From sales staff working the floor in large stores to corporate road warriors flitting from city to city, there is no debate about the degree to which mobile devices have increased productivity. Some sources place the time savings as high as 57 minutes per day. As new apps continue to flow into online stores, there is also widespread agreement that those productivity gains are just the beginning of what might be possible.
Change the topic to mobile security, however, and the tone shifts to nagging doubts: “Does my tablet, smartphone or watch keep my data as safe as my desktop computer?” Respondents to a recent Forrester Research survey chose their desktop environment for security by a margin of 71 percent to 43 percent.
But, consider this: A quick Google search can take you to a YouTube tutorial showing how to crack an iMac’s master password, but only your fingerprint will unlock your iPhone. In March, Fujitsu introduced an iris authentication system for smartphones. Other biometric-based security approaches are rumored to be in the pipeline at other manufacturers.
Add to those types of user-facing security features such technologies as partitioning of corporate and personal apps and data, cloud-based enterprise mobility management and BlackBerry’s VPN Authentication and you can start to see the security of the mobile environment holding as much promise as productivity gains offer.
“In some important ways, mobile devices are more secure than the traditional desktop or laptop,” says Edward “Pat” Patterson, enterprise architect at FishNet Security, which merged with Denver-based Accuvant in February. “Mobile operating systems have built-in security measures that are still not present in desktop operating systems, and most of the software for these devices is only available through app stores that check it before it is made available.”
So, why does mobile vulnerability continue to rank so prominently on the list of things that keep CISOs awake at 3 a.m.?
Beyond the lingering perception that smartphones, tablets and the emerging wave of wearable devices are inherently insecure, two major realities are prime sleep-killers: Many organizations have remained behind the curve on the burgeoning adoption of mobile devices, and as intelligently as Apple, Samsung, Xiaomi and other manufacturers have designed their devices, no one has been able to design a user who will not click on a bad link they believe is legitimate, leave their smartphone in a restaurant or let their kid download some random apps.
“Users are still the weakest link,” says Alex Manea, director for BlackBerry Security in Waterloo, Ont., Canada.
It falls to organizations to manage those human factors, establish protocols for securing mobile communications and adopt network technologies for identifying risky usage and potential cybercrime. It remains a subtle balancing act between wringing productivity gains out of mobile’s potential and extending trust too far.
Organizations have to shift the way they think about mobile, says Manea. “They need to understand that these are computers and integrate mobile into their overall security strategy.”
Measuring the risks
Tracing the rise of the bring-your-own-device culture is like trying to determine when standard office wear shifted from suits to khakis, but a look at the rapid decline of BlackBerry’s marketshare in the smartphone category tells the tale. Not surprisingly, Manea calls the period 2008-2012 – when his company’s global share fell from a high of 20.1 percent to 3.2 percent – “a free-for-all” for mobile adoption. With the global economy in crisis, organizations were quick to acquiesce to employees’ demand to use devices of their own choosing, shifting a sizeable expense off company books.
Today, the average U.S. employee has three mobile devices at his or her fingertips and “mobile devices are becoming the predominant productivity tool because of the user experience,” says Aaron Cockerill, vice president of products at Lookout in San Francisco. “They’re beautiful, simple to use and go with you everywhere.”
A research report by the Ponemon Institute showed that 43 percent of employees surveyed would quit their jobs if they were not allowed to use their personal devices and favorite apps at work. Employers have responded in kind. According to Gartner Research, 90 percent of U.S. companies now allow employees to use their own mobile devices and most organizations have a mix of iOS, Android, Windows Phone and BlackBerry operating systems accessing their enterprise networks and databases.
“Even the best security people can’t be expected to know the whole zoo of devices being used across a large organization,” says Andrey Pozhogin, senior regional product marketing manager for Kaspersky Lab North America, based in Woburn, Mass.
But Kayvan Alikhani (left), senior director of technology at RSA, the security division of EMC, sounds a warning about keeping an eye on operating systems. “With the fragmentation of mobile operating systems, companies need to ensure they restrict access to patched devices running acceptable versions of the operating systems.”
