As employees move from on-premises offices to their homes, businesses will be faced with the challenge of managing and securing both company-owned and employee-owned devices as they access company resources from outside the network perimeter.
These unvetted locations and devices open organizations up to vulnerabilities such as malware, data breaches and threat actors waiting to exploit human fallibility.
1. Conduct a mobile security risk assessment
Mobile security threats are growing at record speed. According to the McAfee Mobile Threat Report released earlier this year, over 35 million types of mobile malware were detected in the final quarter of 2019 – an increase of 5 million since the first quarter and 10 million since the beginning of the previous year.
Other threats include:
- Data & Device Theft
- Poor Cyber Hygiene
- BYOD & IoT Intrusion
- Lost Devices
- Out-of-Date Software
- Unsafe Wi-Fi
- Hidden Apps
- Phishing Attacks
- Social Engineering
- Broken Cryptography
- Improper Session Handling
- Ad Fraud & Fake Reviews
If you and your stakeholders are aware of the risks above, then you’ve already begun your mobile security risk assessment.
Awareness is both the first and last step of evaluating and managing the risks that may affect your mobile workforce. We also recommend identifying company assets and planning for exits and crises.
Improve mobile security awareness. Security Awareness Training (SAT) starts with you. If you’re reading this, you’re probably responsible for the information security at your company. Don’t keep that responsibility to yourself; share.
- Share research on the latest threats.
- Share tips on reducing risk.
- Share your organization’s security policies – regularly.
If you don’t have the time or resources for in-house training, many online cybersecurity awareness training courses cover mobile security – and offer a certificate to show completion (so you know your staff is taking this seriously).
Mobile security awareness training, coupled with MDM technology, is your greatest defense against risk. We’ll cover MDM later.
Identify company assets. A data breach could cost your company $3.86 million on average, according to the Ponemon Institute’s 2018 study – and much much more if it’s a mega breach involving 50 million records which might cost $350 million (or billions if you’re Equifax).
The threat is real and stakes are high.
Interestingly enough, Ponemon notes you’re more likely to experience a data breach of at least 10,000 records than you are to catch the winter flu (which is good news in the days of Corona).
Securing your digital assets from mobile data leaks and other mobile security threats involves a little stock taking.
- What is considered sensitive data?
- How do you collect, store and transfer data?
- Who has access to your data?
- Do mobile devices have access to your data?
- Where does sensitive data change hands?
- Can a lost or stolen device compromise your data?
- What are the consequences of a data breach?
But an assessment may indicate the risk is lower or different than you might expect, as in Davis’ case when he realized mobile phones couldn’t reach his company’s accounting software, but employees could share financial data via email.
What happens when you fire a disgruntled employee who has access to your entire database? What happens when your developer leaves? HR? Sales?
- How long do you wait to wipe devices and change passwords?
- Do you know what devices were being used?
- Were they approved devices?
- Were they BYOD or company-issued?
- What applications were they using?
- What level of access did they have?
- Where did they store data?
- Who owns the data on their phones?
- Can you legally wipe their phones?
You need a plan, not only for fires, but also for your run-of-the-mill “I found the job of my dreams” exits. Because you never know. Though this article is about threats to mobile devices, people are your greatest security threats – often unwittingly.
What if they use that data maliciously or they are hit by a phishing scam such as the Coronavirus fake-map scam that infects devices with information-stealing malware?
You need to prepare – for anything.
- Ensure HR and IT are on the same page.
- Review non-disclosure agreements and security policies.
- Retrieve company-issued devices.
- Wipe corporate apps and data.
- Disable company email.
- Revoke access to systems and applications.
- Change passwords to company accounts.
- Monitor suspicious activity.
- Document your risks and assets.
- Build and train an incident response team.
- Create an incident report system.
- Prepare an incident notification list.
- Backup critical data.
- Ensure incidents can be handled remotely.
- Practice incident response.
It’s getting tougher and tougher to stay ahead of threats, but a little planning will help you offboard employees with minimal risk and shorten the duration of any crisis.
The rise in mobility and cloud computing creates favorable conditions for cyber attacks just as dynamic as the devices they attack. Your initial assessment is just the beginning. It’s part of an on-going strategy to understand your risks, educate your staff and plan your defense.
2. Implement a BYOD & remote access policy
In a short time, working from home (WFH) has grown from 5.2% of workers (in the U.S.) to most people working from home. This is meant to keep them safe from the Coronavirus outbreak. They know what to do. The internet is flooded with tips on personal hygiene.
- Stay inside.
