Mobile, Smartphone & BYOD
Owing to the development of mobile devices, people nowadays are overwhelmed by tons of information on the go. Curiously, despite being distracted by this constant flow of information, people are so mesmerized by it that they cannot break free from this lifestyle. Modern life is fast-paced and being mobile is the norm today. Mobile technology gradually but logically made its way into the workroom.
This article revolves around a handful of terms: “mobile management,” “mobile devices,” “mobile security,” and “bring your own device” (BYOD). There is also an 8-question quiz at the end of the article on topics related to mobile management. You can find all the answers right after the reference list.
I. Benefits of Mobile-Optimized Work Environments
One quick scientific fact: personal mobile technology used at work improves workforce productivity (research by the University of Kansas).
People like to buy the latest tech products for personal use – another fact (albeit not a scientific one). Since employees tend to care more about their own mobile device, the probability of losing it is lower than if it is given to them for free. In the context of the corporate mobile environment, this improves their business life and curtails corporate expenses at the same time – an added benefit for both the employer and the employee.
Let us sum up some of the most obvious business benefits that a decent mobile device management policy would entail: dispense with overhead expenditures regarding the provision of employees with devices for work, increased flexibility and workflow, convenience, the opportunity for employees to work remotely, and perhaps less stress.
II. Mobile Asset Management: Threats & Challenges
A mobile device may contain a lot of confidential information, for instance, personal calendars, contact lists, corporate email addresses, personal identification numbers (PINs), login details, proprietary enterprise information, or customer records. One should be very careful when it comes to mobile security in the context of enterprise activities. Your people might walk into the company loaded with malware and have your intellectual property walk out of the front door with them. Either way, you will face serious consequences.
Three basic challenges in mobile security:
- A heightened risk of malware infection due to the lack of control over personal devices
- A cause for concern with respect to data leakage because mobile devices now can access both sensitive personal and corporate data
- IT supportability of mobile technology at work may be complicated because of the great variety of devices, operating systems, platforms, etc.
The adjective “mobile” alludes to the fact that this technology cannot be locked to a certain location. Because they are “mobile,” the owners of these machines may feel inclined to use them anywhere and at any time, which means that the devices in question are exposed to all kinds of threats. What is worrisome about mobile security is that the owner of the mobile device may use it in ways or in places that bode danger not only for him but also for the organization as a whole.
Moreover, mobile phone overuse is one of the most serious forms of dependence syndrome directed toward an object in recent times – a fact per se sufficient to get many mobile users and their bosses in trouble. Sharing credit card information on untrustworthy websites, connecting automatically to public Wi-Fi hotspots at Starbucks, and downloading unvetted apps that profile users (geolocation data, personal media…) are some examples of dangerous behavior that runs counter to cyber security tenets, but behavior most mobile users nevertheless exhibit on a regular basis.
Do not forget that phishing dangers do exist in the mobile environment. Also, unsanctioned mobile apps may work as a backdoor leading to your secret information. Your device could even become part of a mobile botnet and participate in a DDoS attack against other entities.
Criminals can take exploitation of mobile devices to another level – physical security. Numerous cases of lost or stolen mobile devices attest to this possibility. Once they have the targeted devices in their possession, criminals can extract all unprotected sensitive data from them and leverage it to penetrate the organization, or try to monetize the data through other methods. By way of illustration, crooks need not walk into a bank to rob it; they only need to steal a mobile device with unencrypted bank credentials kept on it.
Mobile devices are part of the Internet of Things trend. American Military University (AMU) professor and cybersecurity expert, Dr. Karen Paullet, noted that “[t]here are 7.22 billion mobile devices today in the world. There will be 21 billion connected devices by 2020.” From a security point of view, this boom in connected devices can be a bad thing, because it broadens the attack surface for hackers at a rate proportional to the number of Internet-embedded devices. A single, unsecured smartphone, tablet or laptop – even a smartwatch or other IoT items – can create an entry point for a great deal of trouble to a given organization.
III. Tools for Managing Mobile Assets
Mobile device management (MDM) or mobile application management (MAM) installed on users’ mobile devices is a mandatory first step if you want to secure and control corporate data in the cloud via a mobile platform. It is a relatively easy process if you manage to set up appropriate asset, network, log, and mobile device management controls. Nonetheless, specific sectors, such as government and healthcare, may not possess the IT maturity level to perform these tasks, even though they process sensitive information.
MDM serves as a natural extension of the organization’s security strategy. It allows for central mobile management and application of security policies from the cloud, which will protect valuable data on smartphones, tablets, etc. An MDM solution is an extra precaution that will give IT access to any device connected to the corporate business network, along with the capability to revoke this access and even to remotely wipe the device if it is stolen or lost. Access to sensitive corporate data can be restricted based on device-specific identifiers, e.g., the MAC address. Furthermore, MDM will outline policies, protocols, and other details on how one is to access company data from locations inside or outside corporate premises. Mobile device management, however, is not foolproof. Therefore, additional help such as a cloud security gateway in front of cloud services (e.g., GitHub, Box, and Salesforce) is necessary to enforce corporate policy on apps and data, as well as on company-developed apps. That will secure BYOD usage at the application level in the cloud.
One can also make use of an emerging group of technologies dubbed mobile application management (MAM) to detect whether people bring malware along with their device (irrespective of whether they are aware of that fact or not). A MAM tool can manage a company’s homemade apps as well as those created by a third-party supplier.
Virtual Mobile Infrastructure (VMI) is another tool that may facilitate mobile security. It keeps data and apps on a secure platform while allowing every authorized user to access them via tablets and smartphones. A VMI is based on a single sign-on process that also improves security.
BYOD as a technological trend may take advantage of security mechanisms known as secure containers to safely store sensitive company data on the device without lumping it together with any personal data.
Lastly, as an extra means for precaution, employees should receive identity access management (IAM) solutions equipped with two-factor authentication.
IV. Best Practices Concerning Managing Mobile Assets
Do you need to stay ahead of the competition?
Do you want to reduce the risks associated with mobile devices at work?
The key to success is the development and implementation of a workable strategy for mobile assets.
List of Allowed Mobile Devices /and Applications/
- Provide employees with a list of acceptable and banned devices. Specify how many mobile devices will be included in the mobile management policy.
- Business leaders should determine which devices, operating systems, and apps will be allowed to participate in the BYOD scheme.
- Some registration process for mobile devices will be required. A human-centric approach alone would not be enough. Enforce standard antivirus software and scan each device before you allow a full connection to the corporate network.
- Do the same thing for apps – this rule also covers social media use during working hours.
Be Organized and Transparent
Cover in a comprehensive fashion every aspect of the policy on mobile devices – data security, data retention, reimbursement, human resource policies, business continuity and contingencies details, liability, etc. Create a plan in case an employee’s device is lost or stolen.
Managerial staff should discuss matters such as employee access to the corporate network, common security threats, data ownership, and employee responsibility. Generally speaking, employees must know how they should access corporate Wi-Fi and whether they are permitted to access public Wi-Fi networks. Employees must also be informed about the repercussions of breaching their responsibilities under the corporate policies.
If you decide to use software designed to keep track of websites all of the employees visit or the apps they install while they are connected to the corporate network, you need to familiarize them with your decision.
Unencrypted corporate and personal documents, emails, chats, and images stored on mobile devices are among the riskiest items in terms of content. Attackers value these kinds of datasets even though they may not be able to capitalize on them immediately.
A mobile device policy should be coupled with a remote access one. Entry to corporate data must be granted through an encrypted SSL or IPsec connection. Strong encryption algorithms in combination with modern authentication methods are safety solutions of proven merit that will certainly contribute to creating a secure mobile environment.
A VPN cloud network solution allows organizations to secure every kind of data, including app data, by replacing employee IP addresses with generic ones. In effect, a VPN creates a secure tunnel between the organization’s servers and the employees’ mobile devices.
Passwords and Multilevel Access Control
Virtually all mobile devices today come with password protection capabilities. Unfortunately, many people prefer not to use this feature because they feel it is cumbersome to type in a password rather than merely swipe the screen. According to a 2014 study by Verizon, 76% of data breaches on enterprise networks happen because of weak employee passwords (very common is “123456”). An appropriate case study about password security, among other things, is the Target data breach. It is perhaps enough to say that the retailer incurred approximately $200 million in costs arising as a result of an overly simplistic password being hacked.
Passwords are not the ultimate solution, but they work well when they are well crafted. Also, do not use the same password for multiple access control points. Single sign-on passwords are one of the reasons that caused trouble for Home Depot, Target, and many others. So do not join this club – lock yourself out of it with different strong passwords at different folder locations, data sets, device screens, etc. Encourage employees to create strong passwords that contain both letters and numbers, as well as symbols if that is possible (more on password security in Dimov & Juzenaite, 2015, in the reference list).
Activate password-enabled or biometrically secured lock screens on devices – it prevents jailbreaking, among other things.
Applications, Other Software & Updates
Enforce strong application policies:
- Install corporate network settings (Wi-Fi, proxy…) on personal mobile devices right from the outset
- Block Skype video, Facebook games/chat, etc.
- Install software only from trusted sources
- Regularly install OS and app updates, and the most recent security patches
- Rely on applications that allow users to be logged out remotely
- Wipe clean all business data on outdated inventory or on personal devices of workers leaving the company
- Remote wipe must keep personal data on users’ devices completely intact
Sometimes organizations resort to creating an enterprise app store for their staff to download only approved apps. A company-issued access application could establish an encrypted connection between the mobile client and a Microsoft Exchange Server, for example, thereby granting the user access to internal corporate information (e.g., calendar, schedules, notes, contacts, emails, etc.) when he enters login details. Every data set is loaded into main memory only for as long as the application is active. Upon termination of the session, none of the data loaded onto the device remains there. By this simple procedure, there is no risk of a data breach in case the device is stolen or lost, because the data always remains hosted on the company’s servers, not on the device.
Divide et Impera
Michael Thorne, CTO of Fintech company Bristlecone Holdings, suggests separating a corporate network into three tiers: Public /guests/, Private /regular employees/, and Limited /authorized employees/. These three tiers can co-exist in the same Internet pipe, provided that proper configuration tools and firewall mechanisms are in place.
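The device-admission checks listed above (allowed platforms, antivirus scan, screen lock, encryption, no jailbreak) and the three-tier network split can be combined into one enrollment decision. The following is an added example, not code from the article or from any MDM product; the attribute names, the minimum OS versions and the sample devices are constructed assumptions.

```python
"""BYOD enrollment policy check: decide which network tier a device gets.

Added example (not from the original article). It encodes the checks the
article lists and maps the result onto the Public / Private / Limited
tiers from "Divide et Impera". Attribute names and sample data are assumed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed policy values: allow-listed platforms with a minimum OS version.
ALLOWED_PLATFORMS = {"ios": (15, 0), "android": (12, 0)}


@dataclass
class Device:
    owner: str
    platform: str                 # e.g. "ios", "android", "windows"
    os_version: Tuple[int, int]   # (major, minor) as reported by the agent
    jailbroken: bool              # rooted/jailbroken flag from the MDM agent
    antivirus_scan_clean: bool    # last mandated scan passed
    screen_lock: bool             # PIN/biometric lock enabled
    storage_encrypted: bool       # device storage encryption on
    role: str                     # "guest", "employee" or "authorized"


@dataclass
class Decision:
    tier: str                     # "Public", "Private" or "Limited"
    reasons: List[str] = field(default_factory=list)  # failed checks


def evaluate(device: Device) -> Decision:
    """Return the network tier plus the failed checks (remediation hints)."""
    failures = []
    min_version = ALLOWED_PLATFORMS.get(device.platform)
    if min_version is None:
        failures.append(f"platform {device.platform!r} is not on the allow-list")
    elif device.os_version < min_version:
        failures.append("OS version below the policy minimum; install updates")
    if device.jailbroken:
        failures.append("device is jailbroken/rooted")
    if not device.antivirus_scan_clean:
        failures.append("antivirus scan missing or failed")
    if not device.screen_lock:
        failures.append("screen lock not enabled")
    if not device.storage_encrypted:
        failures.append("storage not encrypted")

    # Any failed check, or a guest role, is confined to the Public tier.
    if failures or device.role == "guest":
        return Decision("Public", failures)
    if device.role == "authorized":
        return Decision("Limited")
    return Decision("Private")


# Constructed sample fleet (not real devices).
SAMPLE_DEVICES = [
    Device("alice", "ios", (16, 2), False, True, True, True, "authorized"),
    Device("bob", "android", (13, 0), True, True, True, True, "employee"),
    Device("carol", "android", (11, 0), False, False, True, False, "employee"),
    Device("dave", "ios", (16, 0), False, True, True, True, "guest"),
]


def enrollment_report(devices=SAMPLE_DEVICES) -> dict:
    """Map each owner to the admission decision for their device."""
    return {d.owner: evaluate(d) for d in devices}


if __name__ == "__main__":
    for owner, decision in enrollment_report().items():
        print(owner, decision.tier, "; ".join(decision.reasons) or "compliant")
```

The `reasons` list is what the registration step would hand back to the employee as the fix list before a full connection is allowed.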
Training On Basic Mobile Security!!!
BYOD reduces training costs since it can deliver all of the corporate eLearning benefits to the employees but in a secure, well-organized manner.
“Classroom learning was inflexible. eLearning was more flexible. Now, mLearning takes it to the next level.” /Source: http://info.shiftelearning.com/blog/how-mlearning-is-revolutionizing-the-learning-landscape/
Well-trained workers tend to cause fewer cyber security lapses, and they will most certainly repay training costs in many ways (not necessarily money), one of which is reducing the burden of mobile-related security incidents on the IT department. Consequently, proper training can make a difference. A mobile security awareness program may provide the following benefits:
Educate users on best practices when it comes to downloading and using apps – for example, guidelines that differentiate between app platforms such as the Google Play Store and the Apple App Store. Illegal apps collect mobile device data to find a way to hack you, but, interestingly, most legal apps collect more mobile device data (geolocation data, images, calendar, a list of contacts, etc.) than they need, in order to sell it to advertisers. Not many people know that.
Not many people know about the dangers of metadata, either. A mobile security awareness training course can teach you how to manage location-based services so that you will not inadvertently reveal geolocation data to third parties. Geo search and geolocation data as a whole may jeopardize your privacy – perhaps you do not realize it, but one can find your photos on a map even if you use a pseudonym. Furthermore, geolocation data being obtained by malicious actors opens the possibility for a real-world attack, such as burglary.
A mobile security awareness program may protect you from being hacked while using mobile devices. Adequate training would instill caution into people’s minds and eventually make them refrain from opening phishing attachments, following links to malicious websites, or visiting websites that do not support HTTPS while working on their mobile devices. Quick tips: When accessing public wireless Internet via a laptop, iPhone or Android device, only use websites that offer HTTPS. Try to avoid public Wi-Fi hotspots altogether and use your own cellular connection instead. Beware of social engineering scams.
Mobile security awareness training also covers safe social media use on mobile devices (e.g., security issues due to oversharing). While it may reiterate some components of the geolocation part, it touches upon other important matters such as how to set up two-factor authentication.
Finally, yet importantly, security awareness training may help you avert some physical attacks against your mobile device: theft, juice jacking or fake phone chargers. Quick tip: Set up your device to be tracked by an app or another service so that you will be able to locate it or remotely lock/erase it if need be.
V. Quiz
1. What are the three most common types of cloud deployment?
2. “Containerization” is a term that refers to:
- a) Placing mobile devices in a special signal-blocking container (e.g., a Faraday cage)
- b) A series of steps whose purpose is to contain a piece of malware detected on a mobile device
- c) A process that separates corporate and personal data on users’ devices
3. In which cases may device encryption not provide protection?
- a) When cyber criminals use decrypting tools designed by them
- b) When the device is stolen while unlocked
- c) When the system itself has a known backdoor attack vulnerability
4. Pick the right answer that describes each of these two terms: lockout and screen locks.
- a) It prevents someone from casually picking up and being able to use your mobile device
- b) When users fail to provide their credentials after repeated attempts, the account or device is disabled for a certain period
5. Possible workarounds for screen locks are:
- a) Connect to the device over wireless
- b) Connect to the device with a USB cable
- c) Connect to the device over Bluetooth
- d) All of the above
6. What is jailbreaking?
7. Choose which functions a Mobile Device Management (MDM) solution can perform:
- a) Improve overall security
- b) Detect zero-day jailbreaking
- c) Provide monitoring
- d) Remotely decrypt ransomware
- e) Enable remote management
- f) Support troubleshooting
- g) Always prevent data leakage via cloud services
8. Is the following statement true?
By some BYOD policies, workers may need to agree to be tracked and monitored on their personal mobile device, even when not on company property and outside of work hours.
References
Andrulis, T. (2017). How Safe Is Company Data from BYOD Breaches? Available at http://enewsletters.constructionexec.com/riskmanagement/2017/01/how-safe-is-company-data-from-byod-breaches/ (14/02/2017)
Comodo.com. (2016). The Benefits of Mobile Security Training. Available at https://dm.comodo.com/blog/mobile-device-management/mobile-security-training-benefits/ (14/02/2017)
Dimov, D. & Juzenaite, R. (2015). Password Security: Efficient Protection of Digital Identities. Available at /password-security-efficient-protection-of-digital-identities/ (14/02/2017)
elearningindustry.com (2017). 7 Surprising Mobile Learning Statistics eLearning Professionals Should Know. Available at https://elearningindustry.com/surprising-mobile-learning-statistics-elearning-professionals-know (14/02/2017)
Francis, R. (2017). 7 musts for any successful BYOD program. Available at http://www.networkworld.com/article/3166535/mobile-security/7-musts-for-any-successful-byod-program.html#slide8 (14/02/2017)
Hamblen, M. (2016). One-fifth of IT pros say their companies had mobile data breach. Available at http://www.computerworld.com/article/3048799/mobile-wireless/one-fifth-of-it-pros-say-their-companies-had-mobile-data-breach.html (14/02/2017)
Hand, S. (2016). How Mobile Learning Is Changing to Meet the BYOD Era! Available at https://www.pulselearning.com/blog/mobile-learning-for-the-byod-era/ (14/02/2017)
Hoffman, S. (2016). Cybersecurity Alert: Employee Mobile Devices (BYOD) Make Your Company Vulnerable to Attacks. Available at http://inhomelandsecurity.com/cybersecurity-byod-vulnerable-attacks/ (14/02/2017)
Honigman, B. (2013). The Major BYOD (Bring Your Own Device) Issues Facing the Healthcare Industry. Available at https://getreferralmd.com/2013/12/byod-issues-healthcare/ (14/02/2017)
Kohli, V. (2016). 1 in 5 Organizations Suffered a Mobile Security Breach: 2016 Spotlight Report. Available at https://www.skycure.com/blog/1-in-5-organizations-experience-data-breach-via-byod-2016-spotlight-report/ (14/02/2017)
Krumpack, L. (2016). The Future of Training in a Mobile World. Available at https://www.gensuite.com/future-training-mobile-world/ (14/02/2017)
Lord, N. (2017). BYOD Security: Expert Tips on Policy, Mitigating Risks, & Preventing a Breach. Available at https://digitalguardian.com/blog/byod-security-expert-tips-policy-mitigating-risks-preventing-breach (14/02/2017)
Pappas, C. (2016). 5 BYOD Mistakes To Avoid For Successful Online Training. Available at https://elearningindustry.com/5-byod-mistakes-to-avoid-for-successful-online-training (14/02/2017)
Queen, A. (2017). BYOD Security: 5 Threats Employers Need to Know About. Available at https://www.effortlesshr.com/blog/byod-security-5-threats-employers-need-to-know-about/ (14/02/2017)
Skidmore, S. (2013). Best Practices for Employee BYOD Training. Available at https://www.apperian.com/mam-blog/best-practices-for-employee-byod-training/ (14/02/2017)
Smith, A. (2016). Best Employee Mobile Device Policies Share These Four Things. Available at http://www.tomsitpro.com/articles/best-mdm-policies-share-these-traits,2-1078.html (14/02/2017)
Stewart, J., Chapple, M. & Gibson, D. (2015). Certified Information Systems Security Professional Study Guide (7th Edition).
trainingindustry.com. Bring Your Own Device. Available at https://www.trainingindustry.com/wiki/entries/bring-your-own-device.aspx (14/02/2017)
Vang, H. (2017). Securing Mobile Devices in a BYOD Business Environment. Available at https://www.liaison.com/2017/02/03/securing-mobile-devices-byod-business-environment/ (14/02/2017)
Answers
- On-premises, cloud, and hybrid
- b), c)
- Screen locks a), Lockout b)
- “Jailbreaking, in a mobile device context, is the use of an exploit to remove manufacturer or carrier restrictions from a device such as an iPhone or iPad. The exploit usually involves running a privilege escalation attack on a user’s device to replace the manufacturer’s factory-installed operating system with a custom kernel.” /Source: jailbreaking by Margaret Rouse/
- a), c), e), f)
- a) “The idea is, it’s not really your phone. The data isn’t yours. The expectation of privacy should be low,” states Shira Forman, employment lawyer at Sheppard Mullin Richter & Hampton.