informa
News

Tech Insight: Smartphones The New Lost And Stolen Laptops Of Data Breaches

Mobile device management and a new spin on user awareness training are essential to the enterprise mobile explosion
Enterprises have enacted full-disk encryption to protect themselves from their data being exposed through careless users. And the same trustworthy users who've left laptops in taxis or had them stolen from the local coffee shop are now forcing companies to deal with mobile devices that are smaller, always-on, unmanaged, and need to be plugged into the corporate network.

Management and IT are butting heads on the issue. Why? The trend of allowing users to bring in personal devices might be saving money when a company's bottom line is being considered, but the support headaches and increasing risk to company data are immeasurable. Employee satisfaction and productivity are important, and letting users use their own devices can help with that, but enterprises need to draw a line so that fluffy user experiences are not allowed to trump data security and the brand/reputation impact a data breach would have.

The hard-edged approach would be to simply ban all noncompany-issued phones, but that only leads to unhappy employees who either become spiteful and careless, or find workarounds to do what they wanted to do in the first place. You as a security professional don't want to deal with either situation. The safer choice is to find a compromise that -- backed by appropriate security policies -- will allow users to choose from a set of devices that can be centrally managed using one of the many mobile device management (MDM) solutions currently available (see Gartner's "Critical Capabilities for Mobile Device Management").

An alternative to the full MDM approach is to use a mobile security solution that focuses more on email security and access to email, calendaring, and contacts. Since access to company email is the primary driver for smartphone use in the enterprise, it makes sense, and Good for Enterprise is an example of this approach.

Finding a way to manage mobile devices is just one problem: A larger one is the general lack of awareness of the risks to enterprises as a result of these devices. Security professionals, including the CISOs, need to take the time to learn about the security risks associated with smartphones. While some of the risks are similar to those faced in the past with laptops and mobile storage, there are newer ones associated with their high mobility, constant connection, and lack of cross-platform security controls that require new, creative approaches to solve.

Kevin Johnson, a security consultant with Secure Ideas and SANS Institute senior instructor, told Dark Reading that mobile devices are "one of the most popular attack targets today due to the limited security controls and the large amounts of sensitive data."

Seeing a specific lack in mobile device security awareness and training, Johnson has worked with the SANS Institute to develop the "Security 571 Mobile Device Security" course. "Most organizations are just now starting to realize the risk associated with these mini-computers in their employees' pockets," he says.

Veracode, with the help of the Lookout Mobile Security research team, has put together a Mobile App Top 10 List of risks that provides a good introduction into mobile application risks. Some of the top issues include activity monitoring and data retrieval, unauthorized network connectivity, sensitive data leakage, and hard-coded passwords and/or encryption keys. All of those could directly impact the security of an enterprise network were mobile devices allowed to freely connect, view, and store sensitive data, and access e-mail without any sort of security controls in place.

With technical controls in place and the requisite knowledge in the hands of the company security pros, no mobile security effort would be complete without a user awareness program. User awareness, while a sore spot for many, is an absolute must -- and it needs to be done properly. As experts point out, awareness efforts fail because it' ha been done wrong for so many years. Users need to understand the issues, but not through yearly, half-day events that blast them with so much information that they'll glaze over 15 minutes.

Break the awareness topics down into easy-to-digest chunks like marketing people do; provide monthly reminders on the importance of different aspects of mobile security; and make users aware of consequences if policies aren't adhered to or purposefully circumvented.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: