How can organizations reduce and mitigate potential risks?

As Hillary Clinton learned all too well, you can't be too careful protecting sensitive material, and co-mingling work and personal email on various devices is never a good idea. 

WikiLeaks and the outcome of the 2016 presidential election notwithstanding, it behooves all organizations to better examine just how vulnerable their networks are when non-company-issued mobile phones and other devices are able to access proprietary records.

Make no mistake, criminal elements are banking on the gaping sieves created when employees connect to the internet via public Wi-Fi and charging stations. 

As the Ponemon Institute noted in January 2016, security issues – think about the rampant deluge of serious breaches since then – will not curb the use of mobile devices and their access to and storage of sensitive data. Among the 720 Ponemon survey respondents throughout the U.S. using smartphones and tablets for personal matters and/or business, 59 percent access corporate email and documents from those devices.

OUR EXPERTS:
Insider threat 

Gorav Arora, director of technology/data protection, Gemalto
Rick Caccia, CMO, Exabeam
Ken Dort, partner/chair IP Group, Drinker Biddle
Keith Graham, CTO, SecureAuth
Kevin Haley, director, security response, Symantec
John Michelsen, chief product officer, Zimperium
Sean Sullivan, security adviser, F-Secure

About two-thirds admit that the amount of sensitive/confidential data on devices increased significantly during the previous two years. Further, a March 2014 Ponemon survey conducted by IBM found that 63 percent of the 618 IT and IT security practitioners surveyed believed data breaches involving mobile devices occurred in their organizations. 

Yet attitudes toward ensuring that everything is being done to protect assets from being inadvertently siphoned out of employers' physical confines remain lackadaisical, SC's panel of experts concurs. 

To what extent organizations implement stringent policies regarding bring-your-own-device (BYOD) runs the gamut, according to Kevin Haley, director of security response at Symantec, a Mountain View, Calif.-based technology company. 

“We're seeing everything from stringent policies in place to no policies at all,” he says, adding that in some cases, tools have been put in place for enforcement, whereas in others they have not. 

Stolen or lost devices should be treated as a breach because “mobile devices ultimately become a way for insiders to take data outside of an organization,” Haley notes. 

One of the biggest threats businesses face with work usage of mobile devices is the misalignment of security practices with risk tolerance, points out Gorav Arora, director of technology for data protection at Gemalto, an Amsterdam-based digital security company. 

“It can take the form of unintentional misconfiguration of a new tool due to the lack of knowledge, or could be intentional circumvention of security policies by employees to achieve higher productivity, meet deadlines, etc. – such as emailing sensitive information over personal email for a colleague who cannot connect to VPN,” Arora says.

The rise in the adoption of “shadow IT,” which is the abandonment of corporate security policy, is a direct indicator of the gap between the provided IT tools and needs of the employees, Arora believes. 

Furthermore, once a device is out of the company's or an employee's possession, it is typically mined for credentials, company data and personal information, points out John Michelsen, chief product officer at Zimperium, a San Francisco-based mobile security company which recently collected data from 7,000 mobile devices used by a client's employees. It found 60 percent of the devices to be exposed to known vulnerabilities, six percent to have recorded a critical threat event and one percent to be infected with a malicious app. (Adding to those findings, Symantec's “Internet Security Report” identified a 77 percent increase in Android malware variants from 2014 to 2015, with even more expected in 2016.)

“This 24/7 access, outside the corporate firewall, likely raises the tendency of employees to share inappropriate information with others,” Michelsen says. Organizations should implement solutions from mobile device manufacturers that provide strong authentication, document tracking/tracing and data loss prevention features, he adds. 

Authentication required

As BYOD has become prevalent, device manufacturers are turning on security by default, essentially building in two-factor authentication to secure company data, notes Arora at Gemalto. Only two-fifths of enterprises use authentication to protect all of their resources, but it should be a standard business practice, he adds.

Organizations should ensure that if applications are being accessed from mobile devices, suitable authentication safeguards, such as adaptive authentication and second-factor methods, are in place, agrees Keith Graham, CTO at SecureAuth, an Irvine, Calif.-based provider of two-factor authentication and single sign-on tools.

If a device is compromised and any credentials being used on the device are stolen, adaptive and second-factor authentication “helps ensure that attackers cannot use these stolen usernames and passwords to gain access,” he adds.

Paying attention to what's going on in the network is critical whether the employee is in the office or working remotely. “Log analytics, particularly those that use behavioral analytics, can identify risky access patterns early in the process,” says Rick Caccia, CMO of Exabeam, a San Mateo, Calif.-based computer security services firm whose specialty is behavior analytics. 

Caccia believes that putting more security on the device itself has only marginal benefit. “It's much better to increase monitoring and detection throughout the network itself, and then to link that to cloud services in use,” he explains. That way, even if an employee switches devices, the firm can detect unusual behavior.

The mobile arena, because of less device management, “can make it easier for a malicious insider to copy and remove sensitive information,” he points out. “Mobile doesn't create new types of insider threats, it just makes the most common types easier to execute and harder to detect.”
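The two ideas above, adaptive authentication that steps up to a second factor when an access looks unusual (Graham) and user-centric behavioral analytics that still work when an employee switches devices (Caccia), can be illustrated with one small detector. This is an added example, not code from the article or from any of the vendors quoted; the access log, the user names, the device IDs and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample access log: (user, device_id, country, docs_downloaded).
# Values are invented to show the technique, not data from the article.
EVENTS = [
    ("alice", "ipad-a1", "US", 3),
    ("alice", "ipad-a1", "US", 4),
    ("alice", "ipad-a1", "US", 2),
    ("alice", "phone-zz", "US", 3),   # new device, otherwise normal -> step-up auth
    ("alice", "phone-zz", "RO", 80),  # new country plus volume spike -> alert
    ("bob", "laptop-b7", "US", 10),
    ("bob", "laptop-b7", "US", 12),
]

@dataclass
class Profile:
    """Per-user baseline: keyed by user, not device, so device changes are visible."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    volumes: list = field(default_factory=list)

def score(profile, device, country, docs):
    """Return (risk_score, reasons) for one event against the user's history."""
    reasons = []
    if profile.devices and device not in profile.devices:
        reasons.append("new_device")
    if profile.countries and country not in profile.countries:
        reasons.append("new_country")
    if profile.volumes:
        baseline = sum(profile.volumes) / len(profile.volumes)
        if docs > 5 * max(baseline, 1):   # hypothetical threshold: 5x typical volume
            reasons.append("volume_spike")
    return len(reasons), reasons

def decide(risk):
    """Map a risk score to an action: 0 allow, 1 require second factor, 2+ alert."""
    if risk == 0:
        return "allow"
    return "step_up_auth" if risk == 1 else "alert"

def analyze(events):
    """Replay events in order and return (user, action, reasons) per event."""
    profiles = defaultdict(Profile)
    out = []
    for user, device, country, docs in events:
        p = profiles[user]
        risk, reasons = score(p, device, country, docs)
        out.append((user, decide(risk), reasons))
        if risk < 2:  # learn only from non-alarming events, so an intruder's
            p.devices.add(device)   # behaviour does not become the new baseline
            p.countries.add(country)
            p.volumes.append(docs)
    return out
```

Because the profile is keyed by user rather than device, the fourth event is caught as a new device for alice even though the device itself has never misbehaved, which is the point Caccia makes about monitoring the network rather than the handset.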