More difficult, still, is keeping track of all the risky behavior associated with all those assorted devices. The result of those behaviors can turn mobile devices against users and their employers, warns Pozhogin, who notes that malware can now use smartphones’ internal gyroscopes and cameras to send hackers an illustrated schematic of an office building or turn microphones on during confidential business meetings. Malware can also steal address books and other data stored on devices, providing up-to-date information for additional phishing attacks.
“Email is the number one threat vector,” says Stu Sjouwerman, CEO of Clearwater, Fla.-based KnowBe4. Sjouwerman’s company is a co-sponsor of a new study by Osterman Research on phishing and next-generation malware that outlines why phishing attacks remain so successful: Social media, like LinkedIn, gives hackers the information they need to personalize phishing attacks; and not all anti-phishing solutions are kept current, allowing users to fall victim to new techniques.
What is more, the malware that cybercriminals are using is becoming more challenging and difficult to address. Some variants can detect when it has been placed in a sandbox, so it will remain dormant, and some can remain dormant for an extended period, avoiding detection by traditional anti-phishing and anti-malware solutions. Some malware will only execute its code when users activate it by unwittingly clicking on a button in a seemingly innocuous dialog box.
It is little wonder, then, that Osterman found that corporate decision-makers and influencers cited phishing attacks and related malware in their top four security concerns (ranked between 44 and 49 percent). Mobile malware was cited specifically as a very serious concern by 23 percent.
The Kaspersky Lab survey also found that the rate of mobile device theft overall has continued to climb over the years, with a quarter of companies experiencing the theft of a mobile device in 2014, a significant increase from the 14 percent reported in 2011. Overall, reports a survey by Accellion, 1.4 million smartphones were lost in 2013, and 3.1 million stolen. Of those missing phones, only 36 percent were protected with a PIN, only 29 percent had their data backed up, and just seven percent of owners had protected data with a strong password. Most concerning of all, only eight percent of the phones lost featured software that could enable the owner or corporate administrator to remotely wipe the device’s contents.
The Kaspersky survey speculates that the growing prevalence of stolen mobile devices may be a contributing factor to employee apathy, since a stolen smartphone might now be seen as a somewhat common occurrence, and not a rare crisis that demands attention.
The result can be just as dangerous: Businesses have a one-in-five chance of losing data if a mobile device is stolen.
“You can’t be overcautious,” says Pozhogin. “You never know what can be introduced in terms of security holes.”
BYOD on paper
While organizations have been quick to meet employee demands to use their own devices, they have not been as fast off the mark with comprehensive BYOD policies that maximize both productivity and security. In fact, says Sjouwerman, less than half of organizations have policies in place.
Experts agree that BYOD is not a one-size-fits-all proposition – each organization needs to conduct a thorough needs assessment, analyze the kind of usage employees introduce into their systems, and determine how much risk they can tolerate related to the use of mobile devices. Sjouwerman suggests taking a “top-down” approach that starts with thinking about who has access, measuring the risks and deciding how to mitigate them.
Begin with policies, procedures and employee awareness, he recommends, then defend the perimeter with a firewall and related tools to block intrusions. After that, comes protection of the internal network, scanning for attackers and traffic that looks suspicious, followed by protecting network hosts, individual apps and the corporate data itself.
“Combining that kind of defense-in-depth approach with a sound mobile device management policy will make any organization secure, but it is essential not to forget the ‘human firewall,’” he says.
Pozhogin agrees that taking the human element into account is a critical factor in creating a successful BYOD approach. He says that begins by viewing mobile device usage through the eyes of the user. “The way employees use mobile devices is not driven by security,” he says. While privacy may be a concern to them, it is convenience they are after, and they are happy enough to pass along productivity gains to their employers, but only up to a point.
“If your security policy is too difficult, users will rebel,” Pozhogin (left) warns.
The same message is echoed from the suppliers’ side, with BlackBerry’s Manea saying that his company thinks a lot about how to stay out of the way people use their products. “Users are paid to do their jobs, not IT’s job. If you make it too hard for them, they will find a way to get around the rules.”
