How Cell Phones Undermine Enterprise Security
Read the full Spring 2012 issue.
As more employees use cell phones and other mobile devices for work-related tasks, companies need to address an increasing number of enterprise mobile security issues.
Too often, companies take an “all or nothing” approach to enterprise mobile security. They either ban mobile devices (or effectively ban them by limiting their functionality), or they allow all mobile technologies to access their networks, regardless of (and oblivious to) the risks.
Whether they are prepared for it or not, today’s enterprises live in a world of “bring your own device,” or BYOD. Here are 10 significant worries that keep enterprise security professionals up at night:
- The devices themselves are insecure, as are the networks to which they attach.
- For convenience and ease of use, on a mobile device we forgo many of the things we normally require for authentication, such as strong passwords. Ease of use tends to trump security.
- The operating systems for many of these devices were never designed to be — and therefore are not — particularly secure.
- By definition, mobile traffic travels through the air, which means it can be intercepted at several points: over the air itself, at the provider, on the network and at the TCP/IP level.
- It is very easy to lose a device with all of the associated data, passwords and access the device provides.
- We tend to connect the devices to multiple and different types of access points, some secure, most not.
- Mobile devices are increasingly becoming cloud access devices, permitting their users access to everything created or stored on that cloud, including sensitive email and documents, personal information and intimate communications. But if the device is lost, someone else could get the same access.
- With a mobile device, for convenience we tend to authenticate the device rather than the user. And with so many different handsets from different manufacturers, running different operating systems on different networks, we need to secure and manage all of them.
- Smartphones are getting smarter, which means a lot of the hacking and processing can be done on the phone itself. There are lots of viruses, worms and malware designed just for phones, and there will certainly be many more. There are very few antimalware programs for smartphones.
- Finally, cell phones are always on and always connected to the Internet, whether through the phone company, a WiFi signal or otherwise. That two-way channel is always open, which means hackers can get in, and Bluetooth increases this risk.
So, how do you approach enterprise mobile security? First, you have to recognize the vulnerabilities of mobile devices. Second, you have to accept that cell phone use for work-related tasks is not going away. The question is not, “How do I stop people from using a cell phone?” The question is, “How do I enable people to use it in a way that will be reasonably secure?”
When dealing with cell phone usage, it is essential to put a set of reviews and processes in place:
Risk and Privacy Assessment: Conduct a risk and privacy assessment that includes looking at your current state, determining what state you want to get to and developing a process for getting there. As part of the assessment, you need to determine how people are using mobile devices, how they are circumventing the policies already in place and what else can be established.
Technology Review: This is not just a review of the mobile technologies themselves (not only how secure iOS, Windows, Android or BlackBerry are), but also a question of what technologies out there can help. Finally, what is the cost of doing it, and what is the cost of not doing it?
Privacy Considerations: An organization should consider both the impact of mobility on the privacy of the company and its customers and the impact of policies on the privacy of employees and those using the mobile technology. You need to choose a monitoring solution that effectively protects the interests of both parties.
Because these devices are mobile and move across jurisdictions, enterprises might also need to undertake a legal and regulatory review and look at the impact of foreign laws, technologies and monitoring.
The ultimate goal is to find solutions to these enterprise mobile security issues that actually enable people to do things they hadn’t thought they’d be able to do. Mobile devices bring many challenges, but the ultimate payoff can be rewarding for both employees and the enterprise.
MARK RASCH is director of cybersecurity and privacy consulting at CSC.