The Moving Target
By Computer News Middle East
The advent of mobility and its infiltration of the enterprise has given rise to a whole new type of security risk, and as a result has presented businesses with a whole new challenge in protecting themselves. With so many Middle East companies employing BYOD and mobile strategies, mobile security is high on the agenda for the entire industry.
BYOD is currently one of the top IT trends, and employing strategies which incorporate it can leave a business very insecure. IT departments are forced to reconsider the simple security measures previously taken to keep their company’s data and information safe. As technology grows, so too does the sophistication of attacks.
Before, businesses believed that putting up a large wall around their information and data centre would protect it from any outside intrusion. However, with data growth ballooning, sensitive information being stored on multiple platforms, devices spread out across the globe and sensitive data being accessed day and night, the simple firewall has become inadequate.
Now businesses need to account not only for security breaches, but also for new elements of risk which have developed from this trend. Loss or theft of devices, weak or missing passwords, and connections to unsecured networks are just a few of the newer risks which have become an industry priority now that the enterprise has gone mobile.
There is no question that mobile strategies can add to productivity, employee satisfaction, work rate and offsite access. But weighing these advantages against the negatives can be a headache for businesses.
Taking your company’s data away from a secured network or accessing it from the outside is the first major concern for IT departments. This decreases the level of control which a company has, as Ray Wizbowski, VP Strategic Marketing, Online Authentication Division, Gemalto, highlights.
“Mobile presents an interesting challenge for corporations. For years the security industry has worked on tools to identify and mitigate threats, but these technologies were either network or desktop/laptop based. As mobile devices have become more powerful, there is a growing trend of these devices accessing corporate networks to do everyday functions like email and document review. A desktop or laptop computer is typically owned by the company and has a standard set of security protocols in place,” he says.
Malware, data loss, unauthorised access and unencrypted communication are some of the main threats, according to Nirmal Kumar Manoharan, Business Head, Emerging Markets, ManageEngine.
Maher Jadallah, Regional Manager, MEA, Sourcefire, supports this point, and also highlights the issue of mobile connectivity to third-party cloud services.
“Mobile devices introduce security risks when used to access company resources as they easily connect with third-party cloud services and computers whose security posture is potentially unknown and outside of the enterprise’s control,” he says.
“In addition, mobile malware is growing rapidly which can further increase risk. Research indicates malware targeting Android-based devices has increased by nearly 500% since last summer.”
Identify and protect
It might take security breaches, attacks and data theft to make a company realise the importance of mobile protection, but once the realisation has been made, what should the crucial next few steps be?
InfoWatch’s International Business Chief, Alexander Zarovsky, says that the priority is to create strategies and policies which allow personal devices to be used in a professional environment so long as the data usage can be monitored.
“The first logical step is to develop and enforce the policies of mobile devices usage in the corporate environment. After identifying the strategically important devices, the company should start monitoring them in terms of corporate data usage. In addition, companies need corporate mail server control as well as applying limitations on private mail usage in the corporate perimeter.”
Being on top of what devices are accessing corporate networks is vitally important, says Wizbowski.
“There are some options from the network side that can identify the difference between a mobile device and a company laptop. By identifying these resources and being able to segment the network you can ensure these devices only have access to non-sensitive information. There are several companies providing network access control that can perform this function. Another technology that is being developed is providing strong authentication on the mobile handset.”
Jadallah adds that emphasis should be placed on employees acting in accordance with corporate policies.
“With many enterprises adopting a BYOD model, it is important for organisations to put an effective security policy in place that leverages the latest defences to protect against mobile threats. And in addition, end-users can help by adhering to their company’s security policies when using their mobile devices and following the identity and access management procedures set up by the company to ensure the security and integrity of the organisation is not compromised,” he says.
Popular or practical?
The BYOD trend is driven largely by employees as opposed to the IT department. Therefore, this can cause issues which the employee may not consider when choosing their desired device. Nicolai Solling, Director of Technology Service, help AG, says users will typically buy a device which suits their specific needs without much thought for what that would mean to the organisation.
He outlines the issues which can arise: “The device type is one. Typically devices used for BYOD are based on popular operating systems like Android and iOS – both excellent operating systems for personal use, but unfortunately there are inherited risks associated with them, like the ability to jailbreak devices and the weak encryption capabilities. Then there is the usage of the device. When a user brings their own device into work they will not accept companies trying to dictate how the device can be used. Therefore, it is very difficult for an employer to tell a user what they can and can’t do – especially since the user paid for the device.
“Finally, there is the very real possibility of mobile theft or loss of device. In such a scenario, it becomes absolutely essential that the organisation has the ability to remotely wipe all data from the device.”
Manoharan believes there are far simpler things that can put devices at risk.
“Downloading free apps from an untrustworthy source, handing the device to children, taking the device abroad, or simply misplacing it, all add to the risks of personal devices.”
Having a personal mobile device also introduces a human element of risk into the equation which wasn’t there previously. As Manoharan mentioned, the chances of simply misplacing or losing a device which has weak security and full access to sensitive data are very high. Zarovsky proves that human mistakes contribute greatly to the vulnerability of corporate data.
“Credant Technologies conducted research in the airports of seven USA cities – Chicago, San Francisco, Douglas, Miami, Orlando, Minneapolis and Denver. The summarised information was oppressive. Between June 2011 and June 2012, passengers left 8016 mobile devices in city airports, among them were smartphones, tablets, laptops and flash storages. The company also reported that the owners of the vast majority of devices had access to corporate networks, data and email correspondence. At the same time, 62% of devices were not even protected by a password.”
It almost goes without saying what the consequences of mobile attacks are. On a corporate level, documents, files, revenue, identity, and product theft are just some of the areas which can be targeted. On a personal level, credit card numbers, phone numbers and identity issues can all be targeted. The recent Facebook phone number issue provides evidence of that. Massive corporations are targeted by ever more sophisticated groups of cyber criminals.
With the trend effortlessly steamrolling its way through the industry, the only thing organisations can do is attempt to strategise and find ways of benefitting from BYOD and mobility whilst keeping security in deep consideration. Solling points out that the benefits are there, and at the right costs, organisations can enjoy the trend.
“Mobile endpoints are highly convenient and the ease of access means that employees are available for round the clock connectivity. This high availability translates to quicker turn-around times on issues and results in better co-ordination between staff. Also, given that the devices are not subject to slow upgrade cycles and infrastructure upgrade policies, they tend to be more cutting-edge allowing the enterprise to benefit from the latest features and capabilities,” he says.
“Clearly there are plenty of benefits for the organisation that chooses to adopt this trend and it is up to the IT department to define a roadmap that ensures that this is done in the best possible manner,” he adds.
Wizbowski explains: “This is and will be one of the most critical items on IT’s agenda going forward. Mobility is here to stay and there will be increased use of these devices by corporate workers at all levels. The goal will be to balance the convenience and user experience that is present today with the security that is needed to protect the network.”
Whilst the enterprise turns its head towards an ever more mobile and accessible future, IT departments will have to back up the ambition with smart and adequate security services. With mobility, it appears that the moving target is now to the benefit of the criminals.