Research shows Cyber-attacks are exploiting vulnerabilities in mobile computing to infiltrate networks and many organisations do not have the security controls and policies in place to keep up with the threat..
Too few organisations embracing mobile computing are following up the move with comprehensive controls and policies – especially when it comes to employee owned devices.
Perhaps the biggest reason behind this is that organisations who have implemented BYOD programmes are reluctant to admit corporate systems have been compromised as a result.
Companies are continually bombarded with warnings regarding mobile threats, perhaps in the absence of a serious security incident; the threats are being disregarded as scaremongering?
But attacks are real, and they are increasing in volume as more organisations embrace mobile and BYOD says Charlie McMurdie, Senior Cyber Crime Advisor at PricewaterhouseCoopers (PwC) and former head of the UK police central e-crime unit.
PwC finds many organisations hit with cyber-attacks struggle to identify the exact point of compromise. These are increasingly linked to mobile devices – laptops, tablets and smartphones – but seldom reported in public.
With the significant productivity and customer service gains achieved by allowing employees to access data on the move through personal devices, mobile computing is inevitable and unstoppable.
Most organisations are allowing employees to access corporate data from mobile devices, but with varying levels of security and a varying mix of company and employee-owned devices.
This fluctuates from sector to sector and from country to country. The public sector and heavily regulated industries have far stricter controls in place than others. Mobile security controls are far more common in countries with strict data protection laws too, such as Germany.
However a recent US survey conducted by Webroot, a security firm, found the number of employees using personal devices for work more than double the number of those using company-owned devices. This highlights a potentially huge security gap – especially with 60% of those using a personal mobile device for business saying they have either no security or just the system default from the manufacturer.
Another survey from security firm Eset, found 44% of UK respondents planned to take their work-enabled device on holiday in 2014. Over 20% will be checking work emails on a daily basis. And over 33% said they don’t check if the hotel Wi-Fi is secure and private.
“Mobile computing has an important role to play in supporting the business, but it is also incredibly risky if it is not supported by a properly thought-out security strategy,” says McMurdie.
BYOD Security in the Enterprise
Alarmingly, not all of the larger organisations have the right securities in place.
A recent survey conducted by Ovum and Dimension Data found 70% of the UK organisations polled did not have a formal BYOD strategy and this was forcing employees to adopt a DIY approach to IT.
The survey found while 58% of enterprises surveyed are already re-assessing specific business process and activities, 23% are either adopting a wait-and-see approach, or have no plans.
This is proving increasingly risky as company employees use mobile devices to access sensitive data across a growing number of systems and applications.
While some organisations seek security guidance on how to enable employees to use mobile devices effectively, many others fail to go through the full risk-assessment process.
“Inadequately prepared businesses typically tackle one aspect like encrypting all mobile communications, but they fail to identify and address all the other vulnerabilities that can be exploited.” McMurdie.
Organisations also typically block specific apps on company-owned devices and restrict browsing to whitelisted sites. Only in a handful of cases though are companies restricting mobile functionality to email, phone and limited browsing.
Common Security Concerns
In smaller, less well-resourced organisations, however, McMurdie says the necessary supporting security strategies and policies are almost completely lacking:
“Smaller business generally have weak or non-existent policies and processes to safeguard mobile data communications. We see them struggling to do this on their own.”
Other common problems include failure to:
- Educate staff about the importance of mobile security and their mobile security responsibilities
- Use policies to highlight how secure mobile computing can improve business processes
- Introduce measures to confirm mobile policies are followed
- Limit access to only the networks and systems needed for their roles
- Review permissions regularly to ensure they remain relevant
A good benchmark or guidance for any organisation is either government or industry best practice guidelines.
In August 2014, UK government intelligence agency GCHQ published guidance for private and public sector organisations that want to allow employees to use personal devices at work.
McMurdie also advises small businesses to set up security forums in their business sectors and other communities:
“Security forums for sharing information on security threats within small, trusted communities can be invaluable in helping small business to understand the threats and how best to deal with them.”
Dealing with the threats by taking pre-emptive and preventative measures to secure mobile environments is a far better approach than reacting after a breach has occurred, says Min-Pyo Hong, chief executive and founder of South Korean mobile security firm Seworks.
But, Hong – an advisor to various government and corporate organisations in Asia – believes many organisations are overlooking an important approach to mobile security.
While most organisations opt to secure the mobile device, create a safe environment for apps to run in, or screen data communications for malware, few organisations focus on protecting the security and integrity of the mobile application itself.
Hong believes mobile app security is the Achilles heel of many corporations because mobile applications are often the first point of entry into a developer’s server or database, and most malware attacks target the mobile application to gain entry to a mobile device.
“Client-side mobile apps are a vulnerable entry point to access the server. Repackaged apps containing malware or DDoS attack clients can bring down servers, infect devices with malware, and install backdoors into devices,” says Hong.
