As Hillary Clinton learned all too well, you can't be too careful protecting sensitive material, and co-mingling work and personal email on various devices is never a good idea.
WikiLeaks and the outcome of the 2016 presidential election notwithstanding, it behooves all organizations to better examine just how vulnerable their networks are when non-company-issued mobile phones and other devices are able to access proprietary records.
Make no mistake, criminal elements are banking on the gaping sieves created when employees connect to the internet via public Wi-Fi and charging stations.
As the Ponemon Institute noted in January 2016, security issues – think about the rampant deluge of serious breaches since then – will not curb the use of mobile devices and their access to and storage of sensitive data. Among the 720 Ponemon survey respondents throughout the U.S. using smartphones and tablets for personal matters and/or business, 59 percent access corporate email and documents from those devices.
Gorav Arora, director of technology/data protection, Gemalto
About two-thirds admit that the amount of sensitive/confidential data on devices increased significantly during the previous two years. Further, a March 2014 Ponemon survey conducted by IBM found that 63 percent of the 618 IT and IT security practitioners surveyed believed data breaches involving mobile devices occurred in their organizations.
Yet lackadaisical attitudes remain in ensuring everything is being done to protect assets from being inadvertently siphoned from employers' physical confines, SC's panel of experts concur.
To what extent organizations implement stringent policies regarding bring-your-own-device (BYOD) runs the gamut, according to Kevin Haley (right), director of security response at Symantec, a Mountain View, Calif.-based technology company.
“We're seeing everything from stringent policies in place to no policies at all,” he says, adding that in some cases, tools have been put in place for enforcement, whereas in others they have not.
Stolen or lost devices should be treated as a breach because “mobile devices ultimately become a way for insiders to take data outside of an organization,” Haley notes.
One of the biggest threats businesses face with work usage of mobile devices is the misalignment of the security practices with risk tolerance, points out Gorav Arora (right), director of technology for data protection at Gemalto, an Amsterdam-based digital security company.
“It can take the form of unintentional misconfiguration of a new tool due to the lack of knowledge, or could be intentional circumvention of security policies by employees to achieve higher productivity, meet deadlines, etc. – such as emailing sensitive information over personal email for a colleague who cannot connect to VPN,” Arora says.
The rise in the adoption of “shadow IT,” which is the abandonment of corporate security policy, is a direct indicator of the gap between the provided IT tools and needs of the employees, Arora believes.
Furthermore, once a device is out of the company or an employee's possession, it's typically mined for credentials, company data and personal information, points out John Michelsen, chief product officer at Zimperium, a San Francisco-based mobile security company which recently collected data from 7,000 mobile devices used by a client's employees. It found 60 percent of the devices to be exposed to known vulnerabilities, six percent recorded a critical threat event and one percent to be infected with a malicious app. (Adding to those findings, Symantec's “Internet Security Report,” identified a 77 percent increase in Android malware variants from 2014 to 2015, with even more expected in 2016.)
“This 24/7 access, outside the corporate firewall, likely raises the tendency of employees to share inappropriate information with others,” Michelsen (left) says. Organizations should implement solutions from mobile device manufacturers that provide strong authentication, document tracking/tracing and data loss prevention features, he adds.
As BYOD became prevalent, device manufacturers are turning on security by default, essentially building in two-factor authentication to secure company data, notes Arora at Gemalto. Only two-fifths of enterprises use authentication to protect all of their resources, but it should be a standard business practice, he adds.
Organizations should ensure that if applications are being accessed from mobile devices, suitable authentication safeguards are being used such as ensuring that adaptive authentication and second-factor methods are in place, agrees Keith Graham (right), CTO at SecureAuth, an Irvine, Calif.-based provider of two-factor authentication and single sign-on tools.
If a device is compromised and any credentials being used on the device are stolen, adaptive and second-factor authentication “helps ensure that attackers cannot use these stolen usernames and passwords to gain access,” he adds.
Paying attention to what's going on in the network is critical whether the employee is in the office or working remotely. “Log analytics, particularly those that use behavioral analytics, can identify risky access patterns early in the process,” says Rick Caccia, CMO of Exabeam, a San Mateo, Calif.-based computer security services firm whose specialty is behavior analytics.
