The world has fallen in love with consumer devices like smartphones and tablets. By reinventing the way phones and portable computers work, they offer an intuitive and user-friendly way to surf the Web, communicate and access entertainment. For many of us, it’s hard to imagine life without the instant access to personal communications, social networking and media sharing sites that these devices provide.
The problem for information security professionals comes when people bring these consumer devices to work. Users increasingly want to use these ever more powerful and capable devices for business applications too.
The trouble is that many of the most popular consumer devices were not designed from the start as business tools, and do not offer levels of security comparable to current desktop and laptop computers. What is more, the way such devices are used blurs the line between personal and business usage and behaviour.
The potential risks to the organisation include misuse of the device itself, outside exploitation of software vulnerabilities and the deployment of poorly tested, unreliable business apps – all of which open up new routes for data loss and new ways for an organisation’s reputation to be damaged.
But all is not lost. By putting in place the right working practices, usage policies and management tools, organisations can benefit from the greater flexibility, increased productivity and reduced costs that consumer devices can bring to the workplace, while minimising exposure to the potential risks.
However, time is of the essence, and organisations urgently need to formulate a response to this trend. That’s why I’ve compiled an objective, best practice-focused approach to securing mobile devices, broken down into four manageable components: governance, users, devices, and applications and data.
Governance
Here the challenge is that, without control over consumer devices, organisations have little or no visibility of usage and penetration, and poor knowledge of ownership, support requirements, adherence to policies or compliance. In addition, consumer mobile devices and apps are typically sourced from a wide variety of unapproved, non-corporate suppliers, with limited attention paid to service provision contracts.
Addressing this demands creating a framework for ensuring correct and consistent mobile device security assurance. This involves getting an understanding of the extent of consumer device penetration and identifying the different device user groups, their requirements and the attendant risks. Organisations then need to agree a device provision mechanism, define policies around ownership, corporate access and acceptable use, and identify any statutory requirements.
Users
With no control over consumer device working practices, users are free to combine work and personal tasks and data, with the risk of working in unsuitable locations and exposure to loss and theft. Users can potentially misuse or abuse the device through jail-breaking or disabling security features. They might also copy data to removable storage devices, or use the device for making inappropriate calls, or for downloading and sending offensive or inappropriate content.
Organisations need to ensure employees are aware of what constitutes good working practice for mobile devices. As well as making consumer device security an integral part of awareness campaigns, organisations should create an Acceptable Use Policy, which employees must sign. In addition, organisations should consider monitoring device usage and enforcing policy through disciplinary or financial sanctions.
Devices
Left unprotected and unmanaged, consumer devices are exposed to a range of information security threats. These include: exploits by malware targeted at the device’s operating system or apps; unauthorised connections; exploitation of software vulnerabilities by malware that exposes data or causes unexpected behaviour; and compromise or irrecoverable loss of data.
Organisations need technical solutions for securing access to mobile devices and their contents. These include: enabling or installing functionality such as malware protection, firewalls and storage encryption; enforcing complex passwords; and enabling remote maintenance, upgrades and device wipes through a Mobile Device Management (MDM) system.
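The controls listed above are the kind of thing an MDM system checks against its device inventory. The following Python is an added example, not code from the original article or from any MDM product: it applies a constructed policy (the thresholds, device records, field names and action names are all assumptions) to sample inventory records and returns the response the policy requires for each device.

```python
# Added example (not from the original article): a minimal compliance check
# over MDM inventory records, covering storage encryption, complex passcodes,
# jailbreak detection and OS currency, and mapping findings to a response.

# Constructed policy thresholds; real values come from the organisation's
# Acceptable Use Policy and MDM configuration.
POLICY = {"min_passcode_length": 8, "require_alphanumeric": True,
          "require_encryption": True, "allow_jailbroken": False,
          "min_os": (16, 0)}

def check_device(rec: dict, policy: dict = POLICY) -> list[str]:
    """Return the policy violations found in one inventory record."""
    violations = []
    if rec["jailbroken"] and not policy["allow_jailbroken"]:
        violations.append("jailbroken")
    if policy["require_encryption"] and not rec["encrypted"]:
        violations.append("storage_not_encrypted")
    if rec["passcode_length"] < policy["min_passcode_length"]:
        violations.append("passcode_too_short")
    if policy["require_alphanumeric"] and not rec["passcode_alphanumeric"]:
        violations.append("passcode_not_alphanumeric")
    if tuple(rec["os_version"]) < policy["min_os"]:
        violations.append("os_out_of_date")
    return violations

def decide_action(violations: list[str]) -> str:
    """Graded response: a jailbroken device loses corporate access until it is
    re-enrolled; other gaps are fixed by pushing settings from the MDM."""
    if "jailbroken" in violations:
        return "block_corporate_access"
    if violations:
        return "push_remediation_profile"
    return "compliant"

# Constructed sample inventory (hypothetical device ids and field names).
INVENTORY = [
    {"id": "dev-001", "os_version": (17, 2), "encrypted": True,
     "passcode_length": 8, "passcode_alphanumeric": True, "jailbroken": False},
    {"id": "dev-002", "os_version": (16, 5), "encrypted": False,
     "passcode_length": 4, "passcode_alphanumeric": False, "jailbroken": False},
    {"id": "dev-003", "os_version": (15, 7), "encrypted": True,
     "passcode_length": 10, "passcode_alphanumeric": True, "jailbroken": True},
]

def audit(inventory: list[dict] = INVENTORY) -> dict[str, str]:
    """Map each device id to the action the policy requires."""
    return {rec["id"]: decide_action(check_device(rec)) for rec in inventory}

if __name__ == "__main__":
    for dev, action in audit().items():
        print(dev, action)
```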
Applications and data
Most applications on consumer mobile devices will have been purchased or downloaded from an app store or software vendor. In many cases the provenance of the apps is unknown, and they are unlikely to have undergone formal software development and testing or to be provided with a proper documentation and upgrade regime. The apps may also lack activity reporting and logging, and typically provide poor data protection.
Organisations need to make sure that apps used for business, and the types of data they are able to access or generate, are appropriate and properly tested. This might include going as far as developing apps in-house and building an organisation app store. This way, apps could be thoroughly tested and secured against malware infection or attack. Organisations could implement data classification to set limits on the type of data that can be accessed or generated by users on consumer devices.
Consumerisation is a fast-moving trend – organisations cannot afford to stand still and allow mobile device adoption to run its own course.