With the proliferation of smartphones and the introduction of solid-state devices such as the iPad, coupled with increased bandwidth in LTE networks, mobile computing is becoming a fact of life that IT organizations are going to have to grapple with. As with many consumer-driven technologies, the integration of these mobile devices often starts in the C-suite of a company and quickly proliferates into the rank and file. This ever-growing extension of the enterprise into a consumer-driven market is a nightmare for risk managers trying to protect a company's intellectual capital and systems infrastructure.
Unarguably these devices provide a means for businesses to be more productive and agile, and are a temptation that cannot be avoided. They also blend work and personal business on a level never before experienced by technology organizations, as many of these devices are owned by the employees rather than the company (although that trend is starting to change as some companies are adopting tablet computers as a new standard for portable computing devices rather than deploying laptops).
Because many of these devices are employee owned, companies also now have to deal with the ramifications of having personal devices access corporate assets. This introduces an unprecedented level of risk, HR, and legal issues that companies have never had to deal with before.
This trend is only going to continue as the computing platform paradigm shifts from computing at a desk to computing available to you wherever you are and whatever you are doing. Inasmuch as these technologies are being adopted (and thriving in the consumer market), companies need to understand the risks involved with extending their enterprises beyond the virtual walls of their networks and what to do to mitigate those risks.
Key risks and mitigation strategies include:
Information Security
Access to e-mail and company contacts is a major reason for having a mobile device. However, these devices can also be used for checking personal e-mail as well as connecting to social media sites (e.g. Facebook, Twitter, Digg, etc.). Whereas many companies have established policies to protect their laptops from these types of vulnerabilities, mobile devices will also need a similar protective framework.
Mitigation Strategies:
- Mobile policy management – if users are going to use their personal devices to access corporate information, then policy enforcement on those devices is a must (such as multi-factor authentication, device password lockdown, data wiping capabilities, etc.). There are several choices available in the market to help manage these policies and secure information on mobile devices
- Education – ensure that mandatory education is required for any employee who uses a mobile device to access corporate assets, so they understand and acknowledge the risks and their responsibilities for using those devices
Location Sensitive Information
One of the great capabilities of mobile devices is to interact with social media sites and allow them to know your location automatically, so you don't have to provide that information whenever you post to these sites. However, for companies (especially companies that keep employee locations secret), this is an exposure that needs to be addressed. Take an armored car service as an example. If you have an employee who is posting to Facebook while working, it would not take long for someone to piece together the patterns of where that employee has been on particular days and map out their regular routes, potentially exposing the employee and the company to theft or other crimes.
Mitigation Strategies:
- Education and awareness – as with Information Security, education is critical; but awareness of what information employees are posting to social networking sites is also critical. They need to understand the implications of providing location information, especially when they are on the job
- Disable location capabilities – on managed mobile devices, push a policy to disable this feature. For devices that are not under corporate management, educate employees on the importance of disabling this feature to protect the company and, more importantly, the employee
- Audits – for highly secure delivery services, regular audits of employee online activities may be necessary to ensure compliance with these policies. This is a very sensitive issue and should be carefully reviewed by your legal and HR teams before implementing
Vulnerabilities from unsecure devices and networks
Given that many of these devices are personal devices, they will likely be synced with home computers or other computers not directly under the security umbrella established by your company. Further, these devices can connect to open wireless networks such as hotel and coffee shop networks, making them potentially vulnerable to access by others.
Mitigation Strategies:
- Policy enforcement – if the device is being used for accessing corporate information, policies should be pushed to the mobile device to govern how users get access to corporate information through these networks
- Mobile security software – there are multiple vendors available to protect cell phones from a variety of threats, with capabilities including antivirus, anti-spam, and activity logging
- Education – once again, education is a must. Have users understand the risks of attaching to unsecure networks, and be sure they are aware of and note any unusual activity while they are connected to those networks
Connectivity into corporate wireless networks
Personal devices connecting into corporate networks expose companies to the variety of risks that come with unmanaged devices. Risks include introducing viruses or trojans into the corporate computing environment or unauthorized access to information assets.
Mitigation Strategies:
- Policy enforcement – for devices that have both Wi-Fi and 3G/4G wireless connectivity, ensure that they can only connect to one network at a time so that no external network tethering can take place
- Unauthorized device management – ensure that your wireless network only allows whitelisted devices to connect to your internal network, or have the ability to detect new devices connecting to the network
- Education – corporate policies should be in place and communicated to employees to prevent unauthorized devices from connecting to the corporate network
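As an added illustration of the "detect new devices connecting to the network" control (example code written for this page, not a tool described by the article), the script below checks DHCP server log lines against a whitelist of known corporate device MAC addresses and reports any lease handed to an unlisted device. The log lines and MAC addresses are constructed samples in the style of ISC dhcpd syslog output.

```python
import re

# Constructed sample of dhcpd-style syslog lines (not from any real network).
SAMPLE_LOG = """\
Mar  3 08:12:01 dhcp1 dhcpd: DHCPACK on 10.0.5.21 to 00:1a:2b:3c:4d:5e (corp-laptop-017) via eth1
Mar  3 08:13:44 dhcp1 dhcpd: DHCPACK on 10.0.5.22 to 00:1A:2B:3C:4D:5F (corp-laptop-018) via eth1
Mar  3 08:15:09 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to a4:83:e7:11:22:33 (Johns-iPhone) via eth1
Mar  3 08:15:10 dhcp1 dhcpd: DHCPREQUEST for 10.0.5.23 from a4:83:e7:11:22:33 (Johns-iPhone) via eth1
Mar  3 08:20:30 dhcp1 dhcpd: DHCPACK on 10.0.5.24 to d8-96-95-aa-bb-cc via eth1
"""

# Constructed whitelist of corporate-managed device MACs (assumed inventory).
ALLOWLIST = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}

# Only DHCPACK lines mean a lease was actually granted; hostname is optional.
ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9A-Fa-f:\-]{17})(?: \(([^)]*)\))?")


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so aa-bb-.. and AA:BB:.. compare equal."""
    return mac.lower().replace("-", ":")


def find_unknown_devices(log_text, allowlist):
    """Return {mac: (ip, hostname)} for every granted lease whose MAC is not whitelisted."""
    allowed = {normalize_mac(m) for m in allowlist}
    unknown = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        ip, mac, host = m.group(1), normalize_mac(m.group(2)), m.group(3) or "<no hostname>"
        if mac not in allowed:
            unknown[mac] = (ip, host)  # one entry per device even if it renews repeatedly
    return unknown


if __name__ == "__main__":
    for mac, (ip, host) in find_unknown_devices(SAMPLE_LOG, ALLOWLIST).items():
        print(f"ALERT unlisted device {mac} got lease {ip} ({host})")
```

A MAC whitelist is easily spoofed, so treat this as a detection aid and pair it with 802.1X or certificate-based network access control for enforcement.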