employees to use their own devices – laptops, smartphones, tablets and USB devices – for company purposes and giving those devices access to the company network.
While BYOD is a net positive for organizations as it promotes more responsiveness, more accessibility for workers and higher worker satisfaction with the ability to work outside of the office, it does come with drawbacks. Security issues are of greatest concern to businesses. IT staff responsible for corporate security now have a new and complex challenge to solve – supporting employees who bring their own devices into the corporate fold while maintaining the security and confidentiality of sensitive company data. Yet, despite the security risks mobile devices pose, most companies have not taken measures to address them. Failing to take such measures, including protecting devices against malicious code and configuring devices so they can be disabled remotely, may cost organizations hundreds of thousands of dollars if a breach occurs.
It’s easy to lose sight of what makes mobile devices so vulnerable amidst their popularity and productivity-boosting potential. By keeping in mind the following six core security risks associated with mobile devices, and potential solutions, businesses may better balance mobility’s risks and rewards.
1. Ways to attack mobile devices abound. The attack surface on mobile devices is small from a traditional network security perspective but deep in terms of the range of services that can be attacked (e.g., applications, messaging, near field communications) and the variety of techniques cyber criminals use to attack devices (e.g., browser-based attacks, phishing attacks targeting small screens, man-in-the-middle attacks). The range of potential attacks on mobile devices makes securing them particularly challenging.
Potential solutions: Establish baseline security configurations specific to each mobile operating system (OS) and push related technical policies down to the devices connected to your network. Regularly update OS versions and apply security patches either directly or by prompting users to do so via automated messages. Monitor your mobile communication/synchronization logs for suspicious activity. Educate users on the latest social engineering and phishing attempts.
2. Mobile malware is easy to write. Platform vendors distribute documentation on their mobile operating systems so that developers can write applications for them. This documentation contains a variety of APIs (application programming interfaces) that enable basic smartphone functionality, such as identifying users’ physical locations, calling up the contents of their address books, making phone calls, and sending SMS messages. Unfortunately, malware writers have access to this documentation and they don’t need particularly strong programming skills to write malicious code for mobile devices. Using the APIs, they can, for example, quickly and easily write code that will access the contents of users’ address books or send SMS messages.
Potential solution: Educate users on the potential dangers of downloading apps to their smartphones and on ways to identify questionable apps. Consider blacklisting known malicious applications, or conversely, whitelisting known good apps (but be ready to deal with the overhead associated with selecting such apps).
3. Marketplaces for mobile apps may inadvertently distribute malware. Vendors’ online mobile application stores do their best to prevent malware from being distributed through their channels, but their processes for scrutinizing apps have limitations and they’re not entirely focused on security. The fact that malware is getting more sophisticated and harder to detect further complicates vendors’ app validation processes.
Potential solution: Educate users on the potential dangers of downloading apps to their smartphones and on ways to identify potential malware.
4. Network communication channels may be compromised. “Man-in-the-middle attacks” can intercept data in transit between the mobile device and server, potentially allowing cyber criminals to gain unauthorized access to sensitive data. Kaspersky Lab reports that 70% of tablet owners and 53% of smart phone/mobile phone users use free public Wi-Fi hotspots. Since these connections often rely on unencrypted protocols, your employee may be transmitting login credentials in the clear.
Potential solution: Design mobile applications and solutions to communicate over an encrypted channel, such as SSL (Secure Sockets Layer), or require that sensitive information only be transmitted when directly connected to the corporate infrastructure (e.g., corporate Wi-Fi or VPN). Educate users on when and when not to use public wireless networks.
5. The mobile ecosystem is extremely diverse. For every mobile operating system (presently there are at least three dominant ones), wireless carriers may have their own specific implementations, and in the case of certain platforms, they may have device-specific implementations. This results in a far more diverse environment than in the past and makes it difficult for enterprises to deploy a single solution for mobile security.
Potential solution: Carefully consider which mobile platforms your enterprise will support today and in the future, while recognizing that the mobile operating system landscape is shifting every few months. Start by supporting the critical platforms and devices and establishing operational processes and security controls, then expand as your mobile program matures.
6. Mobile devices are easy to lose. Loss of a device can lead to the loss of sensitive information, including stored credentials, contacts, personal information, and corporate data. According to a study commissioned by Protect Your Bubble, a lifestyle insurance company, 113 cell phones are lost every minute in the United States. In particular, they are most commonly lost in public areas such as fast food restaurants, drug stores, grocery stores, coffee shops and the office. What would the impact be if sensitive organizational information such as emails or reports were on said employee’s smart phone?
Potential solutions: Require that devices be password/PIN-protected, that devices be wiped after a set number of failed PIN entry attempts and that remote device wipe functionality be enabled as part of your baseline technical security standards. Build a supporting mobile security infrastructure that enforces technical security requirements, enables geo-location of lost devices, and allows for monitoring of mobile device connectivity.
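The per-OS baseline from item 1 and the lost-device requirements from item 6 can be checked mechanically against a device inventory. The following is an added example, not part of the original article: the record fields, platform names, minimum OS versions and failed-PIN limit are all assumptions constructed for illustration and do not correspond to any particular mobile device management product.

```python
from dataclasses import dataclass

# Hypothetical baseline per mobile OS; all values are constructed for this example.
BASELINE = {
    "ios":     {"min_os": (17, 0), "max_failed_pins": 10},
    "android": {"min_os": (14, 0), "max_failed_pins": 10},
}

@dataclass
class Device:
    owner: str
    platform: str
    os_version: str          # dotted numeric string, e.g. "17.4.1"
    passcode_set: bool
    wipe_after_failed: int   # 0 means wipe-on-failure is disabled
    remote_wipe: bool

def parse_version(text):
    """Turn '17.4.1' into (17, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def violations(device):
    """Return the list of baseline requirements this device fails."""
    rule = BASELINE.get(device.platform)
    if rule is None:
        # Platform is outside the set the enterprise has chosen to support.
        return ["unsupported platform"]
    found = []
    if parse_version(device.os_version) < rule["min_os"]:
        found.append("OS below minimum version")
    if not device.passcode_set:
        found.append("no password/PIN")
    if not 0 < device.wipe_after_failed <= rule["max_failed_pins"]:
        found.append("no wipe after failed PIN attempts")
    if not device.remote_wipe:
        found.append("remote wipe disabled")
    return found

# Constructed sample inventory, not real data.
INVENTORY = [
    Device("alice", "ios", "17.4.1", True, 10, True),
    Device("bob", "android", "13.0", True, 0, False),
    Device("carol", "other", "8.1", False, 0, False),
]

def audit(inventory):
    """Map each non-compliant owner to the requirements their device fails."""
    return {d.owner: v for d in inventory if (v := violations(d))}

if __name__ == "__main__":
    for owner, problems in audit(INVENTORY).items():
        print(owner, "->", "; ".join(problems))
```

A device that fails the audit would typically be denied network access until it is brought back within the baseline.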
These six threats highlight the need for technical solutions such as mobile device management systems, mobile application management systems and security information and event management (SIEM) solutions. They also underscore the importance of ongoing end-user education and awareness. User training and vigilance can go a long way toward reducing the risk of device loss, malware infection and phishing and social engineering attacks that can lead to data theft. Increasing user awareness may also alleviate the management and support burden mobile devices have imposed on IT organizations.
Sarah Hendricks is a security expert on protecting users and businesses from hackers and data leakage. Users in the office, at home, or working remotely are all subject to attack. Sarah has teamed up with mobile antivirus software leader NQ.com to keep mobile devices protected nationwide!