Mel Gibson had it easy. The star of the Mad Max cult movie series could at least see his enemies approaching, so he knew just what to do to keep them at bay. And, the second film of the series, titled Road Warrior, helped spawn the descriptive term for business people who travel a lot.
For today's road warriors, no longer armed just with a laptop but also with mobile phones, tablets and a growing array of personal “smart” technology, the threats can be hard to detect, harder to anticipate and well nigh impossible to completely fend off. Indeed, experts paint a grim picture of potentially expanding vulnerabilities. Of course, in truth, we've seen this movie before in the form of the learning curve provided by personal computers and the early years of the internet. We are all older – and potentially at least, wiser.
One element of the threat is simply volume. As TJ Keitt, a senior analyst at Forrester Research, points out, the more locations from which an individual works, the higher the rate at which they use multiple devices. “Someone who is deskbound doesn't use the technology at the same rate as someone who works from three or four locations,” he says. “As they shift context, they try to use the device that best conforms with their needs in that situation.”
In addition, Keitt notes, personal technology devices – such as those from Fitbit (activity trackers, wireless-enabled wearable devices that measure data) – have the potential to further complicate the challenges of staying secure. For the moment, though, Keitt says most of those technologies are “connected” but not yet too intelligent. So, hacking them is not yet likely to prove rewarding to the bad actors.
However, even with the existing spectrum of intelligent devices – phones, tablets, and laptops – there's plenty to keep security professionals busy. “Individuals care about secure practices up to a point, but that concern is often sublimated to concerns about accessibility and convenience,” says Keitt. Thus, if a business cares about keeping applications and data secure, it is up to them to do the work. Individuals won't.
Michael Finneran, principal of dBrn Associates, an advisory firm, says for organizations with a mobile workforce, the greatest security concerns relate to the increased vulnerability they cause for corporate data and systems. In his view, organizations need to first define their objectives (e.g., increased employee productivity and satisfaction, lightening carbon footprint, allowing work flexibility for families, etc.) and then identify what platforms they will support (e.g., Windows, OS X, iOS, Android, Windows Phone, BlackBerry, etc.). Then they need to delineate the potential threats and design protection measures for each of them on all supported platforms. “That can be VPNs, SSL, secure RTP for voice, MDM systems for mobile operating systems, and anti-virus – the whole nine yards,” he says.
As a first step, says Finneran, organizations should develop an overall strategy for telecommuting that defines who can participate, how often they must come into the office, how they will keep in sync with co-workers and managers, and what kind of equipment and work environment should be required. “As part of that planning, the security plan should be developed...and there should be ongoing monitoring and assessment as part of the program,” he says
Like Keitt, Finneran dismisses the immediate threat from wearables. However, Tyler Shields (left), Forrester's senior analyst for mobile and application security, says that those new technologies, also referred to as the Internet of Things (IoT) is complicating the challenges for security.
“Wearables are mobile devices in many ways but they are more embedded and are changing the threat landscape,” Shields explains. Not much consideration has gone into the manufacturing of IoT devices and its software. “Within the IoT of embedded devices, protocols are mostly wide open and all of a sudden security is a real issue. In effect we are taking steps backwards so people can relearn the lessons of the past,” he says.
And, Shields suspects that road warriors will be among those to quickly adopt wearable technology. Echoing Keitt, Shields says not all IoT/wearable technology will pose a threat. The targets will be some devices – such as wristbands that automatically authenticate the user to other devices – because those attacks can be monetized.
However, the security industry is paying attention. Shields says IoT vulnerabilities have already been a big topic at Black Hat. “IT has gone through the necessary thinking but the people involved with IoT haven't experienced the software exploits of the past,” he says. Still, those lessons are accessible. When combined with some of the “hype” about IoT vulnerabilities, Shields believes the organizations creating the IoT will come up to speed quickly. “Now it is really mostly a matter of educating them about secure processes and secure design, he says.