Mark Hughes, Senior Vice President and General Manager, Security at DXC Technology, looks at the issue of securing mobile devices from an enterprise perspective.
Traditionally, the office was the core location from which business was conducted. As a result, most organisations keep core systems located in office buildings, and over the years elaborate defences have been put in place to ensure all this digital information is kept safe.
Cybersecurity is a concern that affects everyone, but for many organisations a significant hack can leave them unable to run their business. The way people work is also changing: employees aren’t tied to their desktops (many don’t even have one) and the age of mobility has led to an evolution in how business is conducted – whether from a café, a co-working space, airport, hotel or home. The issue is that employees in these locations are the ‘weak link’ in a business’s cybersecurity strategy.
Unfortunately, many organisations have neglected the security of mobile devices and it is expected that by next year mobile malware will amount to one-third of total malware, a huge increase from the 7.5% it accounts for today, according to Gartner.
Thankfully, businesses are not going to be left to fend for themselves when it comes to safeguarding mobile workers. For instance, there are enterprise mobility management (EMM) tools that have extended their capabilities to address security-specific threats aimed at mobile devices. There is also a new category of products called mobile threat defence (MTD), which integrate with a company’s EMM platform and are designed to prevent attacks against mobile devices. Gartner has predicted that by 2020, 30% of organisations will have an MTD solution in place, up from less than 10% now.
Businesses must, however, ensure that they are thinking about every potential risk that mobile security needs to cover. These include, but are not limited to, network threats, device risks, application risks and risks occurring when users access the web and its content (including e-mail and malicious applications).
Defending against network level risk
Starting at the network level, office networks maintain the highest level of security, and home broadband connections that require a user name and password and are maintained are relatively safe. The real risks occur when mobile users try to connect to the enterprise from remote sites through public Wi-Fi networks, which are usually totally unsecured. This allows hackers to easily deploy man-in-the-middle attacks where they create fake web sites that intercept and hijack the connection – giving them access to potentially sensitive information or even the device itself. The new mobile threat detection tools can detect rogue Wi-Fi services and block users from connecting to fake sites.
To counteract this, companies need to build layers of security defences to protect corporate data. For example, policies can be set in EMM tools that require software patches to be up to date, that limit remote access to certain data stores, and that tie into identity and access management (IAM) systems. Enterprise mobility solutions also need to be able to recognise if a user is at an unknown location and respond appropriately, such as requiring use of the corporate VPN in order to access certain applications or triggering the need for multi-factor authentication.
When we view the application layer, we must keep in mind the kind of information that many applications can access. EMM solutions can help to mitigate risk by allowing organisations to create policies and access rules on an application-by-application basis. Within an EMM tool like Intune, for example, companies can create an app store for mobile workers that can include in-house apps as well as approved apps from the common application stores.
This way they can prevent users downloading apps from unknown sources – which could potentially be infected with malware or be designed to harvest data. MTD solutions can also detect apps with malware and create an alert for ‘leaky’ apps, that is, apps that send sensitive data — like your contacts — to an external server. At a device level, companies need to deploy encryption and make sure that patches and OS updates are in place, that the OS is not compromised (jailbroken or rooted), that minimum rules are set for passwords and that the device is configured properly.
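The device-level checks listed above and the location-based responses described earlier (corporate VPN for certain applications, multi-factor authentication at an unknown location) can be combined into a single access decision. The following Python is an added example, not code from this article or from any EMM or IAM product; the thresholds, field names and app names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed policy values for illustration; real EMM/IAM products define their own.
MIN_PATCH = (2024, 1)               # oldest acceptable security patch (year, month)
MIN_PASSCODE_LEN = 6
VPN_ONLY_APPS = {"finance", "hr"}   # apps that need the corporate VPN off-site

@dataclass
class Device:
    encrypted: bool
    patch: tuple                    # (year, month) of installed security patch
    rooted: bool                    # jailbroken or rooted
    passcode_len: int

@dataclass
class Request:
    device: Device
    app: str
    known_location: bool
    on_vpn: bool
    mfa_done: bool

def device_findings(d):
    """Device-level checks: encryption, patch level, OS integrity, passcode."""
    checks = [
        (d.encrypted, "storage not encrypted"),
        (d.patch >= MIN_PATCH, "patch level out of date"),
        (not d.rooted, "OS compromised (jailbroken or rooted)"),
        (d.passcode_len >= MIN_PASSCODE_LEN, "passcode below minimum"),
    ]
    return [msg for ok, msg in checks if not ok]

def decide(req):
    """Return (decision, reasons). Device posture is evaluated before location."""
    findings = device_findings(req.device)
    if findings:
        return "deny", findings
    if not req.known_location:
        if req.app in VPN_ONLY_APPS and not req.on_vpn:
            return "require_vpn", ["unknown location, VPN-only app"]
        if not req.mfa_done:
            return "require_mfa", ["unknown location"]
    return "allow", []
```

A non-compliant device is denied regardless of location, so a rooted phone on the corporate VPN with MFA completed still fails.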
However, even with all these defences in place, a business cannot guard against an attack if the end user chooses to click on a phishing link, browses risky websites, or picks up a stray USB stick in a public place that could be infected with malware and plugs it into their laptop. As such, the final – and in some ways most important – piece of the puzzle is to ensure users are educated about the dangers of phishing and are even more vigilant and suspicious of phishing attempts when they are on the road. By undertaking all these steps, businesses can at least give themselves the best chance of avoiding a cyberbreach and keeping their business running smoothly.