Last month, I wrote an article on the Emergence of Smartphones as a Key Platform for Security Industry that discussed the growing ubiquity of smartphones within the workplace and the increasing number of mobile apps that have the ability to collect information from its environment such as video streams, audio streams, indoor location and information from other sensors.
In stark contrast to the focus on the information that mobile devices may capture, store and provide intelligence back to an organization, this article focuses on what intelligence others might be able to capture about your organization by accessing an employee’s mobile device in an unauthorized manner.
Sensitive information may exist on mobile devices in many places including email, SMS and instant messaging archives, contacts and phone records, as well as a growing number of enterprise mobile apps that extend major enterprise CRM, ERP, HR and other systems as well as document repositories and other databases setup for off-network, mobile access.
The cybersecurity threat to unauthorized data access is essentially the same for smartphones as it is for tablets, laptops or any other mobile device operating outside of an organization’s physical offices. However, smartphones are more commonly lost, stolen and vulnerable to attack; they are also (generally) more locked-down – think “Apple” – in terms of what sorts of functions and low-level controls that device manufacturers and operating system providers allow companies and mobile application developers to install and execute on smartphones and tablets versus laptop computers.
The emergence of Mobile Device Management (MDM) providers are helping to address some of these mobile security concerns through the use of secure containers for company information and apps, improved encryption and the ability to remotely wipe sensitive and other information off devices that are lost or stolen, or when an incorrect device password has been entered a certain number of times.
MDM isn’t for everyone, and there is no clear winner yet in the space; MDM vendors are still putting together pieces to the puzzle in their unique ways. Similarly, each organization will ultimately set up their own IT policies and procedures, and aim to manage risk in accordance within their own unique risk exposure limits.
For organizations not yet sold on MDM, there are several proactive measures that can still be undertaken to better understand your risk and batten down the hatches.
If you choose to get a vulnerability assessment, ensure that the firm reviews your organization’s policies surrounding mobile device access and the use of passwords, accessing corporate information using VPNs, email access and email archive history available to users on mobile devices. The assessment should also cover third-party enterprise mobile apps that connect to major enterprise systems and additional security layers required to login, access and alter information within those systems. Third-party mobile apps serve a variety of function within large organizations, from sales to business intelligence to security, and not every mobile application may require a full audit or assessment. Assessment priority should be dictated and aligned with the level and depth of sensitive information that may be accessed, abused or misused by cybercriminal or cyberterrorist activities.
Though it seems simple, the vast majority of attacks still stem from weak passwords, and a set of passwords that are all identical. By employing a simple mandate to use strong passwords on mobile devices for access, and a different set of strong passwords for email access, network login and for access to other enterprise systems, you can drastically reduce overall organizational risk to intellectual property and other information breaches. By having a unique password for each system, a criminal's ability to breach each successive system will be thwarted – or at a minimum delayed further – providing IT groups with greater amounts of time to deny system access or remotely wipe device data.
Device Tracking and Cyberthreat Prevention
Third party mobile apps may be installed to track the location of employee’s mobile devices – both outdoors (using GPS) and indoors within corporate offices. By developing policies that limit data access (i.e. specific data and documents) to mobile devices in certain locations, an organization may prevent access to sensitive information outside the US, for example if a traveler’s phone is stolen overseas. These location-based policies may be as broad as “country-level”, more moderate such as “within 1 mile of a particular office”, or as granular as “only on floor 7” of a particular building.