Shredding iPads Doesn’t Count: How to Start Securing Enterprise Mobile Devices
The recently disclosed Tesco bank hack, last year’s Pegasus spyware targeting iOS, infected apps on the Google Play Store – every day seems to bring more examples of mobile device attacks that could disable or even dismantle a business. Anecdotes further highlight the problem. One organization’s GPS infrastructure had a leak such that a hyper-alert attacker could have stolen a multimillion-dollar Formula One car during shipping. In another example, cyber thieves have gone after meeting room software, finding vulnerabilities that let them remotely reserve a room and then print a visitor’s badge requiring no escort. A third example shows that attackers can track an executive to locate his or her family.
The possibilities and the realities around mobile security are frightening. And the answer is not, as one enterprise did, to shred the company iPads in lieu of a data wipe. Indeed, for too long, firms have reacted, sometimes bizarrely, to intrusions. And many continue to harbor the flawed belief that mobility management software will block all threats. It’s time enterprises set aside their misconceptions and tackle mobile security in a proactive and concerted manner. The urgency to do so grows as smartphones, tablets and even wearables house precious private personal and corporate information, and as end-users govern the devices’ contents. As Marco Nielsen, vice president of managed mobility services at Stratix, put it: “Never in history have endpoints been so important.”
Handling a ‘Traumatic’ New World
It’s an understatement to say mobility plays a critical role in the enterprise. And with this fact comes a perhaps unexpected consequence: IT has lost command over the data that flow through the devices. Unlike laptops and PCs, which IT can lock down, phones and tablets do not grant IT the same authority, and that loss of control has sent these experts into a spiral of reactivity. And reaction tends to translate into the ineffective strategy of restriction, said Santosh Krishnan, chief product officer at cyber security firm Lookout. In other words, limit a user’s mobility choices and shadow IT will emerge, much as the black market comes alive when government bans a substance or item.
“People don’t want to be told what to use and what not to use,” said Krishnan. The more IT tries to quash accesses and permissions, the more prone people are to going rogue. “It’s this new world that IT and security folks need to reconcile,” Krishnan added. “And it is a little bit traumatic for them to reconcile that end users have the control.”
Faced with the challenge of trying to administer end users’ devices, enterprises often turn to prevailing wisdom instead of asking questions. To that point, “there’s a common misconception that the iOS devices are secure,” said Michael Covington, vice president of product for mobility management vendor Wandera. Certainly, the 2016 Pegasus event underscores the danger of assuming iOS to be impervious. Enterprises still tend to think, though, that they should worry only about Android. “That is a starting point for mismanagement,” Covington said.
Other problems crop up when IT departments just enforce a PIN code for device security and let employees use free Wi-Fi to save money on cellular data, he said. Combine those actions with the idea that a mobile device management (MDM) platform will provide complete protection and an enterprise has a real issue on its hands: “A false sense of security,” Nielsen said. That’s because even though most MDM products will blacklist bad apps, the majority don’t monitor network traffic, check for compromised Wi-Fi hotspots, enforce two-factor authentication and so on.
5 Steps to Take Now
It’s obvious that enterprises must protect their mobile devices. Here are some starting points for doing just that:
- Define, in writing, the policy for mobility. Executives must do this part because the rules need to contain vision, which IT departments don’t have, said Covington. Creating a mobility plan with vision addresses the best interest of the company and its users, Krishnan said. “It’s not Big Brother.”
- Understand how the devices are being used. “We always recommend running [a new platform] for 30 to 90 days with no rules, to learn before you start restricting,” Covington said. That way, later on, an enterprise can identify behavior that lies out of policy “and take the necessary action,” Krishnan said. For example, an oil rig operator may be okay with data leaving the country while a bank is not.
- Manage the devices. “There’s a certain assumption that management only matters when you need to scale,” Covington said. “I don’t think that’s the case.” If an employee leaves a phone in a cab, for instance, the IT department needs to be able to wipe it, to prevent unauthorized access to sensitive company data. Some platforms now even allow partitioning of phones into business and personal, so a remote wipe would only take out the corporate side. Also, enterprises must track data usage to prevent overages, and stay abreast of malware and phishing attacks. “Don’t wait until the threat lands on the device – protect the device before it’s impacted,” Covington said.
- Conduct a security assessment. Determine what data are critical to the organization and decide how much to spend protecting that information, Nielsen said. For instance, shoring up the invoicing app may make more sense and generate more revenue than adding extra safeguards to email.
- Keep investigating. Meet with vendors and service organizations to refine best practices approaches. “Just like you would do with any security aspect, talk and figure out the landscape,” Nielsen said.
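The “learn before you restrict” approach in step 2, carried through as an added example that is not code from the article or any vendor it quotes: a learning window records which countries each device sends data to with no enforcement, and only afterwards are events checked against the written policy (the bank, which forbids data leaving the country) or, where no geographic rule exists (the oil rig operator), against each device’s own baseline. The telemetry events, device names and country codes are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (ISO timestamp, device id, destination country
# of outbound data). A real feed would come from the MDM or network monitor.
SAMPLE_EVENTS = [
    ("2017-01-02T09:00:00", "tablet-17", "US"),
    ("2017-01-10T14:30:00", "tablet-17", "GB"),
    ("2017-01-15T08:00:00", "phone-04", "US"),
    ("2017-02-05T10:00:00", "tablet-17", "GB"),
    ("2017-02-06T11:00:00", "phone-04", "RU"),
    ("2017-02-07T12:00:00", "phone-04", "US"),
]


def build_baseline(events, learn_days):
    """Learning phase: record every destination per device, enforce nothing.

    Returns the per-device baseline and the timestamp at which the learning
    window closes (first event + learn_days).
    """
    start = min(datetime.fromisoformat(ts) for ts, _, _ in events)
    learn_end = start + timedelta(days=learn_days)
    baseline = defaultdict(set)
    for ts, device, country in events:
        if datetime.fromisoformat(ts) < learn_end:
            baseline[device].add(country)
    return baseline, learn_end


def evaluate(events, baseline, learn_end, allowed_countries=None):
    """Enforcement phase: flag events after the learning window.

    allowed_countries is the written policy (step 1). When it is None the
    organization has no geographic rule, so only destinations never seen for
    that device during learning are reported.
    """
    findings = []
    for ts, device, country in events:
        if datetime.fromisoformat(ts) < learn_end:
            continue  # still inside the learning window
        if allowed_countries is not None and country not in allowed_countries:
            findings.append((device, country, "outside written policy"))
        elif country not in baseline[device]:
            findings.append((device, country, "new destination vs. baseline"))
    return findings


if __name__ == "__main__":
    base, end = build_baseline(SAMPLE_EVENTS, learn_days=30)
    print("bank:", evaluate(SAMPLE_EVENTS, base, end, allowed_countries={"US"}))
    print("oil rig:", evaluate(SAMPLE_EVENTS, base, end))
```

The same telemetry yields two findings under the bank’s policy but only one under the oil rig operator’s, which is the point of writing the policy first and learning second.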
Overall, know that enterprises are not alone in working through the finer points of ensuring mobile security.
“Mobility is almost like a journey – I don’t think anybody starts off with all the information,” Covington said.