SMARTPHONES, MOBILE DEVICES & ENTERPRISE SECURITY

(by Tarran Dookie)

THE TRANSITION TO MOBILE TECHNOLOGY

One of the biggest technology trends of the past few years has been a transition away from traditional desktops and laptops to mobile technology. The use of smartphones and mobile devices such as tablets has seen exponential growth in recent times.

Smartphones and tablets are now integrated into an organisation’s suite of work tools. Employees are encouraged to use their personal devices to carry out certain work functions. Corporate networks and data are now open to consumer mobile technology. Mobile devices such as smartphones, tablets and other Internet-enabled devices are changing the way employees deal with business information. The employee can access information related to his work from home or while travelling or from a client’s office. Mobile devices are now used in businesses to send and receive electronic mail (email), to link to company networks to access data and network-based applications. The user will also have access to data that is stored on the device. It is now possible to update a customer’s records whilst away from the office. Where the employee has access to the company’s database or accounting systems it is possible to set up a new customer’s account, check prices and availability of product and complete an order.

THE THREATS TO ENTERPRISE SECURITY

While mobile technology is advancing rapidly, the capabilities for controlling and protecting the information on mobile devices are lagging behind. The use of smartphones for both company and personal use brings dangers to a company’s network. It is now apparent that criminals are targeting smartphones and mobile targets as they see the migration from personal desktop computers to these devices.

Because of their size and portability, mobile devices are easily lost or stolen, which puts corporate data at risk on the mobile devices as well as within the corporate network.

The proliferation of smartphones and mobile devices in business use poses risks to organisations. The devices may store and have access to sensitive and critical data and would be of concern if the devices are lost or stolen. Email exchanges, text messages, meeting dates and documents may be seen. Valuable data can be accessed by unauthorised people if proper precautions are not taken to protect the devices and the data that they carry. A company’s network may be exposed to malware and hacking. Mobile devices can be turned into high-tech spying devices, capturing and sending confidential photos and recordings back to hacker-controlled websites. The fact that they are always on and connected makes them more vulnerable to malicious attacks through various communication channels.

Most mobile platforms started as consumer platforms and were not designed to provide comprehensive enterprise security. This has given hackers incentive to create techniques or malware targeting these devices. One of the issues facing enterprises is the absence of firewall protection when such devices as smartphones are employed in the business.

Mobile device malware—viruses, worms, Trojans, spyware—has been on the rise over the past few years because most mobile platforms do not yet have built-in mechanisms to detect malware. There has been a sharp increase in mobile malware. Loading an application has the potential to spread malware as the software may contain malware. Malware can then spread quickly through connection to another device or a company’s intranet. Personal or confidential data can be lost or stolen. The malware may cause text messages to be sent or make unauthorised phone calls unknown to the owner.

Connecting through Wi-Fi or Bluetooth also poses risks as the Wi-Fi source or the other Bluetooth device may itself contain malware or be the gateway to hacking.

The Internet-enabled mobile device may also be subject to spam attacks and ‘phishing’ (luring the user to access a fake website) aimed at extracting personal information for financial gain or fraudulent activity. Protection features available on a PC to prevent spam or ‘phishing’ may not be present on the mobile device.

SOLUTIONS AND SAFEGUARDS

Businesses must factor the use of smartphones and mobile devices into their security policies. Mobile security must be integrated into the company’s risk management programme. There must be clarity in what is expected of employees and who is responsible for ensuring the security of the devices and the company’s data. The following are steps an organisation can take to safeguard against the risks inherent in the use of smartphones and mobile devices.

ACCESS

  • Use secure authentication to connect to a company’s network. A complex or strong password should be used to access the device or data on the network.
  • Two-factor authentication should be used, if possible. In addition to the user’s static or regular password, a second authentication factor must be supplied to gain access. This ensures that a hacker who steals a user’s static password cannot go further without the second authentication factor.
  • Timeout policies can be established so that the employee is not hooked into the company’s network beyond a certain amount of time.
  • The use of Network Intrusion Software can help businesses to identify any unauthorized intrusions.
  • Secure technologies, for example virtual private networks (VPNs), should be used when connecting to the company’s network from outside locations.
  • Maintain logs to show when mobile devices and the company’s VPN gateway are in contact and data is being transmitted to and from servers within the company’s intranet.

DATA INTEGRITY AND PROTECTION

  • Determine the data that will be allowed to be stored on the devices.
  • Sensitive data should be encrypted.
  • Back up mobile data on a regular basis.
  • Remote data wiping facilities can be installed so that sensitive data can be deleted if the device is lost or stolen.

PROTECTING THE DEVICE

  • Assign an ID number to each mobile device and be aware of who is using it.
  • GPS (Global Positioning System) tracking can be installed to trace a phone if it goes missing.
  • Install features to remotely lock the device to render it useless if lost or stolen.
  • Advise employees to use personal identification numbers (PINs).
  • SIM watch can also be installed so that if the SIM card is removed and replaced the new number is sent to the owner.
  • It is advisable that the IMEI (International Mobile Equipment Identity) number is recorded so that the network provider can stop a stolen phone from accessing the network.

GENERAL SAFEGUARDS

  • Install an antispam solution to block incoming spam.
  • Install anti-malware and anti-virus software on the devices.
  • Put the device’s Bluetooth setting to undiscoverable mode when not in active use.
  • Turn off Wi-Fi connection when not in active use.
  • Install a local firewall on the mobile device to block requests from unknown devices.
  • Advise employees to only download and install trusted or certified applications.