by Samuel Greengard, writer, Security Roundtable, January 24, 2018
Mobility is at the center of today’s enterprise. Employees rely on smartphones, tablets, and personal computers to access data anywhere and at any time. It’s no news flash that these devices are now a critical piece of the enterprise productivity scheme. Yet, all the gain doesn’t come without some pain: employees carrying devices and data wherever they go—and sending and receiving data and files over the air—dramatically increases the odds of a security breach.
“There are enormous risks associated with the loss of data and information,” said Benson Chan, senior partner for Strategy of Things, a Hayward, California, technology-consulting firm. “Today’s business environment makes it very easy for data to be lost, stolen, or otherwise compromised.” This encompasses everything from how people use and store laptops on business trips to how, when, and where they use public Wi-Fi networks and personal devices.
What this all means is that it’s essential to create a framework for protection. According to Paul Hill, a senior consultant at SystemsExperts Corporation in Sudbury, Massachusetts, a program must focus on three key areas: device configurations, physical security, and the use of networks. “Companies should provide detailed guidance on the acceptable use of mobile devices to all traveling workers,” he explained. “The guidance should be based on the perceived risk resulting from the type of data that travelling workers might access, could have stored on the device, and where they travel.”
There’s certainly no shortage of news reports about laptops and data being lost or stolen. These incidents not only pose a threat by exposing the data on the device, they can lead to further breaches or break-ins. They might also lead to legal problems. For example, in 2015, EMC and Hartford Hospital agreed to pay US$90,000 to the state of Connecticut over the theft of an unencrypted laptop from an EMC employee’s home. The theft compromised personal data for 8,883 residents of the state.
Data thieves also intercept data over the air and establish free Wi-Fi networks—sometimes with SSIDs that trick users into thinking they are legitimate networks—to take advantage of harried travelers. Yet, even a legitimate network at a hotel or coffee shop represents real-world risks. Anyone with access to the password can lurk on the network, view activity, and use specialized software to steal data. A password and login simply aren’t adequate for ensuring security and privacy.
According to Terry Young, senior product marketing manager at Palo Alto Networks: “Today, the risks come from many directions.”
Here’s how your enterprise can better protect devices and data when employees hit the road:
Focus on device configuration. IT teams should ensure that all devices require a password, pass phrase, or PIN access, Hill said. In addition, mobile devices must have full system or full disk encryption enabled. These devices should have malware protection installed and the systems should be configured so that end users cannot shut them off or modify the security software in any way. It’s also wise to require the use of a virtual private network (VPN). “A VPN adds another layer of security,” Chan said.
Provide protection for devices. A growing problem, Young noted, is a lack of protection on mobile devices. This is particularly a problem on Android devices, which come in hundreds of different models. “We are witnessing an uptick in malicious activity on the Android platform,” she said. Not only can devices wind up compromised, but hackers and attackers can worm their way into an enterprise network and unleash spyware, ransomware, and other threats. In some cases, attackers might use Android phones to propagate Windows malware. “It’s critical to use malware protection and monitor devices and activity,” Young added.
Address physical security. Many problems occur because workers fail to follow basic precautions and protocols when they are working outside the office. One fundamental safeguard is avoiding business centers and kiosks at hotels, airports, and other locations.
Hill noted that several other critical precautions are important: make sure devices are locked in the trunk of rental vehicles; always place mobile devices in carry-on luggage; power down devices at international borders; and inform corporate security if an agent demands a login or forces an employee to disclose a password. Chan said that a privacy shield is essential on airplanes and other public locations. “People should always be aware that someone sitting next to them could be a competitor or a thief.”
Keep an eye on Wi-Fi. Wireless technology also represents real-world risks. “Employees should be extremely cautious about using hotel networks or public Wi-Fi hotspots,” Hill warned. Airline Wi-Fi is also a serious security concern, since it’s a public network. “In general, these networks should only be used in conjunction with a company VPN. However, a VPN does not mitigate all threats when using these networks. Employees should be trained in what to be suspicious of and how to identify a valid SSID.” One way to avoid the problem altogether is to supply employees with a Mi-Fi connection option or ensure that they use a personal hotspot through their mobile phone. If an organization opts for the latter, it’s crucial to configure devices with a strong password.
Likewise, it’s important to ensure that Internet of Things (IoT) devices and personal accessories are properly configured. Bluetooth is especially vulnerable. “Companies should provide employees with guidance on the acceptable use of Bluetooth devices, acceptable profiles, and how to properly configure devices securely,” Hill said.
A traveling workforce represents the classic challenge of balancing productivity and security, Chan concluded. What’s more, as the use of mobile devices has become pervasive—and the cloud has entered the picture—the goal of protecting sensitive data has become more difficult.
Securing devices starts with establishing clear policies and strong controls. Organizations frequently benefit by using mobile device management (MDM) software that can track, oversee, and wipe lost or stolen devices. “But technology and processes are not a silver bullet,” Chan warned. “Organizations still face a basic problem: If someone decides to bypass controls, whether intentionally or unintentionally, they have created a gap.” He suggests adopting a balanced approach that focuses on three things: technology, policies, and education. “In many cases, security gaps occur because someone is simply trying to get their work done and they require Internet access.”
It’s also important to conduct audits and keep an eye on evolving technology. In the end, according to Chan, good security practices are as much about behavior as they are controls and enforcement. “People must understand what puts data at risk and when they are engaging in risky activity. If something is extremely sensitive, then it’s wise to ensure that you’re on a secure network and using encryption or take it offline.”