A survey sponsored by Check Point Software Technologies Ltd. found that 64 percent of respondents are doubtful that their organization can prevent a mobile cyberattack, leaving employees' personal information vulnerable to theft.
Alvaro Hoyos, chief information security officer at OneLogin, said that number does not surprise him. He said the employees might not know the ins and outs of their company's security controls. IT departments typically don’t go out of the way to communicate all the security controls that they are relying on to secure your IT environment.
He said companies should use their security awareness training to help users understand what risks you their employers are addressing with technology.
In the report, more than 60 percent indicated some lack of resources (such as budget, shortage of personnel) or lack of experience as the key drivers. Only 37 percent made a conscious appraisal for their company and decided there was not enough risk to warrant the investment.
Travis Howe, CISO of CRM app provider Conga, is also not surprised that the vast majority of organizations feel that their mobile devices are not well-protected.
"While decision-makers understand they should be doing more to protect their employee's mobile devices, they often don’t even realize just how vulnerable they are, ultimately leaving themselves at risk of a critical breach," he said.
Steve Lentz, director of information security at Samsung Research America, said his belief is that many IT and security practitioners rely and think mobile device management (MDM) provides adequate security. “Which is incorrect, MDM provides limited security. Its main function is central management of mobile devices. Look at your typical security infrastructure. Usually, mobile and IoT are white-listed or not behind the security systems, thus vulnerable.”
That might be the reason why only two out of 10 survey respondents believe they have been breached. That seems awfully low; that they might be breached and just don’t know it yet.
“We need to be proactive and ahead of the bad guys, which means our due diligence in finding security solutions for mobile devices and IoT. Both mobile and IoT are on the bad guys' radar due to lacking security. The bad guys want to find the easiest way in, thus mobile and IoT,” he said.
Lentz said in a recent rollout, Samsung found 23 phones with embedded malware leaking sensitive data and another five or six that were jail-broken or rooted with the owners not knowing any of this. He said Lookout missed all this as did traditional antivirus and MDM.
“Security people talk about providing zero-day security for our networks. I take that a step further and include my mobile devices,” Lentz said.
The survey also showed that 94 percent expect the frequency of mobile attacks to increase and 79 percent stated that securing mobile devices will grow more difficult as result.
“We need to take security to all levels, which includes mobile and IoT, not just our networks. We need to keep ahead of the bad guys, which means more research of vendors and solutions to provide full security for your environment. As more and more mobile devices and BYOD grow, the threat will grow,” he said.
“We need to control BYOD devices just as corporate phones,” he said. If the user does not agree to the security apps to be installed and wiping, then they do not get access to the corporate network or company email.
“Mobile and IoT devices are just like a PC to me. I need to provide the best security to these systems just like I do to our PCs and servers behind the corporate LAN. I try my best to stay a step ahead of the bad guys, thus do my due diligence in finding security solutions for an ever-changing landscape. It’s just not PCs and servers any more. It’s much more,” Lentz said.
The report stated that while the cost of a mobile breach is similar to that of a desktop or laptop breach, a third of those surveyed stated the risk of data loss is higher on mobile devices. Just over one third of companies have deployed a mobile threat defense solution, with a lack of resources cited as the primary reason for going without advanced mobile security. That said, this research found that just over half of companies are increasing budget and resources to secure mobile devices compared to previous years.
What can be done
Howe said while no security strategy is one size fits all, organizations should focus on four main capabilities to start ensuring protection:
- Knowledge of where data is stored and the risk that location possesses. Knowing where data is housed is just as important as how it is accessed. For example, most organizations now utilize the cloud, outside of email, which is often the only regularly used data storage on a mobile device. Being aware of both where content is stored, and the risk that location holds can prevent a costly leak.
- Limit access to sensitive data where possible. Many organizations may find that the footprint of a mobile device data breach can be greatly reduced by reducing the number of individuals who have access to the most sensitive data.
- Control of remote access. With mobile usage on the rise, employees are now attempting to access highly-sensitive data from all over the world. Ensuring data can only be reached through a secure, multi-factor authenticated connection vs. through simply entering a password on any device can lower the level of risk significantly.
- Mobile device protections based on risk level. If you find that you must allow access to or store highly sensitive information on mobile devices, have additional protections in place. Services and products exist that provide higher level mobile device security that can be controlled and monitored and if all else fails and a breach still occurs; an organization needs to have the ability to wipe a device of all sensitive data is, no matter where it is located.
Sean Ginevan, director of strategy with MobileIron, said IT has, for years, been perceived as "big brother." He added the world is rife with stories in which IT installed spyware, key loggers, web traffic filters and other technologies onto users' devices. Often this was in the name of "security," but it was perceived as a way for the corporation to intrusively snoop on what employees were doing at the office.
“Rather than be the long arm of human resources, IT needs to act as an enabler for employees. Before deploying a BYOD program to employees, make sure there are tangible benefits for the employee,” he said. Provide tools for productivity beyond simple e-mail access; this can come about as cool applications that let the user be productive both inside and outside the office, secure web access to corporate intranet sites, or easy mechanisms to access business documents.
He said IT needs to proactively communicate these benefits as a part of rolling out the BYOD program and continue communicating the benefits of the mobility program inside the business as improvements are made.
“Be sure to also communicate early and often about privacy – not just what IT will and won't monitor but also why. As new features are introduced, like Apple's HealthKit, be sure to allay any concerns employees may have by proactively addressing what these technologies mean to the BYOD program, even if business has no plans to leverage these new features internally,” he said,
How would you set up a company network to make employees feel safer?
Ginevan said that can be accomplished with tools like the use of certificates that can help ensure that any information the employee transmits over the corporate wi-fi can’t be intercepted by attackers. Moreover, many of the corporate security tools, for instance monitoring that the operating system is up to date and whether it has been tampered with, ensure that end users' private data is protected alongside corporate data.
Hoyos reiterated security awareness training is the number one way to secure all of the endpoints, including those not owned by you which are clearly authorized to interact with your assets (read: BYOD). Nevertheless, there are several technical tools available to secure those interactions.
"But, it is imperative to find the right balance between security and the friction your end users must deal with, especially if those tools are impacting employees' own mobile devices," he said.