Comment: Mastering Mobile Security

Lothian says organizations must master mobile device security before they are swept up by the consumer IT wave

Mobile devices are taking the consumer world by storm and the flood is rapidly making its way into the enterprise. Until now, debate has been about whether organizations can feasibly embrace the ‘consumerization of IT’, as employees start to reject company hardware and work from their own – usually better – devices.

So far these devices have evaded the full attention of cybercriminals for various reasons, including their previously limited processing power and capabilities. Today’s devices are true mobile computers, increasing both the benefits and potential risks. If they fall into the wrong hands, are hacked, snooped on or pick up a virus, hackers and cybercriminals can easily access highly valuable corporate data and systems.

As ‘consumerization’ gains momentum, executives need to understand the potential benefits of these technologies and build a clear plan of action. Identifying and focusing on a set of approved devices will help to reduce management difficulties, as will educating users so that they can identify and report suspicious activity on their mobile devices. But this is easier said than done.

Taking Control

Ownership and policy enforcement are often a serious hurdle to adoption, and mobile makes the hurdle higher. The sheer variation between devices is a major difficulty, and IT’s rights over personally owned devices are not clear, which presents a unique challenge.

Unlike laptops, which already sit largely under the corporate security ‘umbrella’, mobile operating system updates and software releases mainly happen outside the business, sidestepping normal development and testing processes. The use of multiple device types and operating systems increases this difficulty even further, making the successful running of a mobile device estate quite complex.

It is unlikely that many of the devices brought into the business will meet security requirements, particularly as they may be pre-owned and could have malware already installed. In order to prevent these problems, many organizations are considering using third-party applications – with enhanced security controls – to protect corporate data on mobile devices.

Organizations should approach the implementation of mobile devices carefully, as high-profile security issues often come when adoption has been rushed and the organization has failed to complete an adequate assessment of security requirements. Creating robust processes and security configurations for the smart mobile device estate will allow a controlled roll-out.

As the number of personal mobile devices being used in the business environment increases, organizations will increasingly need to oversee their use. Continued monitoring of devices, with employee agreement, will help protect against security breaches and smooth integration with existing business practices.

Plugging the Leak

As with laptops, the threat of employees unintentionally ‘leaking’ data is ever present.

With smart mobile devices, this threat is multiplied. Without the user’s knowledge, malware may be installed and determined hackers can also make use of the multitude of communication channels available to access corporate data. Likewise, once in control of communication channels, hackers could instigate ‘spear phishing’ attacks, where individuals are targeted for special knowledge or access.

This could also be the case with devices that are not properly decommissioned or destroyed at the end of their lives (or no longer used for corporate activity). Many will retain access privileges, or contain valuable data, which could be used by an attacker or enter the public domain.

In many cases, organizations are already testing both the security and the value of consumer devices by encouraging employees to use and adapt these technologies to the enterprise: for example, by allowing employees to use their own tablets at the office and client sites, or by using Twitter, Facebook, YouTube, LinkedIn and iPad apps to deliver business insights to the public.

From this experimentation, organizations are not only gaining valuable experience with new technologies, but are also beginning to communicate and understand the change that must happen in infrastructure, corporate culture and strategy to minimize the risk of data loss created by these consumer trends.

They Who Dare Win

For those organizations that can manage these security issues, mobile devices can provide many potential efficiency gains, including improved employee productivity through an increasingly flexible working environment.

As users begin migrating their lives and data to smart mobile devices, threats will no doubt increase, and these issues need to be front of mind. The good news: it is not too late for organizations to take advantage of this trend in a strategic fashion, before they are swept up by the wave of consumer IT.
Paul Lothian, principal adviser at KPMG, leads information risk and IT security change in major organizations, from large programs to C-level advisory. Lothian holds a BSc (St. Andrews) and PhD (London), is a Chartered Fellow of the BCS and the IET, and a member of the BCS Strategic Security Panel.