“Sooner or later there will also be a malicious app disguised as a normal app that can hide a Trojan horse virus and infect the rest of the organisation.”
One of the main reasons mobile application security is largely overlooked is that mobile app developers are usually pressed for time and often fail to take the security measures necessary to ensure safety.
“Developers typically secure the server and back end first before turning their attention to the front-end client and, simply put, the technologies around mobile application security have been woefully sparse until now,” says Hong.
He believes security should be present on all layers of information systems and that, in many cases, mobile apps remain one of the glaring security holes yet to be filled.
Most organisations, once they have decided to embrace mobile computing and BYOD, typically start with securing the device, says Michele Pelino, principal analyst of enterprise mobility at Forrester Research.
“The device becomes the initial pain point, with many organisations turning to mobile device management (MDM) technologies to deal with all the new devices,” she says.
The challenge of shadow IT
And although many MDM suppliers are now expanding into application management, Pelino says not all organisations mature into an understanding of the importance of managing applications, content and services.
A common problem is that IT organisations and security teams fail to understand the broad demand for mobile computing across the different lines of business.
“This typically results in employees going around IT and security by using cloud-based services like Dropbox to ensure they have online access to the data they need,” says Pelino.
To avoid this, she says IT and security teams have to understand the needs of business decision-makers, to ensure these needs are addressed by the organisation’s evolving strategy for managing devices and apps.
“At the same time it is vital to educate business decision makers about how important it is for them to be part of that evolution rather than going around IT and security,” says Pelino.
Security framework for comprehensive policy
Typically, mobility initiatives involve only smaller groups of people, but as organisations roll out these programmes for the whole organisation and across several countries, a single policy becomes critical.
“As organisations move down the policy path, we see that it is crucial to involve the legal team to take care of the legal implications in different countries and the finance to look at things like tax implications, payment plans and employee reimbursements,” says Pelino.
Failure to involve all relevant parts of the business is one of the most common failings, she says. “Policies cannot be created in siloes – as much as IT and security are critical players, this cannot be done without looping in the broader organisation to ensure that the business, legal, regulatory, financial and HR needs are being addressed as well as security and IT.”
An increasingly common approach by multi-national companies is to define a policy vision and then create a checklist framework of things that need to be considered in each country to ensure the BYOD policies are consistent with local laws and regulations. This enables each country to create its own BYOD policy based on what the overall organisation is trying to achieve.
“The frameworks are broader than just security or IT issues,” says Pelino.
Frameworks typically include things like what devices will be supported, which groups of employees will be covered by the BYOD policy, what type of services the company will reimburse employees for, which groups will be supported by a helpdesk, what will be included in a self-service portal, and whether or not the company will provide its own app store for approved applications.
Pelino says a good initial step is to segment the workforce based on the roles of individuals and then decide what devices, applications, support services, and networks are appropriate for each group.
“Once you have a framework around those key areas, relative to your industry and your organisation, then you can put together a policy, which needs to include legal, finance, and HR as well as IT and IT security,” she says.
Education is another important element, says Pelino. “Once the company has done a cost-benefit analysis and is committed to BYOD, it needs to educate employees about what they will be asked to sign up to and about which devices to choose for use in the work environment, and why it is important to secure mobile devices at home and at work,” she says.
Finally, organisations and employees need to understand that these policies cannot be static, and will have to evolve over time as technology and regulations change.
“For example, some US states are starting to introduce legislation that requires companies to reimburse employees who use personal devices for work purposes,” says Pelino.
Learning from others` costs and benefits
Mobile computing is a priority and strategic initiative for many organisations, because of the perceived and real cost and productivity benefits, even in the private sector and highly-regulated industries.
What this means for individual organisations varies dramatically. Pelino says there are signs that more companies are starting by looking at what other companies have done to learn from their successes and failings to avoid common pitfalls.
“The more mature organisations understand all the issues and are moving into application and content management, but these organisations account for only about 15% to 20% of those moving in this direction,” says Pelino.
“By far the most are in the early stages and are still focusing on devices or are starting to move one step beyond by trying to figure out manage apps and content,” she says.
Building on basics to evolve strategy
But, according to Pelino, even the most mature organisations are still “living the challenge”. While they have moved beyond dealing with the security of devices and applications and may have put together a policy framework, many are still trying to resolve questions around how to provide user support and increasing efficiency around their helpdesk services for mobile and BYOD.
“Nobody has all the answers yet, and the questions and concerns they have change as they evolve their strategy along the maturity curve,” she says.
Clearly we are not out of the woods yet when it comes to security for mobile computing and BYOD programmes, but some organisations are making progress, having navigated the basics successfully.
As these mature organisations continue to push the boundaries in other areas like support, less mature organisations can look to these more mature organisations to fast-track their own progress.
Above all, these less mature organisations have to recognise that the threat of cyber attack through mobile platforms is real, and that failing to act in a comprehensive way is no longer an option.