While the trend towards workforce mobility is undoubtedly growing, many companies don’t take into account the full breadth of security vulnerabilities that can result. Strong passwords and full-disk encryption have their place, but VPNs continue to be one of the most reliable and effective ways to protect mobile data. Additionally, as more people use personal mobile devices for work purposes, protecting these devices with encrypted VPNs becomes essential.
Although Apple iOS and Android smartphone platforms are built with security in mind, their built-in mechanisms are not enough to protect enterprises from all breaches. Even so, these mobile security vulnerabilities are routinely overlooked, which is part of the reason why mobile security breaches have skyrocketed in 2011. Below we will take a look at some of the major high-profile company breaches of 2011, develop a sense of the potential real-world ramifications of those breaches, and explain how enterprises can improve their security to prevent future mobile security issues.
Top VPN breaches of 2011
- Gucci: A former Gucci network engineer created a fake employee account to access and control the company’s computer system, eliminating access to documents and emails in Gucci’s servers. This cost Gucci more than $200,000 in lost productivity and restoration efforts.
- DigiNotar: Hackers tricked the digital certificate authority’s system into issuing more than 500 fraudulent digital certificates for top Internet companies like Google, Mozilla and Skype. The hack happened in early June, but DigiNotar didn’t uncover the breach until mid-July. The company filed for bankruptcy in September.
- Comodo: Hackers issued fraudulent SSL certificates to seven Web domains, including Google, Yahoo and Skype.
- Citigroup: Hackers gained access to the account information of over 360,000 accounts, viewing customer contact info and transaction history and exposing security flaws in the company’s website.
- Sony: Account information of 93,000 users was compromised when hackers accessed the PlayStation Network and Sony Online services.
With the number of smartphone users set to increase 49.6 percent from 2010 to 2012 and the ubiquity of Wi-Fi, it's often a simple VPN that stands between a company's network and the slew of opportunistic hackers.
Mobile users implementing a VPN on their device should know that not all VPN solutions are meant for mobility. A conventional VPN client cannot handle changing physical connectivity, IP addresses and points of network attachment. Because it’s meant for users who tunnel from stationary devices, a conventional VPN will most likely disconnect if users try to switch between networks. Once disconnected, users waste valuable time re-authenticating and risk the security of their data. A dropped VPN means users automatically have to go back to a regular “connecting mode” through an insecure tunnel.
VPNs that are designed to adapt easily to network changes and that enable seamless mobile roaming are the best options for teleworkers. Solutions should allow devices to automatically change between 3G/4G, Wi-Fi and LAN networks, for example, redirecting the VPN tunnel without interrupting mobile computing sessions. The VPN should also automatically recognize secure and insecure networks, activating the appropriate firewall and security policies as needed.
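To check how a deployed client actually behaves when devices roam, an administrator can measure the gaps between tunnel drops and re-establishment. The following is an added example, not code from this article or from any VPN product: the log format, event names and the `exposure_windows` helper are assumptions, and the sample log is constructed.

```python
from datetime import datetime

# Constructed sample log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2011-11-02T09:00:05 laptop-17 TUNNEL_UP net=corp-lan
2011-11-02T09:41:10 laptop-17 NET_CHANGE net=cafe-wifi
2011-11-02T09:41:10 laptop-17 TUNNEL_DOWN reason=address-change
2011-11-02T09:41:55 laptop-17 FLOW dst=203.0.113.20:80 via=direct
2011-11-02T09:43:40 laptop-17 TUNNEL_UP net=cafe-wifi
2011-11-02T10:15:00 laptop-17 NET_CHANGE net=carrier-3g
2011-11-02T10:15:00 laptop-17 TUNNEL_DOWN reason=address-change
2011-11-02T10:15:02 laptop-17 TUNNEL_UP net=carrier-3g
"""

def parse(log):
    """Yield (timestamp, device, event, fields) for each non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, device, event, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        yield datetime.fromisoformat(ts), device, event, fields

def exposure_windows(log, max_gap_s=5):
    """Report tunnel-down windows that lasted too long or carried direct traffic."""
    down, findings = {}, []
    for ts, device, event, fields in parse(log):
        if event == "TUNNEL_DOWN":
            # Keep the earliest drop if several are logged before recovery.
            down.setdefault(device, {"start": ts, "direct_flows": []})
        elif event == "FLOW" and device in down and fields.get("via") == "direct":
            # Traffic that left the device outside the tunnel during the gap.
            down[device]["direct_flows"].append(fields["dst"])
        elif event == "TUNNEL_UP" and device in down:
            window = down.pop(device)
            gap = (ts - window["start"]).total_seconds()
            if gap > max_gap_s or window["direct_flows"]:
                findings.append({"device": device, "gap_s": gap,
                                 "direct_flows": window["direct_flows"]})
    # A tunnel still down at the end of the log is an open-ended exposure.
    for device, window in down.items():
        findings.append({"device": device, "gap_s": None,
                         "direct_flows": window["direct_flows"]})
    return findings

if __name__ == "__main__":
    for finding in exposure_windows(SAMPLE_LOG):
        print(finding)
```

In the sample, the Wi-Fi handover is flagged because the tunnel stayed down for 150 seconds and a flow went out directly, while the 3G handover recovers in 2 seconds and is not reported at the default threshold.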
Enterprise security is a broad and complex framework, and mobile security is a growing piece of that puzzle. With an overall security model embracing VPN technology, the right mobile policies, and employee communication and training, companies can improve their security profiles and help teleworkers focus on business rather than worrying about establishing and securing their network connections.