Information Security Today Home

Maintaining Security despite Enterprise Mobility

by Mike Miranda

In today's day and age, there are countless ways your company can do more with less. You can leverage just about any of your business assets, including personnel, to create a better result. This means you may be sitting on the silver bullet you need to bring in greater revenues, increase innovation, or otherwise edge out the competition. One example of this is enterprise mobility. The catch is that, if not handled properly, this option could also become a huge problem your business never recovers from.

What Is Enterprise Mobility?

Let's start there, because enterprise mobility is a fairly basic concept, but it's important that you don't misunderstand it before we proceed.

To put it simply, enterprise mobility refers to the trend of having employees work from home or otherwise operate outside of the traditional office. Thanks to the rise of cloud technology and mobile devices, this has become easier than ever, which means more and more companies are beginning to take advantage of this type of mobility.

In fact, in many cases, employees are being hired without ever entering the office. They get hired from just about anywhere on the planet; their interviews are done through Skype or something similar. Hardware is flown to them and software can simply be downloaded. Presently, you could work for a company for years without ever having seen your boss in person.

The Main Problem with Enterprise Mobility

Many of you may already have noticed the huge problem that this could present. This kind of mobility definitely comes with all kinds of advantages. You'll be able to hire the very best in the business without being limited by geography. Your company can also save tons in overhead at the same time. What could possibly go wrong?

Well, there may be some minor issues you'll have to address, like training or disciplining someone from a distance. The major challenge, though, has to do with cyber security. While enterprise mobility may be plenty attractive to you, if you don't properly see to your security, this advantage will turn right around and bite your business. It could possibly cost your company everything too.

Common Problems

That last part may have sounded like hyperbole. Chances are your company has faced down a couple of issues regarding cyber security already and walked away without a scratch, more or less. Be that as it may, if you haven't adopted enterprise mobility yet, you'll soon be in for a whole new set of challenges.

In the past, for example, you may have dealt with password issues. Just about every company does at some point. Perhaps an employee left hers somewhere that wasn't secure or she just didn't pick a very good one to begin with. It fell into the wrong hands and for a while, it seemed like things were in freefall.

Losing passwords to malicious parties is definitely nothing to roll your eyes at, but having mobile employees will give you much more to worry about.

Consider that your mobile employees will have hardware from your company with them. They might have it in their home, but they may also decide to take it with them to a conference or on a family vacation.

Jack Gold, an enterprise security expert, once estimated that companies will lose three or even four times as many smartphones as they will notebooks. That's a very scary statistic when you think about it. For one thing, it pretty much takes for granted that your employees are going to lose expensive hardware with critical information stored on it. Worse still, that's a lot of hardware to lose.

Now, you want to hear something even scarier? Gold estimated that every data breach costs companies about $250 for each lost record. That's a lot of money down the drain when your employee loses their hardware. Furthermore, many analysts put the total number at $100,000 for small businesses and $400,000 for larger ones. Imagine losing that money unexpectedly.

Data Breaches Do More than Financial Damage

Of course, in most cases, the financial damage is the easiest to address. In fact, you'll be lucky if that's all that happens from a data breach. Most businesses have to try and rebuild their reputation. You have to convince customers that you're a safe company to keep doing business with. If you have stiff competition, that's going to be a tough argument to make. If the data breach includes customer data, you could be facing lawsuits from them because of one little mistake.

Keep in mind that the capabilities of your company's mobile devices are only increasing. In the past, they could access email and little more (even that was a huge help). Now they can get into your organization's internal system, access a whole host of applications and even get to client records. Someone who knew what they were doing would have the equivalent of a detonator in their hands if they ever got a smartphone or tablet from your organization.

The Importance of Monitoring Hardware

The fact that enterprise mobility continues to be a growing trend despite all these risks proves that it has plenty to offer the companies that adopt it. However, hopefully the above has helped you appreciate that you need to take these threats seriously.

Doing so begins with mobile devices. It has no doubt become clear that this hardware, though helpful for a number of reasons, could also be your organization's demise.

While it will definitely cost your business to do this, you need to monitor the devices that are being used. If that means paying for your mobile employees' tablets and phones then so be it. Remember how much a data breach could easily cost your company and this shouldn't be as big of a deal.

What many companies have had to learn the hard way is that allowing employees to simply use their own personal devices to access the network is like leaving the back door open to anyone who wants to stroll in. Unless this hardware is being closely monitored (and it almost never is when it comes to personal devices), the users most likely aren't following the security protocols you'd expect from someone on-site.

Let's next look at individual threats that are introduced to your company through a combination of employee mobility and staff using their own devices. Doing so should help to drive the point home further, but also help you deal with these risks if your business can't afford to buy everyone their own hardware.

Everyone Has a Mobile Device and Lots of Apps

First, mobile devices are more popular than ever and not going anywhere. If anything, with the introduction of the Apple Watch, Google Glass, and other devices, their popularity is only growing. Many people already have at least two devices on them at all times.

As a result, most of your staff won't need your hardware if they want to access your company's internal system. They may find it inconvenient to walk around with two phones or tablets too. Without proper training, it will be pretty easy to lapse into bad habits and begin accessing the system through their personal devices.

Even if they do use, say, the iPhone you gave them, without oversight, they could still make mistakes. Think about the popularity of apps. Most iOS users have roughly 60 apps on their devices. From games to organizational tools to music programs, apps are easy to download without thinking about it.

Unfortunately, this could be the window of opportunity an outside party has been waiting for. The wrong app on your company's hardware opens up the door to hackers. Again, it's important to reiterate that most iOS users are going to have somewhere around 60 apps on their devices. Those aren't going to be the same 60 every time. Even if that number was half as big, an organization with 100 employees would potentially be exposed to 3,000 different apps.

Of course, this may sound a bit paranoid. You may think it highly unlikely that an employee would download a malicious app when you consider that they're far more likely to pick something popular like the Wall Street Journal app or Netflix (ones you know can be trusted) than some shady creation thought up by some criminal half a world away.

Back in 2010, the Wall Street Journal actually tackled a very important issue regarding apps, one that hasn't gone anywhere. In an article titled, "Your Apps Are Watching You," the paper found that of the 101 apps they looked at, 56 of them communicated the device ID to a third-party server, 47 sent location data to a third-party server, and five sent personal info to a third-party server.

This may not be considered "malicious" behavior, especially when compared to what many hackers do, but think about what could happen if that information was intercepted. First of all, would you feel comfortable knowing your employees are downloading apps that carry out those kinds of procedures? That alone should be enough to have you worried. Then consider that hackers could be intercepting the data or sitting on the third-party server and extracting what they like.

The Increase of Mobile Access

To be fair, organizations need to take some responsibility for this first problem. There's no arguing that enterprise mobility has become as popular as it has for some very good reasons. However, in an effort to keep up with this red-hot trend, many companies aren't being smart or taking the proper precautions.

In fact, many are mobilizing across their lines of business in an effort to get mobile devices to as many staff members as possible. A large number also have their own apps, with the majority of them being mission critical in scope. We've seen this type of thing in everything from restaurants to insurance companies to airlines and more. The world of mobile business apps has absolutely exploded in the last handful of years.

Obviously, there are all kinds of benefits to be gained from this kind of aggressive expansion. Unfortunately, a number of those benefits are for hackers who can't wait for an app to end up in the hands of an unprepared user.

It goes without saying, but the more employees who have access, the greater the risk of human error betraying your business.

Data Sharing

Traditionally, the way to deal with lost or stolen hardware was fairly simple: remotely wipe it as soon as possible. Obviously, you'd keep it under lock and key, literally and digitally, but in the worst-case scenario, you could take steps to ensure that the entire system would be wiped clean before an outsider had a chance at your critical info.

This is still a threat you need to consider and those responses make as much sense as they ever did.

That being said, it's far from the greatest threat anymore. Rather, it's far more likely that information will get taken from a device because the owner is using some kind of consumer data sharing tool. This type of uncontrolled sharing should have any business owner worried.

Using these platforms (and there are too many to list) means that critical information is going through an endless system of endpoints connected by the cloud. There's no telling how many endpoints your info will go through, but rest assured that every time it passes through one, the risk of data leakage is there.

When you think about that vast tapestry of endpoints that exists out there, it probably becomes clear that data sharing is more likely how you'll lose control of it, not some criminal stealing a laptop out of your employee's car.

It gets worse though. This type of sharing inevitably leads to saving information outside of your protected network. Those in the security industry refer to this type of thing as the multiplier effect. Data is saved outside your network, which means it most likely won't just be shared with one single device. Instead, it can be shared with every single device connected through a viral method.

This is why so many companies prohibit their employees from using Dropbox and Evernote for corporate purposes. For the typical consumer, these apps are absolutely incredible. They couldn't be any more popular. However, for business purposes, they leave a lot to be desired in the opinion of many. It's not that they're not secure; it's that they make it too easy to share critical info with outsiders.

Rogue Employees

Here's something no one wants to think about. Rogue employees, those who have become disgruntled and decide to take aim at the hand that feeds them, can do virtually unlimited amounts of damage to your company.

A good example of this occurred just this past year. While many blamed the Sony hack on North Korea, most industry experts have long concluded that this was probably not the case. Instead, the nature of the attack seems to point to a leak, which would suggest that perhaps one of the many employees Sony recently laid off had the means to get back inside the system and dump their emails out into the public sphere.

This type of situation isn't as rare as we'd all like to think. It's just that usually it doesn't entail a major studio during a controversial movie premiere (the reason North Korea was blamed is that Sony had produced a film that poked fun at the regime).

However, in most surveys, IT security professionals overwhelmingly list rogue employees as the number one risk to their system, even more so than targeted cyber attacks and various forms of malware.

Keep in mind that this doesn't just refer to the staff under your corporate roof. Do you hire subcontractors or freelancers? Do you allow access to third parties? If they ever have a disgruntled employee, said individual might get back at their employer by ruining you.

Addressing the Main Problems with Enterprise Mobility

With the above in mind, let's now work toward some solutions your company can incorporate so that it doesn't have to forgo the positive effects of enterprise mobility. Keep in mind that, to some degree, there's only so much you can do. Hackers are more sophisticated than ever before and that trend isn't going to reverse any time soon. Still, while there's no way to guarantee you won't ever be a target, many hackers just want easy ones; it's nothing personal. If you make your business tougher to break into, they'll go elsewhere. With tracking protocols, you'll also know if a disgruntled employee is responsible for any damage.

Managing Your Devices
The main thing you want to do is get control of the devices your employees use. Like we mentioned above, this may not be realistic right now given your budget. If that's the case, then it's time to review that budget and find some extra funds. Any company that wants to leverage enterprise mobility has to ensure that only enterprise hardware is used. This hardware should go through your IT department first to configure passcodes, encryption and other security elements that will keep it safe. That also means designating which apps can be downloaded and which can't.

Provide Alternatives Where Necessary
For some companies, alternatives will have to be found for certain apps. Dropbox may not be an acceptable option for your company, but there's no debating that it's incredibly useful. This would be why you'd want to find a worthy alternative or otherwise get cloud access to shared folders on your network.

You don't want to tempt your staff into finding workarounds that eventually end with them accessing apps you don't trust on your network. You don't want them suffering from poor productivity either. Fortunately, your company is far from the only one in this boat, meaning options are out there. Smart enterprise mobility practices involve your IT team running constant audits to check for these types of problems. Ideally, you'll want to handle this remotely; otherwise this type of auditing will be too inconvenient to be considered realistic.

Along the same lines, your IT team should be constantly looking for ways to beef up security. Auditing is all well and good, but if there are new apps or forms of technology that could be protecting your interests, you want to know about them right away and begin benefiting from them as soon as possible.

Run Constant Audits
Even though you oversee the devices your mobile staff uses, things can still go wrong. Hackers can still strike; mistakes can still happen.
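
As an added example (not code from this article or from any vendor it mentions), the following Python script audits a device inventory export against the controls named above: enterprise ownership, passcode, encryption, remote wipe and the list of permitted apps. The CSV column names, the approved-app list and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Hypothetical policy values (assumptions, not taken from any real MDM product).
APPROVED_APPS = {"Mail", "Calendar", "CorpFiles", "VPN"}
CONSUMER_SHARING_APPS = {"Dropbox", "Evernote"}  # the two apps the article names
REQUIRED_CONTROLS = {
    "enterprise_owned": "personal device on the network",
    "passcode": "no passcode configured",
    "encrypted": "storage not encrypted",
    "remote_wipe": "not enrolled for remote wipe",
}

# Constructed sample inventory export; the column names are assumptions.
SAMPLE_INVENTORY = """\
device_id,owner,enterprise_owned,passcode,encrypted,remote_wipe,apps
D-001,alice,yes,yes,yes,yes,Mail;Calendar;VPN
D-002,bob,yes,yes,no,yes,Mail;Dropbox
D-003,carol,no,no,yes,no,Mail;Evernote;PuzzleGame
D-004,dave,yes,yes,yes,yes,
"""

def audit_device(row):
    """Return the list of policy findings for one inventory row."""
    # Fail closed: a missing or unexpected value counts as "control not in place".
    findings = [msg for col, msg in REQUIRED_CONTROLS.items()
                if (row.get(col) or "").strip().lower() != "yes"]
    apps = {a.strip() for a in (row.get("apps") or "").split(";") if a.strip()}
    findings += [f"consumer data-sharing app: {a}"
                 for a in sorted(apps & CONSUMER_SHARING_APPS)]
    findings += [f"unapproved app: {a}"
                 for a in sorted(apps - APPROVED_APPS - CONSUMER_SHARING_APPS)]
    return findings

def audit_inventory(csv_text):
    """Map device_id -> findings for every device that fails the policy."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row)
        if findings:
            report[row["device_id"]] = findings
    return report

if __name__ == "__main__":
    for device_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(device_id, "->", "; ".join(findings))
```

Run on a schedule against a fresh export, a report like this gives the IT team the remote audit described above without touching each device by hand.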

Consider Compliance
Don't forget, too, that your company may not be the only one that has a say in your organization's security measures. If you're working in an industry that is tightly regulated, then there are probably laws you have to consult first. Those working under clients should check with them to ensure that any steps you take for the sake of security or any apps you use in the line of work don't violate your customers' rules.

Teach Common Sense
Finally, we may be well into the digital age where everyone has a computer and at least one mobile device, but that doesn't mean a lot of us aren't a bit clueless when it comes to subjects concerning them.

Make it a priority to constantly remind your mobile staff of security issues that affect them. Explain why certain apps can't be on their devices and about the need to keep critical information inside the network (and behind a smart password).

A lot of this may be common sense, but you're better safe than sorry. Also, in a pinch, an employee may think it's no big deal to check their email from their personal phone because they don't understand that the apps on that device could betray them.


When you're ready to begin learning more about enterprise mobility and how your security needs can be better handled, contact Rocket Software. With a history that goes back over two decades and hundreds of products to its name, you can trust that Rocket Software understands these important issues and can provide your business with the help it needs. While the above may seem complicated or may even have you thinking that enterprise mobility isn't worth it, Rocket Software promises this isn't true. Their experience will ensure you have nothing to lose when mobilizing staff.


About the Author

Mike Miranda writes about enterprise software and covers products offered by software companies like Rocket Software.

 
© Copyright 2015 Auerbach Publications