Throwing bodies at a problem is rarely the best way to fix it. Yet according to the 2013 BYOD & Mobile Security Report from Information Security Community, this has been a common enterprise response to mobile security threats. In fact, in 2013 the cost of adding IT staff to handle mobile threats was reported as a bigger problem for organizations than the mobile threats themselves.
As a former Chief Information Security Officer, I’ve seen this response first hand when managing teams through technology shifts. The migration to mobile devices is no exception. In fact, mobile adoption has only compounded the issue. There is a lot of noise surrounding mobile malware, data leakage, and insider threats — so much that it can be difficult for IT to parse the real risks from the hype. So what can enterprises do to stay a step ahead?
The solution starts by evaluating actual risks, then taking a programmatic approach based on that evaluation. Driven by a lack of insight into actual risks and a strong push from security vendors, most enterprises are blindly throwing water on the fire without any insight into its source. By first focusing teams on gathering information, security heads can build a risk-based security strategy that holds up.
In the case of enterprise mobility, the information gathering begins first and foremost with user activity, including where they are using, storing and sending data. Security teams must look for visibility solutions that fill the knowledge gaps in this area before going down the path of putting control policies in place.
Here are several questions that security groups must answer before proceeding:
What apps/cloud services are being used and by which groups of users?
Where is corporate data being stored? On the device? In the cloud?
What apps most commonly store sensitive corporate data?
What model and version of mobile devices are being used within the organization?
Which users are using jailbroken devices?
The insights gathered from this process create a model for informed security risk management decisions, while the answers allow an organization to focus and prioritize its efforts to secure its data.
Likewise, knowing exactly which cloud storage services users are leveraging provides actionable insight. It gives IT the opportunity to vet that cloud service vendor, check whether its security features line up with the organization's own requirements, and, if the service passes, make it the corporate standard rather than banning what people are already using.
This is a great example of how IT can work with users to align productivity and security goals.
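The five visibility questions above, and the cloud-vetting step that follows them, are a data problem before they are a policy problem. As an added illustration (not code from the original article or from any product it mentions), the script below answers each question from a device inventory and lists the cloud services holding corporate data that IT has not yet vetted. The record schema is an assumption about what an MDM or app-visibility agent might export, and the inventory records are constructed sample data.

```python
"""Turn a mobile-device inventory into answers to the five visibility
questions, plus the cloud-service vetting check.

Added example, not from the original article. The inventory format is an
assumed schema (one record per enrolled device); the records are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample inventory (assumed schema, not a real product's export).
INVENTORY = [
    {"user": "alice", "group": "finance", "model": "iPhone 5", "os": "iOS 6.1.3",
     "jailbroken": False, "apps": [
         {"name": "Mail", "corp_data": True, "location": "device"},
         {"name": "Dropbox", "corp_data": True, "location": "cloud"}]},
    {"user": "bob", "group": "sales", "model": "Galaxy S4", "os": "Android 4.2.2",
     "jailbroken": True, "apps": [
         {"name": "Mail", "corp_data": True, "location": "device"},
         {"name": "Box", "corp_data": True, "location": "cloud"},
         {"name": "Angry Birds", "corp_data": False, "location": "device"}]},
    {"user": "carol", "group": "finance", "model": "iPhone 5", "os": "iOS 6.1.3",
     "jailbroken": False, "apps": [
         {"name": "Mail", "corp_data": True, "location": "device"},
         {"name": "Box", "corp_data": True, "location": "cloud"}]},
    {"user": "dave", "group": "engineering", "model": "Nexus 4", "os": "Android 4.3",
     "jailbroken": True, "apps": [
         {"name": "Mail", "corp_data": True, "location": "device"},
         {"name": "Dropbox", "corp_data": True, "location": "cloud"},
         {"name": "Evernote", "corp_data": True, "location": "cloud"}]},
]


def apps_by_group(inventory):
    """Q1: which apps/cloud services are in use, by which user groups."""
    groups = defaultdict(set)
    for dev in inventory:
        groups[dev["group"]].update(app["name"] for app in dev["apps"])
    return {g: sorted(apps) for g, apps in groups.items()}


def corp_data_locations(inventory):
    """Q2: where corporate data lives, counted per app installation."""
    return Counter(app["location"] for dev in inventory
                   for app in dev["apps"] if app["corp_data"])


def top_corp_data_apps(inventory):
    """Q3: apps most commonly holding corporate data, most installs first."""
    counts = Counter(app["name"] for dev in inventory
                     for app in dev["apps"] if app["corp_data"])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def device_models(inventory):
    """Q4: device model and OS version population."""
    return Counter((dev["model"], dev["os"]) for dev in inventory)


def jailbroken_users(inventory):
    """Q5: users on jailbroken/rooted devices, as reported by the agent."""
    return sorted(dev["user"] for dev in inventory if dev["jailbroken"])


def unvetted_cloud_services(inventory, vetted):
    """Cloud services holding corporate data that IT has not vetted yet,
    with the users relying on each, so it can be reviewed or replaced."""
    users = defaultdict(set)
    for dev in inventory:
        for app in dev["apps"]:
            if (app["corp_data"] and app["location"] == "cloud"
                    and app["name"] not in vetted):
                users[app["name"]].add(dev["user"])
    return {svc: sorted(u) for svc, u in users.items()}


def visibility_report(inventory, vetted_cloud=frozenset()):
    """Bundle all the answers into one structure for the risk review."""
    return {
        "apps_by_group": apps_by_group(inventory),
        "corp_data_locations": dict(corp_data_locations(inventory)),
        "top_corp_data_apps": top_corp_data_apps(inventory),
        "device_models": dict(device_models(inventory)),
        "jailbroken_users": jailbroken_users(inventory),
        "unvetted_cloud_services": unvetted_cloud_services(inventory, vetted_cloud),
    }


if __name__ == "__main__":
    import json
    report = visibility_report(INVENTORY, vetted_cloud={"Box"})
    # Tuple keys are not JSON-serialisable; flatten them for printing.
    report["device_models"] = {f"{m} / {o}": n
                               for (m, o), n in report["device_models"].items()}
    print(json.dumps(report, indent=2))
```

Two caveats a practitioner would add. The `jailbroken` flag is only as trustworthy as the agent reporting it; a rooted device can lie to the agent, so treat a clean flag as absence of evidence rather than evidence of absence. And the `corp_data` attribution is the hard part in practice: it depends on what the visibility tool can actually see (managed-app wrappers, email attachment flows, DLP labels), so the report is only as good as that classification.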
Full View of Apps
Another critical insight is a full inventory of the mobile apps employed across an organization and which of those apps are using corporate data. This information can directly inform the approach that an organization should take.
For instance, if email is still the primary way corporate data is being accessed, and that data is staying on the device, an email-specific mobile security solution might be the best first technology investment. Why overinvest in a broad mobile application management framework if it doesn't reflect the current risk in a given user community?
An interesting outcome of analyzing mobile activity is that many organizations have identified the need for a data-centric approach, one that lets IT determine where the data moves, how it is stored and who has access to it.
A model like this protects the data regardless of the circumstances, whether the exposure is user-driven or the effect of malware. It also gives IT the controls it needs to protect its most critical asset, the data itself, while remaining transparent to the user.
Regardless of how organizations evolve security operations for mobile data, the right strategy will come from clearly identifying the risk. That is why it is essential for organizations to put concerted effort into researching and analyzing the activity of their mobile users, apps and data. Knowledge is the key to operational success for security teams as they take on this mobility wave.