Cyber attackers are increasingly exploiting vulnerabilities in mobile computing to infiltrate corporate networks, and many organisations' security controls and policies are either lacking or failing to keep up with the threat.
Too few organisations that have embraced mobile computing are backing up the move with appropriate controls and policies, particularly for employee-owned devices.
Perhaps the biggest reason is that organisations that have pursued mobility and bring your own device (BYOD) programmes are reluctant to admit their corporate systems have been compromised as a result.
Although companies are continually bombarded with warnings about mobile security threats, in the absence of any mobile security incident reports, these are all too easily dismissed as scare tactics used by security suppliers to sell products and services.
But these attacks are real, and they are increasing in volume as more organisations embrace mobile computing, says Charlie McMurdie, senior cyber crime advisor at PricewaterhouseCoopers (PwC) and former head of the UK police central e-crime unit.
PwC finds that many organisations hit with cyber attacks struggle to identify the point of compromise. Increasingly these are linked to mobile devices, such as laptops, tablets and smartphones – but this is seldom reported in public.
With the significant productivity and customer service gains achieved by allowing employees and partners to access corporate data on the move, mobile computing is inevitable and unstoppable – even in law enforcement.
Most organisations are allowing employees to access corporate data from mobile devices, but with varying levels of security controls and a varying mix of company and employee-owned devices.
This varies from sector to sector and from country to country. The public sector and regulated industries – such as the finance sector – typically have more controls than other sectors. Mobile security controls are more common in countries that have strict data protection laws, such as Germany.
However, a recent US survey, conducted by security firm Webroot, found the number of employees using personal devices for work was more than double the number using company-owned devices. This suggests a likely security gap, especially as 60% of those using a personal mobile device for business said they have either no security or just the default manufacturer's features on the phone.
Another recent survey, conducted by security firm Eset, found 44% of UK respondents planned to take their work-enabled mobile device on holiday in 2014. Over a fifth will be checking their work emails on a daily basis. But over a third also said they do not check if hotel Wi-Fi networks are secure and private.
“Mobile computing has an important role to play in supporting the business, but it is also incredibly risky if it is not supported by a properly thought-out security strategy,” says McMurdie.
Security in larger organisations
And while many large, well-resourced organisations do have the necessary security policies and strategies in place, not all do.
A recent survey conducted by Ovum and Dimension Data found 70% of the UK organisations polled did not have a formal BYOD strategy, leading employees to adopt a do-it-yourself approach to IT.
The survey found that, while 58% of enterprises surveyed are already re-assessing specific business processes and activities – to take advantage of developments in mobile devices – 23% are either adopting a wait-and-see approach, or have no plans in this regard.
But this is proving increasingly risky, as company employees use mobile devices to access sensitive company data across a continually growing spectrum of systems and applications.
“It is a really mixed bag,” says McMurdie. While some organisations are seeking security guidance on how to enable employees to do more with mobile devices, many other organisations are failing to go through the full risk-assessment process.
“Inadequately prepared businesses typically tackle one aspect like encrypting all mobile communications, but they fail to identify and address all the other vulnerabilities that can be exploited.”
Organisations also typically block specific apps on company-owned devices and restrict browsing to whitelisted sites. But only in rare cases are companies restricting mobile functionality to email, phone and limited browsing.
Common security failings
In smaller, less well-resourced organisations, however, McMurdie says the necessary supporting security strategies and policies are almost completely lacking.
“Smaller businesses generally have weak or non-existent policies and processes to safeguard mobile data communications,” she says. “We see them struggling to do this on their own.”
Other common problems across all organisations include failure to:
- Educate staff about the importance of mobile security and their mobile security responsibilities;
- Use policies to highlight how secure mobile computing can improve business processes;
- Introduce measures to confirm that mobile policies are being followed;
- Limit user access to only the networks and systems they need to do their jobs;
- Review access permissions regularly to ensure they remain relevant as users change roles.
McMurdie advises smaller organisations to follow government or industry best practice guidelines wherever possible.
In August 2014, UK government intelligence agency GCHQ published guidance for private and public sector organisations that want to allow employees to use personal devices at work.
McMurdie also advises small businesses to set up security forums in their business sectors and other communities. “Security forums for sharing information on security threats within small, trusted communities can be invaluable in helping small businesses to understand the threats and how best to deal with them,” she says.
And dealing with the threats by taking pre-emptive and preventative measures to secure mobile environments is a far better approach than reacting after a breach has occurred, says Min-Pyo Hong, chief executive and founder of South Korean mobile security firm Seworks.
But Hong – an advisor to various government and corporate organisations in Asia – believes many organisations are overlooking an important approach to mobile security.
While most organisations opt to secure the mobile device, create a safe environment for apps to run in, or screen data communications for malware, few organisations focus on protecting the security and integrity of the mobile application itself.
Hong believes mobile app security is the Achilles' heel of many corporations because mobile applications are often the first point of entry into a developer’s server or database, and most malware attacks target the mobile application to gain entry to a mobile device.
