It is not unusual these days to see professionals using their own mobile devices for work-related tasks. However, the popular BYOD trend, despite its convenience, presents many security risks.
IBM performed a study to “identify if and how mobile is transforming the enterprise and what companies are doing to secure their mobile initiatives.” In summary, because using personal mobile devices in organizations is so common already and because it helps businesses gain measurable productivity, it is easy to forget that security for mobile is a bigger problem than expected.
To ensure successful deployment of mobile in the workplace, it is crucial for enterprises to understand the risks involved with mobile devices as well as employ a mobile-specific security strategy.
Be Cautious When Embracing Mobile
Employee-owned devices can be supported alongside devices that are owned by the organization, but usually mobile devices are separate from company-sanctioned devices and are not supported by the company’s IT department. This means that if personal mobile devices connect to the corporate network or access corporate data, those devices can pose security threats to the organization.
Risks for Networks
Any mobile device could potentially become a part of an enterprise’s network. Because that device is owned by the employee and not confined to the company, it is more likely to be stolen, lost, or even hacked. In a study conducted by Ponemon Institute, “two-thirds of respondents reported a data breach as a result of using their own mobile devices to access company resources.”
Network and mobile security are even more imperative for industries, such as financial services and healthcare, that have developing regulatory, privacy, and operational risks. Enterprises must be aware that unprotected networks—and any unsecure mobile device connected to them—can be compromised.
Risks for Devices
Device flaws are common enough; it seems like every week there is a new vulnerability to patch. Efforts to secure the mobile environment have focused more heavily on Android devices than on iOS. However, this focus is changing, according to the National Vulnerability Database. In 2015 alone, there were 375 Apple iOS vulnerabilities.
Organizations everywhere run the risk of allowing private data to be compromised by personal mobile devices if they fail to implement mobile regulations that help protect against such vulnerabilities.
Risks for Apps
According to SC Magazine, cyber-attacks against web applications are increasing; unfortunately, security budgets for app developers remain low. And when it comes to mobile apps, end users have a plethora of options for accessing enterprise systems. As a result, any corporate data linked to these apps (e.g., Dropbox, OneDrive, Google Drive, and SugarSync) can be put at risk, whether through accidental loss or calculated theft.
To better protect against unsecure apps, an article from Information-Age suggests enterprises need to “define the data and application platforms they want to enable and ensure only authorized apps can access them.”
Why Organizations Should Employ a Mobile Security Strategy
It is possible for enterprises to allow their employees to use mobile devices while reducing the risks of a data breach or the loss of enterprise files and data. This means that all enterprises should enforce basic controls on mobile devices connecting to the central network. When implementing a mobile strategy, consider the following:
- Secure enterprise content on the device, including work email and attachments from system storage files. Enterprises that work with DigiCert can use Client Certificates to digitally identify a particular individual or user to an authentication server.
- Use Mobile Device Management. MDM allows a company to centralize the administration of mobile devices, including phones and tablets. MDM also checks to ensure that devices are not jail-broken, and it can remotely wipe a stolen phone or tablet.
- Protect company data from malicious applications; anything from mail to calendar applications must be secured. Only permit the installation of apps from trusted sources, and fully encrypt mobile devices as well. SSL/TLS Certificates can be used to encrypt sensitive information transmitted between users, and MDM can manage the corporate applications users install on their mobile devices. This way users get correctly licensed versions of apps, as well as pushed software upgrades that patch vulnerabilities.
- Enforce mobile authentication, record times of network access, and restrict jail-broken devices on the network. Using multi-factor authentication provides an added layer of security, and requiring employees to use a VPN outside of the office will create an encrypted connection over a less-secure network.
There is a growing need for mobility in businesses, but as mobile grows, so do security threats. Embracing new platforms and avenues in our online world means successively getting ahead of the risks those avenues open. Employ a solid mobile security strategy, do not downplay the threats, and stay two steps ahead of cybercriminals.