When it comes to corporate security, smartphones and tablets have changed everything—and not necessarily for the better. By changing the way that information workers connect to the network, mobile devices open a number of windows through which unauthorized users can access corporate data—a problem that simply did not exist in the days of traditional desktops or original enterprise mobile devices.
More importantly, as personally owned devices replace the network-approved hardware that IT used to own and control, corporate IT departments must work with users in a cooperative partnership to provide adequate security. This role change means devising, communicating, and enforcing security policy rather than simply putting up fences. It also means remote access capabilities must be perfected.
Let's look at some of the ways that mobile devices have overhauled corporate security as we know it.
This new reality presents a different breed of security challenges that require IT to be clever, persuasive and, most importantly, prepared with specific policies to handle a range of compromising situations. To keep your environment uncompromised, here are five common mobile security challenges and how to solve them.
1. A "personal" device that isn't very personal
Employees often hand over their mobile computing device to someone else for a brief time; fortunately, in most cases there is little to fear on the security front. Grade schoolers looking to play 'Angry Birds' usually aren't interested in finding corporate secrets hidden in mom or dad's email. But that's hardly a sufficient reassurance for IT.
Once email or corporate apps touch a user's phone or tablet, everything about how that device is accessed needs to change. Mobile devices are multipurpose, and users are naturally going to find occasion to share their devices with others—to make a phone call, find an address or play a game. The onus is on IT to make sure corporate data and apps can't be shared so easily.
Unfortunately, the easiest route to securing device access—requiring a password to unlock the device—is riddled with security holes. More often than not, these enforcements result in weak passwords that are shared widely with friends and family. The better solution is to require a password only when corporate data is involved, and that means isolating all corporate data, including email, together on the device.
2. Limiting risk from sudden departures and terminations
When employees and employers part ways, a lot of things can go wrong. Terminations are an obvious source of unhappy departures, which can occasionally prompt irrational acts of retaliation. Occasionally, even an employee in good standing will quit suddenly, without warning, and disappear, leaving IT scrambling to quickly close down remote access to email and applications.
Damage caused by disgruntled employees is one of those things that shouldn't come up very often, but when it does, the damage can be particularly brutal.
This situation was easier to solve in the days when employees only accessed corporate data from corporate-owned devices. Asking a newly terminated employee to hand over his personal property so you can remove his network access is not likely to be accomplished without awkwardness at best, and refusal or outright malice at worst.
Rather than request permission to handle an outgoing employee's device, most companies make the decision to simply execute a remote wipe of corporate data and apps without an explicit discussion with the outgoing employee. A simple remote wipe protects the organization against the risk of sensitive data being stolen or disseminated by an angry ex-employee.
Unlike with a stolen device, in the case of a termination you must take care not to wipe the user's private data and applications. This is another good reason why isolating corporate data and applications in a specific, cordoned area of the device is an essential part of your mobile deployment strategy.
3. Cutting your losses on a lost device
It's no secret that smartphones and tablets are easy to lose. But sometimes the difference between "lost" and "temporarily misplaced" is not so cut and dried. Your employee may adamantly maintain that her smartphone will soon turn up, but every hour that the exact location of that device remains unknown, the threat to your corporate data grows.
Remote wipe capability is not a nice-to-have. Data encryption and remote wipe capability are generally considered to be the bare minimum requirements for mobile security. So the issue here is not what you need to do but when you need to do it.
A misplaced device is a great example of why a well documented and strictly enforced mobile security policy is so important. An explicit protocol excuses IT staff from the necessity of negotiating with a lost device's owner. Let the user know what time their device will be wiped and ask them to notify you immediately—by phone—if it turns up before the deadline.
For a typical employee, most companies define their tolerance threshold for a misplaced device within a specific window, numbered in hours. For employees with access to highly sensitive information, a zero tolerance policy may be the right choice, meaning lost devices must be reported immediately and wiped without delay. Users should know which part of the policy applies to them and what is expected of them in terms of reporting a lost device.
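The deadline protocol described above, as an added example that is not part of the original article: a small policy-as-code helper in Python that turns the report time and the user's tier into the wipe deadline, the notice sent to the user, and the wipe/wait/cancel decision, so the staff member on duty never has to negotiate. The four-hour window and the tier names are assumed values; the article only says the window is measured in hours.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

class Tier(Enum):
    STANDARD = "standard"    # typical employee: tolerance window measured in hours
    SENSITIVE = "sensitive"  # access to highly sensitive data: zero tolerance

# Assumed policy values (hypothetical; the article only says "numbered in hours").
TOLERANCE = {Tier.STANDARD: timedelta(hours=4), Tier.SENSITIVE: timedelta(0)}

def ts(text: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM' timestamp as written on the lost-device report."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

@dataclass
class LostDeviceReport:
    user: str
    tier: Tier
    reported_at: datetime
    recovered_at: Optional[datetime] = None  # set when the user phones in that it turned up

def wipe_deadline(report: LostDeviceReport) -> datetime:
    """Deadline communicated to the user when the report is opened."""
    return report.reported_at + TOLERANCE[report.tier]

def decide(report: LostDeviceReport, now: datetime) -> str:
    """Return 'cancel', 'wipe' or 'wait' from the report and the clock alone."""
    deadline = wipe_deadline(report)
    if report.recovered_at is not None and report.recovered_at <= deadline:
        return "cancel"  # turned up before the deadline: no wipe
    if now >= deadline:
        return "wipe"    # deadline reached (immediately for the zero-tolerance tier);
    return "wait"        # a device found after the deadline has already been wiped

def user_notice(report: LostDeviceReport) -> str:
    """Message sent when the report is opened: the wipe time and how to stop it."""
    return (f"{report.user}: your device will be wiped at "
            f"{wipe_deadline(report):%Y-%m-%d %H:%M}; phone IT immediately "
            f"if it turns up before then.")
```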
4. Protecting against viral infection
Viruses and worms are a plague that still predominantly affects desktop and laptop computers. But you can expect that to change quickly. The first security breaches via rogue apps have already occurred. Applications designed to steal banking credentials from users were discovered in Google’s Android Market online software store in early 2010 (SC Magazine For IT Security Professionals, January 11, 2010).
Untrusted applications downloaded from an app store are by far the biggest vector for malware and viruses. Because apps pose the biggest risk, companies must make it their policy to deny access to corporate applications from any untrusted application that resides on a user's device. Users who download a new productivity application and want to use it in concert with corporate data must submit a request and wait for IT to vet the application and make a determination about whether or not to support it.
Most IT experts would agree that protecting any computing device with antivirus software is a sensible investment that is sure to pay off sooner or later. But because most mobile devices are employee owned, it can be difficult to make this a mandatory policy. Consider a reimbursement option that covers all or part of your employees' antivirus purchase in order to increase the level of protection across your enterprise. In the meantime, remind employees that common sense security guidelines against clicking on suspicious links or forwarding unsolicited emails are just as important on smartphones and tablets as on laptop computers.
5. Providing guest access to the network
Guest access is commonplace in most organizations, but IT staff should view requests for guest access with a healthy dose of trepidation. Guest accounts can not only be abused by the intended guest but, if these accounts are found, they are sure to be exploited by nefarious individuals both inside and outside the enterprise.
A request for guest access should generate an immediate reply to the requesting manager, who must identify exactly what resources the guest will need access to and for how long.
In the case of mobile devices, a huge security hole walks out the door with your guest at the end of the day—and where it goes from there is anyone's guess. Whenever possible, a guest account should be set to expire at the end of the workday, if not sooner. Never rely on IT staff to remember to terminate a guest account manually; all guest accounts should be configured with a preset auto-termination.
Mobile devices are certainly making corporate security challenging for IT departments all over again. As mobile devices continue to gain popularity and ubiquity, they will be targeted more often by criminals and disgruntled employees to do damage. But by setting strong policies in advance, organizations can rest easier, knowing that they have minimized their risk and have documented procedures in place to solve the trickiest security issues.