Breach Prevention: The Missing Link
Why Gaps in Mobile Policies Threaten Corporate Data Protection
"What's happening most often is that enterprises are discovering that a major portion of their workforce is using mobile devices, applications and cloud services that are outside of sanctioned and approved services," says Tyler Shields, a leading expert on mobile and application security topics at Forrester Research.
"Enterprises are having difficulty in identifying what 'shadow IT' services and BYOD mobile devices are in use ... let alone getting a handle on the security and privacy aspects required to approve specific offerings," he says.
One reason these issues are emerging is that the business units within an organization are ahead of the IT department with regard to mobile use, says Brian Evans, senior managing consultant at IBM Security Services. "In many instances, IT is playing catch-up," he says. "Laptop, smart phone and tablet policies are still incomplete in some companies and contain gaps and other inconsistencies that don't measure up to business obligations."
For example, an enterprise might require laptop users to have user IDs and strong passwords but overlook weak or missing passwords on tablets, Evans notes.
In ramping up breach prevention strategies to account for mobile, organizations need to:
- Recognize the advancing sophistication of malware attacks on mobile applications and work to mitigate those risks;
- Go far beyond implementing a mobile device management system to address application and network layer security;
- Encrypt mobile devices, such as laptops, that store sensitive company information; and
- Consider establishing a mobile center of excellence to educate employees on safe mobile use.
Mobile: The Security Gaps
Many organizations are having trouble identifying what mobile services and devices are in use in their workforces, Shields says.
To address that, organizations should more closely monitor access to company resources to understand the types of mobile devices being used within their environment, he says. "Once you have that, you can begin to roll out a mobile device management solution that will allow for management and basic security controls of the device and operating system."
Enterprises also must sufficiently monitor the rollout of new cloud and mobile offerings to enterprise users. "This is a process; it's not something that you can just flip a switch and achieve," Shields says.
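As an added illustration of the device inventory step Shields describes (example code, not from the article; the access-log lines, device ids and MDM enrollment list are constructed sample data), the script below classifies devices seen in access logs and flags those the MDM does not know about:

```python
"""Added example (not from the article): inventory devices seen in access
logs and flag those absent from the MDM enrollment list. All data below is
constructed sample data."""
import re
from collections import Counter

# Constructed sample: proxy/VPN access log lines "user device_id user_agent"
SAMPLE_LOG = """\
alice d-1001 Mozilla/5.0 (iPhone; CPU iPhone OS 16_4 like Mac OS X) AppleWebKit/605.1.15
bob d-2002 Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/114.0
carol d-3003 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0
dave d-4004 Mozilla/5.0 (iPad; CPU OS 16_4 like Mac OS X) AppleWebKit/605.1.15
bob d-2005 Mozilla/5.0 (Linux; Android 11; SM-G991B) AppleWebKit/537.36 Chrome/110.0
"""

# Constructed sample: device ids the MDM reports as enrolled
MDM_ENROLLED = {"d-1001", "d-2002", "d-3003"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def classify(user_agent: str) -> str:
    """Map a user agent string to a coarse device class."""
    if "iPhone" in user_agent:
        return "ios-phone"
    if "iPad" in user_agent:
        return "ios-tablet"
    if "Android" in user_agent:
        return "android"
    if "Windows NT" in user_agent or "Macintosh" in user_agent:
        return "laptop"
    return "unknown"

def inventory(log_text: str, enrolled: set) -> dict:
    """Return device counts per class and the devices not enrolled in MDM."""
    counts = Counter()
    unmanaged = []
    seen = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        user, dev, ua = m.groups()
        if dev in seen:
            continue  # count each device once
        seen.add(dev)
        cls = classify(ua)
        counts[cls] += 1
        if dev not in enrolled:
            unmanaged.append((user, dev, cls))
    return {"counts": dict(counts), "unmanaged": unmanaged}
```

The unmanaged list is the starting point for the MDM rollout Shields mentions: these are the devices that reach company resources without any management or baseline controls in place.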
Two areas of concern are the lack of anti-malware software on smart phones - especially on Android devices - and how smart phones, tablets and other devices are linked to the cloud with automated synchronization for data backup, says Alan Brill, senior managing director at Kroll Advisory Solutions.
"There seems to be a disconnect between the knowledge that malware writers are developing new and nastier attack software aimed at the Android platform, and the wisdom of installing and running anti-malware software on the phone," Brill says.
And many mobile devices have features where data stored on the devices is backed up on the cloud automatically, sometimes without the organization's knowledge or control, Brill notes. "The potential for issues arising, such as when an employee leaves a company to join a competitor, is potentially significant," he says. That's because sensitive corporate data could be stored on the cloud and potentially obtained by the former employee after leaving the company.
Brill says organizations need to spell out clear policies on the automated synchronization issue. For example, in some cases, they could consider requiring that business-related information be segregated into controlled containers on the device that are excluded from cloud synchronization, he says.
Ramping Up Mobile Protections
Securing mobile devices as part of an organization's breach prevention strategy requires having layers of protection, Brill says.
"Companies should require BYOD devices that connect to their network to run one of the anti-malware apps and should recommend it for all employee smart phones," Brill says. "It's just another layer of protection which, when combined with mobile device management and other security controls, provides the kind of layered security that makes sense when facing today's threat environments."
Malware attacks against mobile devices are succeeding because of insufficient vetting of the security of mobile applications by organizations, Evans says. "[Organizations] must take into account the increased capabilities for all devices," he says. "[They] need to better understand the threat they are trying to protect against."
The security of mobile devices is especially important given the possibility for devices to get lost or stolen, says Kroll's Brill. To give some perspective, the loss or theft of unencrypted devices, especially laptops, is the most common cause of breaches on the Department of Health and Human Services' Office for Civil Rights' "wall of shame" website, which lists healthcare breaches affecting 500 or more individuals.
"Unencrypted laptops pose the biggest threat [to organizations], and therefore deserve highest priority attention," says Dan Berger, CEO of Redspin, a data security services firm. Laptops and other mobile devices that store sensitive information should always be encrypted, he says (see: Stopping Laptop Breaches: Key Steps).
Given the risk to sensitive company information accessible via mobile devices, an organization may want to implement an "immediate notification" policy, Brill says, where an employee would alert their security department promptly when a device is lost or stolen. "[That way], the phone could be temporarily locked out of the network until it is returned to the owner," he says.
Organizations also should consider implementing a remote data wiping feature available in many mobile device management systems, he adds.
But Forrester's Shields says businesses need to go far beyond making the most of their mobile device management system. "Enterprises have to look up stack and down stack into the application and network layers to properly secure mobility," he stresses.
For example, enterprises must scrutinize how they are securing all of the cloud services that are in use in their environment, Shields explains.
Mobile Center of Excellence
Organizations also should consider creating a mobile center of excellence, Evans suggests. This involves bringing senior management and business units together to address mobile concerns, and then educating employees on mitigating the risks posed by mobile use.
"Part of this education must include an understanding that IT cannot enforce everything and that some of the onus falls on each employee," Evans says. "This center of excellence must also set the proper expectations for the organization while creating an organizational culture which will play a significant role in the acceptance of mobility."