Could your trip to the beach herald a corporate technology doomsday?
by Jo Perrin
Are you planning on working while you’re away this summer? Will you be using your laptop at the lakeside, your BlackBerry at the beach, your smartphone in the souk? Notwithstanding the obvious threat of sun, sea and sand on sensitive electronic devices, a pickpocketed peripheral or a compromised computer could be much more than an inconvenience – it could be a threat to corporate security.
With work becoming an activity, rather than a location, and increasing numbers of devices traveling in back pockets, handbags and briefcases, mobile device security is today a critical business imperative. The corporate network is no longer contained within the four walls of the office, but extends to wherever an employee, partner, customer or other stakeholder may be, and whichever device they are using to access it.
But security risks to mobile devices continue to rise as hackers discover new ways to infiltrate smartphones and tablets, especially by exploiting mobile applications. Users face daily threats from Trojans and other computer viruses that can potentially expose sensitive personal data, including credit card numbers, or which can lead to expensive charges on customer bills by sending text messages or making calls. Corporations risk exposing corporate data – Verizon’s 2013 Data Breach Investigations Report showed that seventy-six percent of network intrusions exploited weak or stolen credentials (user name/password); 40 percent incorporated malware (malicious software, script or code used to compromise information); 35 percent involved physical attacks (such as ATM skimming); and 29 percent leveraged social tactics (such as phishing).
The challenge is two-fold – firstly, what should the enterprise do to protect its data? And secondly, what precautions should employees take if they are using their devices on the go?
From the enterprise perspective, the first step should really be to establish a managed mobility strategy, which equips employees with the mobile solutions they need to do business when it happens, where it happens, but which also protects the corporate assets used on mobile devices, regardless of whether those devices are owned by the company or its employees. Cloud-based solutions such as Verizon’s Enterprise Mobility as a Service (EMaaS) can simplify the management of personal and company-owned devices, enabling apps to be provisioned to users even as you control who has access to what, track usage and licensing, and secure sensitive information. As ever, doing simple well is critical, so as a basis, there are three things every enterprise should take on board:
- Employ security policies to protect employer-issued devices. Employers should enforce password-based access and require voice mail codes so that only authorized users can access data on employer-issued devices.
- Be mindful that more and more employees bring their personal devices to work. Companies therefore must have security systems and policies in place to safeguard their business environment and prevent access to company networks from employees' personal devices.
- Remember that mobile devices are tiny handheld PCs. Many security threats that apply to traditional computers also apply to mobile devices, such as smartphones and tablets, and consumers should take necessary measures to protect themselves. One way to do this is to install anti-malware software on mobile devices and enable VPN functionality.
But the individual also has to take some responsibility. ICSA Labs offered guidance on how to combat mobile security threats some months ago which still rings true today. Key points are:
- Only buy apps from recognized app stores. Apps from unofficial third-party stores and applications downloaded from peer-to-peer sites are much more likely to contain malware than apps sanctioned by official vendor stores such as the Android App Market or Apple App Store.
- Think twice about accepting "permissions." Most applications, legitimate as well as malicious ones, require users to accept several "permissions" before the apps are installed. Check carefully to be sure that the app comes from a legitimate source.
- Monitor bills for irregular charges. If attackers gain access to personal information stored on your phone, they can quickly rack up charges by sending "silent" text messages to high-priced call services. For example, if the Android Trojan GGTracker is inadvertently installed on a device, it can sign up users, without their knowledge, for premium text messaging services.
- Consider your connections: Log out of ecommerce sites once your transactions are complete, and turn off WiFi and Bluetooth when they are not in use.
- Protect your mobile phone password and voice mail pin. If your mobile phone does not currently have a password, add one that is at least six digits. Try to choose a unique password that is not already used across other systems and accounts. Do not use repeating digits in passwords or voice mail pins, and do not store passwords on your device. Remember that your provider will never request your voice mail pin, so do not be tempted to provide it to anyone who requests it.
- Out of sight is out of mind: Don’t leave your devices on show, where they can tempt an opportunist!
- Immediately report any concerns: If you detect infection on an employer-issued device, immediately report your concern to the employee help desk or IT security personnel.
So that’s how to protect your data while on the go. Now all you need is a sealed plastic bag to keep out the elements…