- Wash your hands.
- Don’t touch your face.
- Sneeze into your elbow.
- Wear a mask.
- Keep your distance.
But what about cyber hygiene?
Most people are willing to change their habits and routines during this challenging time, but they aren’t willing to give up their personal devices. 61% of Gen Y and 50% of 30+ workers believe BYOD tools make them more productive.
This opens up a can of worms for employers and employees alike, warns QUT researcher, Dr. Kenan Degirmenci. BYOD and, more broadly speaking, mobile access to enterprise systems, presents unique security challenges that cannot be ignored.
The time to act is now.
While the world is suffering from a public health crisis, you can prevent an organizational cyber crisis by laying out some ground rules. You don’t want to assume your employees are obtuse, but you also didn’t want to tell them to wash their hands.
A BYOD and remote access policy can safeguard your company – and your employees – against mobile security threats.
We suggest covering the following:
- Allowable Devices & Applications
- Mobile App Vetting & App Stores
- Secure Configuration
- Acceptable Use & Misuse
- Authentication & Password Management
- Access Privileges & Permissions
- Social Media & Email Safety
- Browser & Web Application Security
- Encryption & Secure Connection Methods
- Privacy, Compliance & Confidentiality
- Separation of Personal & Corporate Data
- Data Loss Prevention (DLP) Strategies
- Security Patches & Software Updates
Your BYOD and remote access policy should cover a range of endpoint, network and cloud security guidelines – ranging from what might seem like common sense tips to technical configurations meant to reduce exposure to hackers.
If you want to ensure your employees’ devices are compliant with your policies, a Mobile Device Management solution is worth trying. You might also benefit from a network visibility and control solution that quarantines devices that do not meet your mobile security requirements. No pun intended.
The sudden exodus of workers from offices to their homes – and in many cases from company-owned devices to BYOD – is a great time to create a mobile device policy and exercise a little control. That said: you should be realistic about what your IT department can realistically handle, where you must turn over control to your employees and how you can all work together to mitigate your risk.
Video: BYOD - bring your own device policy
This was before the Covid-19 pandemic isolated workers in their homes. In this unprecedented situation, WFH employees present security challenges that, according to a poll of Threatpost readers, most organizations are unprepared for.
Your company can tamp down on the risks with Mobile Device Management (MDM) – which brings a range of mobile devices under organizational control – including laptops, tablets, smartphones – and even home IoT devices.
Often part of a broader enterprise mobility suite (EMS), there are many MDM vendors to choose from such as:
All solutions have slightly different features, but most platforms allow you to:
- Control Access
- Manage Apps
- Enforce Policy
- Update Over-the-Air (OTA)
- Troubleshoot Devices
- Track Devices
- Remote Wipe
MDM is essentially about control and insight – getting a grip on what a user can do with a device and what happens to corporate data on a device – while also understanding how devices are used to access corporate networks.
The best results are obtained with a thoughtfully considered MDM implementation – rather than simply putting in place an off the shelf MDM solution.
Your MDM solution will be most successful if you:
Maximize self-service and autonomy. Employees enjoy the flexibility of BYOD. Reducing these flexibilities too much should be avoided; it can backfire. Moreover, MDM that delivers user autonomy can reduce the strain on IT support staff – giving the ability to reset passwords, tracking lost devices, etc, to the end user.
Keep end-user privacy. Your employees may be using their devices for a mix of personal and business use. While MDM can gain control over these devices, it should not be at the expense of user privacy – and you don’t want to find yourself in a legal battle over lost personal data.
Consider your policies. The out-of-the-box policies of most MDM platforms can provide a solid start, but don’t skimp on refining these policies for the purposes of your organization. MDM policies can be incredibly granular – twisting and shaping to match your organizational requirements.
Require updates. Across the board, your MDM strategy should involve frequent updating – refreshing the MDM software in use, ensuring that devices are running the latest OS – and also running the latest versions of apps. Doing so will minimize the security holes that are common with unpatched software.
MDM is essential to mitigating the risks posed by BYOD and mobile devices, but a watertight security approach involves a broad approach. Yes, MDM will give you the initial insight and control, but you must also practice mobile-first security thinking – considering how mobile and remote use benefits your employees as well as affects security parameters.
The way people work is changing and remote and mobile work is not going away. The challenges associated with mobile working and personal devices are unique and, in some ways, still being assessed.
But your security partner can help you understand your risks and choose the best mobile device security solutions for your needs. Assessing your risks, implementing a BYOD and remote access policy and choosing an MDM solution is an excellent starting point.