When it comes to mobile device security, the smartphone chickens have long flown the IT security coop, and companies of all sizes are in the continual process of corralling device usage and reducing risk.
To assist with this effort, CompTIA asked IT security experts—including forensic specialists, enterprise security executives and academics—to list their top enterprise best practices for mobile device security.
Now that business intelligence flows through social networks, web apps and Cloud-based services, relational databases and content marketing strategies, mobile device security has emerged as a key linchpin to protecting enterprise and customer data. No company wants to have sensitive information exposed via the contacts, text messages, call history, email, photos, audio and video recordings, and geolocation data on their employees’ mobile devices.
Increasingly those mobile devices are not company owned or controlled. CompTIA research found that 85% of US small and medium sized businesses (SMBs) know of employees using personal devices for work purposes. Among that population, security is a primary concern, whether it is employees transmitting viruses (cited by 47% of SMBs), a security breach involving customer information (41%), or the employee taking data with them when they leave the company (41%).
In addition, a serious disconnect has to be eliminated between organizations’ mobile device security policies and reality: A 2011 study by McAfee and Carnegie Mellon University found that 95 percent of the organizations have policies in place for mobile devices. However, less than one in three employees are aware of their company’s mobile security policy, and fewer than half of companies report that all of their employees understand their mobile device access/permissions, the study found.
In other words, mobile device security policies that organizations create and ask their employees to follow rarely reflect how people really work
The message from the experts’ whom CompTIA contacted: Tighten up enterprise mobile device security now. It’s only going to get worse. Their recommendations include:
1.) Centralize mobile device security, technologically and organizationally
Technologically: RIM/Blackberry solutions offer built-in central control, but companies have to proactively structure their technological control of iPhone and Android devices. Winn Schwartau, chairman of the Atlanta-based smartphone security company Mobile Active Defense, is an advocate of Virtual Private Network (VPN) technology to establish a Blackberry-esque control: a certificate of authority to validate the user, the device and its permitted access to the network, for example. He contends companies secure the mobile enterprise to the same degree they do the fixed enterprise and that mobile devices should be linked into data loss protection mechanisms, content filtering, and anti-virus/malware detection.
Organizationally: Every organization needs a central management point that would determine, promote and support mobile device procedures and policies for the entire company, said Rebecca Lawson, director of Worldwide Enterprise Security Solutions for HP Enterprise Business. “Without policy controls you expose yourself to a tremendous amount of liability,” said Spencer Wilcox, CISSP, CPP, and member of the American Society for Industrial Security’s IT Security Council. Adds Andrew Hoog, chief investigative officer at the Chicago-based IT forensics and security firm viaForenics, “At this point in time, it’s very difficult to address a lot of the risk that you have in mobile because the technology is not mature enough, and device management and security is not baked in enough. The only way you can address those limitations is by policy.”
2.) Lock-down devices.
Require that employees use passcodes, teamed with time out/auto log-out rules, to control access the handsets. Enable the company’s ability to remotely “wipe” the device of data should it get lost or stolen. Passcodes and built-in hardware encryption can be circumvented, noted Hoog. A four-digit PIN on an iPhone can be cracked in 15 minutes, so Hoog recommends a minimum six-digit alphanumeric passcodes for mobile devices.
3.) Make mobile device security easy for employees.
Lawson advocates the use of company intranets to centralize information (about approved devices, apps and uses, for example) and, where possible, automate processes (i.e., reporting lost or stolen phones). Hoog urges companies to encourage employees to quickly report lost or stolen devices, because an enterprise may have only a short window of time to remote wipe the device before data could be extracted.
4.) Secure data traffic into and out of the device.
Schwartau advocates using “at minimum 256-bit AES encryption and a VPN” to thwart eaves dropping and password interception.
5.) Tier access to the enterprise network by user and device.
“Use authentication parameters (for mobile devices) to limit what a person can access,” said Marcus Burton, director of product development at CWNP Inc., the Atlanta-based enterprise Wi-Fi certification and training company. “That limits liability as well.” For internal Wi-Fi networks, he recommends an upgrade to 802.1x to better support device authentication.
6.) Limit the data flow to mobile devices.
“You don’t want employees to be getting all enterprise data on their smartphone,” said Lawson, adding that user identity, device type and application should limit access to the enterprise network. “There are a lot of different cases to consider—a CRM app is handled one way, while a direct marketing app is another way—which does make this hard.”
7.) Separate the business from the personal using technology and/or policy.
Schwartau contends a business device should never see personal use, and personal device should never be used for business. Employers that permit employees to Bring Your Own Device (BYOD) ”places the organization into an untested legal position of liability, “ he said. “If there’s a data leak, or a security incident, what’s the legal liability for the user? What is the legal liability for the organization? We don’t know the answer.” Alternatively, experts like Jonathon Giffin, assistant professor associated with the Georgia Tech Information Security Center, and also Wilcox, accept “sandboxing,” using software technology to partition the device, its apps and its data into business and personal modes, as a possible solution.
8.) Scrutinize app usage and vulnerabilities.
Apps and app marketplaces come with multiple types of risk—for downloading malware, or improperly handling user data. Lawson, Hoog and Schwartau recommend regularly testing apps used by the company for security vulnerabilities—via in-house IT resources or third-party testers. “The level of vulnerabilities for a web app is really high–much higher than it should be,” said Lawson, adding that companies need to “continually look for vulnerabilities, and make a patch, fix or policy to remediate it…..It’s never going to be perfect. Hackers are always two steps ahead, but lots of organizations offer vulnerability testing as a service.” Schwartau contends that, “app stores are the greatest hostile malware distribution systems ever invented by man, and many organizations run their own enterprise app stores for that reason.”
9.) Maintain a “Secure Application Catalog.”
Keep information about the company’s allowed and disallowed apps up-to-date and readily available—ideally via an intranet—to employees. “Make it easy for an employee to follow the rules,” said Lawson.
There are no foolproof solutions, but organizations have no choice but to manage their mobile device security risks amid rapid technological change and increasingly sophisticated threats.
Whereas business intelligence used to be isolated and protected behind physical and technological walls, pieces of that data are now “zooming away from the center” into the business ecosystem via social media, web applications and more, Lawson said. Embrace enterprise mobile device security now, she urged. “It’s going to change fast, with more device types that we haven’t even thought of. So getting in the grove is the smart thing to do.”
