Mobility and security – the world is moving fast

Enterprise mobility is expanding to an array of devices, such as connected cars, smart TVs, smartwatches and others. Traditional endpoint management models are incompatible with protecting this new ecosystem.

John E. Girard is a VP and Distinguished Analyst in Gartner's Endpoint and Mobile Security practice. He spoke at this year’s Security and Risk Management Summit, held in Sydney.

Girard started by describing a recent incident. A system administrator was talking about how much easier his job had become now that he could administer systems using an app he recently downloaded to his Android smartphone. It turns out many of the remote management apps offered through that app store had some sort of security vulnerability.

Even if the app is not intentionally malicious, its design might circumvent your existing security measures.

“I can just sit outside, Kevin Mitnick style, and get access to the system,” says Girard.

The risks that we see with mobile represent the tip of the iceberg, he says. With the emergence of IoT and M2M (machine-to-machine) communications, the threat surface has expanded considerably and there is less visibility as to what’s going on.

So what external forces will shape mobile security in 2020?

As systems collect, interpret and act on data autonomously, we put more trust in those devices. But what are the conditions that are sufficient to allow us to trust them?

New business designs blend the physical and digital worlds: This means a digital breach can cause physical damage. Even though we are reliant on digital technologies for many things, there will always be mechanical components.

For example, a flaw that was discovered in one line of “smart” lightbulbs could result in an entire building being blacked out, causing a safety issue where forklifts or other devices could cause an accident.

“A couple of years ago, Jay Heiser [Gartner researcher] put out a prediction on loss of life because of mobile devices and IoT. I don’t think we’ve hit that point yet but we’re getting awful close,” says Girard.

People and physical devices exchange information equally: Smart devices can become autonomous and be used maliciously.

For example, a resume sent by a prospective employee had code embedded within it that altered the printer’s firmware, turning the printer into a listening device that could tap into a company’s VoIP phone system and allow a third party to listen in on phone conversations.

“You’re going to have to rely on more protection based on data-centricity. We really ought to start assigning rights to every piece of information we’ve got so we’re classifying from the beginning. You never know when something in your environment is going to start grabbing information”.

This is why tracking anomalous behaviour becomes important.

“If a light bulb is trying to act like a printer and printer is trying to act like a network proxy, then you’ve got a problem,” he says. “It’s a level of granular security on a scale we haven’t done before”.

So what can be done?

Girard presented a plan straight from the Gartner playbook, suggesting actions that can be taken immediately, within the next 90 days and in the next year.

The most immediate steps to take are to conduct an audit of devices and use-cases to identify policies that either need to be written or updated, and look at how digital business will impact the current and evolving mobility policy.

For the next three months, translate the technical risks into business language and evaluate the company’s risk appetite. Also, lock down “dumb” devices, put containment processes in place for smart sensors and focus on getting the basics right.

By this time next year, identify the overlap of controls and tools such as cloud access security brokers and enterprise mobility management, and continue to review and refine your mobile security strategy and processes.

Below is a visual about connected car security, along with different hack points listed throughout the vehicle:

[Image: IoT security for connected cars]