“Client-side mobile apps are a vulnerable entry point to access the server. Repackaged apps containing malware or DDoS attack clients can bring down servers, infect devices with malware, and install backdoors into devices,” says Hong.
“Sooner or later there will also be a malicious app disguised as a normal app that can hide a Trojan horse virus and infect the rest of the organisation.”
One of the main reasons mobile application security is largely overlooked is that mobile app developers are usually pressed for time and often fail to take the security measures necessary to ensure safety.
“Developers typically secure the server and back end first before turning their attention to the front-end client and, simply put, the technologies around mobile application security have been woefully sparse until now,” says Hong.
He believes security should be present on all layers of information systems and that, in many cases, mobile apps remain one of the glaring security holes yet to be filled.
Most organisations, once they have decided to embrace mobile computing and BYOD, typically start with securing the device, says Michele Pelino, principal analyst of enterprise mobility at Forrester Research.
“The device becomes the initial pain point, with many organisations turning to mobile device management (MDM) technologies to deal with all the new devices,” she says.
The challenge of shadow IT
And although many MDM suppliers are now expanding into application management, Pelino says not all organisations mature into an understanding of the importance of managing applications, content and services.
A common problem is that IT organisations and security teams fail to understand the broad demand for mobile computing across the different lines of business.
“This typically results in employees going around IT and security by using cloud-based services like Dropbox to ensure they have online access to the data they need,” says Pelino.
To avoid this, she says IT and security teams have to understand the needs of business decision-makers, to ensure these needs are addressed by the organisation’s evolving strategy for managing devices and apps.
“At the same time it is vital to educate business decision makers about how important it is for them to be part of that evolution rather than going around IT and security,” says Pelino.
Security framework for comprehensive policy
Typically, mobility initiatives involve only smaller groups of people, but as organisations roll out these programmes for the whole organisation and across several countries, a single policy becomes critical.
“As organisations move down the policy path, we see that it is crucial to involve the legal team to take care of the legal implications in different countries and the finance to look at things like tax implications, payment plans and employee reimbursements,” says Pelino.
Failure to involve all relevant parts of the business is one of the most common failings, she says. “Policies cannot be created in silos – as much as IT and security are critical players, this cannot be done without looping in the broader organisation to ensure that the business, legal, regulatory, financial and HR needs are being addressed as well as security and IT.”
An increasingly common approach by multi-national companies is to define a policy vision and then create a checklist framework of things that need to be considered in each country to ensure the BYOD policies are consistent with local laws and regulations. This enables each country to create its own BYOD policy based on what the overall organisation is trying to achieve.
“The frameworks are broader than just security or IT issues,” says Pelino.
Frameworks typically include things like what devices will be supported, which groups of employees will be covered by the BYOD policy, what type of services the company will reimburse employees for, which groups will be supported by a helpdesk, what will be included in a self-service portal, and whether or not the company will provide its own app store for approved applications.
Pelino says a good initial step is to segment the workforce based on the roles of individuals and then decide what devices, applications, support services, and networks are appropriate for each group.
“Once you have a framework around those key areas, relative to your industry and your organisation, then you can put together a policy, which needs to include legal, finance, and HR as well as IT and IT security,” she says.
Education is another important element, says Pelino. “Once the company has done a cost-benefit analysis and is committed to BYOD, it needs to educate employees about what they will be asked to sign up to and about which devices to choose for use in the work environment, and why it is important to secure mobile devices at home and at work,” she says.
Finally, organisations and employees need to understand that these policies cannot be static, and will have to evolve over time as technology and regulations change.
“For example, some US states are starting to introduce legislation that requires companies to reimburse employees who use personal devices for work purposes,” says Pelino.
Learning from others' costs and benefits
Mobile computing is a priority and strategic initiative for many organisations, because of the perceived and real cost and productivity benefits, even in the private sector and highly regulated industries.
What this means for individual organisations varies dramatically. Pelino says there are signs that more companies are starting by looking at what other companies have done to learn from their successes and failings to avoid common pitfalls.
“The more mature organisations understand all the issues and are moving into application and content management, but these organisations account for only about 15% to 20% of those moving in this direction,” says Pelino.
“By far the most are in the early stages and are still focusing on devices, or are starting to move one step beyond by trying to figure out how to manage apps and content,” she says.
Building on basics to evolve strategy
But, according to Pelino, even the most mature organisations are still “living the challenge”. While they have moved beyond dealing with the security of devices and applications and may have put together a policy framework, many are still trying to resolve questions around how to provide user support and how to increase the efficiency of their helpdesk services for mobile and BYOD.
“Nobody has all the answers yet, and the questions and concerns they have change as they evolve their strategy along the maturity curve,” she says.
Clearly we are not out of the woods yet when it comes to security for mobile computing and BYOD programmes, but some organisations are making progress, having navigated the basics successfully.
As these mature organisations continue to push the boundaries in other areas like support, less mature organisations can look to these more mature organisations to fast-track their own progress.
Above all, these less mature organisations have to recognise that the threat of cyber attack through mobile platforms is real, and that failing to act in a comprehensive way is no longer an option.