Employees may also balk at a BYOD policy that does not include provisions to protect their privacy if they are using a device for personal use, or does not spell out that personal data – including music, photographs or bookmarked web links – will not be removed should corporate data need to be wiped from the device.
Cockerill says that the strongest BYOD policies embrace the freedom inherent in employees using their own equipment. If you are going to allow them to choose which device to use, why try to restrict apps or network providers, he asks. “That approach does not embrace the idea of BYOD.”
Second, he recommends securing the corporate environment for the lowest common denominator, but allowing for some flexibility. “If you consider Android Open Source Project (AOSP) to be the least safe mobile platform, then build your infrastructure to protect AOSP devices. Everything else will be safer because of it.”
He adds that the policy needs to be flexible enough to address future needs. “Today, most employees may use iOS and Android devices, but in the near future I predict that there will be more operating system diversity in the workplace, as Microsoft, Ubuntu, Firefox and more introduce competitive software and devices.”
Addressing productivity, he recommends planning on the organization rolling out new, potentially custom enterprise apps. “When choosing or developing these apps for your organization, think mobile first, and make sure they are secure.”
Finally, he says, no BYOD strategy is complete without taking into account other important trends, like software-as-a-service. “Consider the fact that your employees’ mobile devices will be connecting to enterprise systems, like Box, Salesforce.com, etc., not necessarily through the enterprise network.”
Like all corporate policies, BYOD regulations are only as good as their reinforcement. If allowed to remain ignored in an employee handbook, they will grow stale – neglected by employees and likely not updated to reflect changes to both technology and malware. It is an irony of life inside an organization that new hires – fresh out of their orientation session – are often more familiar with the rules than seasoned veterans.
That is not a good way to deal with mobile security, says FishNet’s Patterson. “Mobile security education should be a part of the general security training given to employees at hire and repeated annually,” he says.
“You definitely need to keep it in front of them,” says Sameer Dixit, director of Chicago-based Trustwave’s SpiderLabs. “Make it a part of regular training, because that reflects that security is always a work in progress.”
Sjouwerman, who has a penchant for proving how easy it is to create authentic-looking email messages based on readily available personal details, says training should include regularly scheduled mock-phishing attacks.
Yet, that kind of approach is relatively rare, based on the findings of the 2014 Ponemon Institute report. Only 20 percent of respondents said they had received training on the security of mobile content access in the workplace, and 74 percent of those who did receive training reported it was ineffective in reducing the risks created by the use of mobile devices.
The message is that mobile security training needs to be integrated into ongoing corporate communications, and that message extends to the technological aspect, too. Alikhani says that as the line between various mobile devices blurs organizations need to look to merge management of what used to be segregated as “mobile device/application” management into their overall enterprise device and application management services. That kind of integration can yield the kind of productivity/security union that is the Golden Fleece of mobile communications.
“As standards such as FIDO [Fast IDentity Online] get broader adoption,” says Alikhani, “companies can rely more heavily on mobile device-based user authentication. This means that business applications can firmly rely on the mobile devices to assert as to the identity of the users.”
From there, organizations can use emerging technologies – integrated with their existing network oversight technology – to analyze usage trends and ensure that users are not indulging in potentially risky behavior, and then head it off if it occurs.
At this point, mobile devices might be viewed as the first 1940 Ferraris – a new breed that ran fast and turned heads, but was raw and built for the racetrack. It held potential, but only refinement turned it into the luxury powerhouse it became. The productivity gains introduced by mobile devices to this point have been natural byproducts of their design. Once the devices, and the technologies to keep them secure, have been integrated into the organizational workflow – once enterprises introduce mobile-first approaches – the full potential will be unlocked.
“If IT departments design and build their security infrastructure to enable maximum productivity on mobile devices,” says Cockerill, “then theoretically, the overall security of the firm should be enhanced because it will be catering to the most difficult use case.”
Secure mobility: Six steps
Ensuring that the myriad of mobile devices and operating systems accessing your organization’s network and data are secure requires a multi-pronged approach. SpiderLabs Director Sameer Dixit shares his half-dozen best practices.