If anyone told you they had all the answers, you’d probably be dubious about the claim no matter what the topic, nevermind the increasingly complex issue of securing endpoints in the enterprise.
Wireless carriers are boosting cyber security efforts to help their business customers ward off threats, but because of the sheer scope of threats faced and the way mobile devices are managed at many businesses, there are limits to what help they can provide, according to Paul Howarth, senior director of wireline and security portfolio for Rogers Communications. Rogers has launched new services and solutions for business to help in recent months and continues to work on more, but some things it just can’t do.
For instance, provide security directly to the device of a company that’s using a bring your own device (BYOD) strategy. Privacy laws in Canada prevent Rogers from putting mobile security software directly on the devices of its customers based on the request of their employer.
“When I’m dealing with your employees, they’re not your employees, they’re Canadian citizens,” Howarth says. “I’m not even allowed to mention to you that they’re one of my customers.”
Often the idea to ask carriers to help secure mobile devices of employees comes out of the finance department, he told attendees of the CIO Peer Forum last week. He also pointed to some results from a Rogers survey showing that 70 per cent of firms are aware that breaches can happen even to a small business, and that 68 per cent may face a mobile-based threat. Yet 86 per cent of firms are not confident that they are taking sufficient measures to protect themselves from mobile security threats. (Howarth didn’t share details about the number of survey participants or when the survey was conducted).
Some businesses are feeling overwhelmed with security and are justing giving up, Howarth says. Others are just doing whatever they can with their budgets and business priorities.
BYOD continues to be a global trend that impacts IT planning, according to analyst firm IDC Corp.’s 2018 forecast report. Results of the trend have included the positive side of increased employee productivity, leading many enterprises to favour allowing employees to choose and purchase their own devices. It’s possible the BYOD trend will wane over the next few years as devices become more customized to meet the needs of enterprise customers.
When BYOD includes thousands of college frosh
At Vancouver-based Douglas College, CIO Ian McLeod faces a unique BYOD scenario. Not only does he have faculty and staff to manage on his network, but about 16,000 Wi-Fi hungry students swarming the campus. It’s not unusual to see a single student connecting four devices, he says.
“The first thing they want to do when they come in the door is connect their wireless devices to our systems,” he says. “I don’t think you’ll ever manage to protect the student side of the operation. In many cases, students’ aren’t as concerned about security as you might expect them to be.
McLeod protects his network security by running the student Wi-Fi access on an independent subnet. Any device connected to the campus internal LAN must be wired to Ethernet or a mobile device issued and provisioned by the IT department. Faculty and staff are welcome to bring their own devices as well, but they too are restricted to the same subnet used by students for Wi-Fi.
McLeod suggested that carriers could consider packaging mobile antivirus software with each device it sells. This is often done with laptops in the consumer market.
Horwath says that if any further measures are considered, it has to be in a way that doesn’t include extra costs for the customer. “Nobody will pay another dime for a mobile phone subscription,” he says. “There’s price sensitivity out there.”
It’s possible that Rogers could provide better security for all of its Internet users by using DNS filtering, he says. This would serve like a blacklist for all Rogers users where known malicious actors are blocked at the DNS level. This could be done without additional software on endpoints and without any action required on the part of consumers at all. But it’s just an idea at the moment.
Five tips for better mobile security
As to what it can offer businesses, Horwath offers this advice:
- Implement MDM.
- Don’t rely on two-factor authentication over SMS, which has proven insecure. Inst,ead use a time-based one time password (TOTP) application.
- Keep BYOD devices restricted to just Internet access if possible, restricting them from an internal network.
- Consider updating your terms of employment to allow for mobile security on BYOD devices.
- If you use BYOD, set minimum software and hardware standards that must be met for support.