Caccia believes that putting more security on the device itself has only marginal benefit. “It's much better to increase monitoring and detection throughout the network itself, and then to link that to cloud services in use,” he explains. That way, even if an employee switches devices, the firm can detect unusual behavior.
The mobile arena, because of less device management, “can make it easier for a malicious insider to copy and remove sensitive information,” he points out. “Mobile doesn't create new types of insider threats, it just makes the most common types easier to execute and harder to detect.”
Part of the problem is an office desktop computer and server mentality is influencing IT departments without acknowledging workflows have changed dramatically. By their very nature, mobile phones are reliant on non-desktop technologies.
“We've seen numerous cases of attacks orchestrated where a one-time-password sent to a phone via SMS has been intercepted and stolen from the mobile device using malware,” Graham notes. This, of course, enables attackers – with already compromised usernames and passwords – to bypass the second factor.
Meanwhile, Haley points out that mobile phones are “great spying tools” that can take pictures and record audio and video, and even report the location to an insider who could control the device.
A social engineering ploy that tricks an employee to click on an emailed, malware-infested link accessed from a BYOD can easily result in a data loss, or worse.
“Business email compromise (BEC) exploits the hyper connectivity and mobility of the workforce,” Arora notes. “Often such threats start with phishing attacks to have unwitting trusted insiders allow privileged access to untrusted outsiders, leading to the installation of malware or ransomware,” he says. In June the FBI estimated such attacks have resulted in $3 billion being swindled from businesses around the world, he adds.
Back to basics
Organizations need to go back to basics. “There is no substitute for continuous security training and education of all employees to ensure the security mindset permeates through every business transaction and is weaved into company culture,” Arora points out.
To mitigate risk, organizations need to shift their mindset toward “breach acceptance” rather than prevention, he believes.
Although mobile devices allow the unification of multiple accounts, many users end up using personal accounts for work. “Not good,” notes Sean Sullivan, security adviser for F-Secure, a cybersecurity and privacy company based in Helsinki, Finland. “There should be a clear division between personal and professional accounts,” he says.
He also urges employees to learn how to archive. “There is almost no good reason to keep 10 years of communications at your fingertips,” he says. A desktop client can sync a mailbox and archive the old stuff to an offline file. “Then delete and sync. If you don't know how, get an IT staffer to assist.”
Not taking all the precautions in protecting health and financial data, for example, opens an organization to legal liabilities. Ken Dort, a partner in the IP Group of Chicago law firm Drinker Biddle and chairman of the firm's Technology Committee, notes that companies have regulatory responsibilities in safeguarding personally identifiable information (PII) relating to employees or customers, and personal health information of patients held by health care providers.
Proprietary and/or confidential information – such as research and development plans, corporate financial data, marketing plans and pricing information – can be valuable to competitors.
“The ubiquitous use of mobile devices to permit the flexibility of today's workforce has exposed sensitive data to greater risk of loss as these devices leave the secure facilities or systems of companies with otherwise solid security practices,” Dort says.
The fact is mobile data faces a higher risk of loss than data kept within the walls of a company's secure framework. “Given the small size of most mobile devices, intentional theft of data by disloyal insiders becomes easier as the capacity of these devices grows ever larger,” he adds.
Arora notes that the data perimeter has been eroded by the mobile workforce and adoption of the cloud. Focus should instead be on securing the data through encryption and strict access controls, and using strong authentication to elevate the assurance of the end-user identity, he says.
Minimize the mobile threat: 4 must-haves
How can organizations reduce and mitigate the mobile threat posed by its own employees? Kevin Haley, director, security response at Symantec, lays out here four simple must-haves that organizations should implement to reduce and mitigate the threat:
Policies: Have policies about the use of data and ensure users are educated on them
Tools: Use tools to both alert and prevent data leakage
Encryption: Leverage encryption on mobile devices to protect data
Scanning: Ensure devices are scanned for spyware and malware
Haley also suggests any mobile toolkit should include protections such as two-factor authentication, data leak prevention, and encryption/remote wipe technology.