The cover story within the latest issue of CSO Digital — read it now if you haven’t already — revolves around the topic of mobile security within the enterprise. Titled “Making Sense of Mobile”, the feature takes a look at how enterprise mobility has evolved and how adopting the latest industry best practices can be mission-critical to protecting sensitive data.
Indeed, mobility on an enterprise scale is disrupting the IT landscape faster than ever before, fuelled by higher-powered smartphones, tablets, laptops and 3G- and 4G-enabled devices of all kinds.
With that in mind, here are the key takeaways when it comes to securing mobile devices across the organization:
Develop strong authentication and password controls
A recent IDC Canada study that asked organizations to rate the likelihood that their organization could be compromised revealed a clear blind spot — many businesses didn’t strongly consider tablets, smartphones and web applications as potential points of security weakness. More worryingly, fewer than 25 per cent of organizations had provided mobile security training for staff during the preceding 12 months, the report found.
Organizations just don’t connect the data these devices have access to with the threat of being attacked, said Kevin Lonergan, senior analyst with IDC Canada, who added that new mobile vulnerabilities are coming to light with increasing regularity.
Yet the majority of organizations are training few, if any, of their staff in mobile security basics such as using a strong password, two-factor authentication or biometrics.
Establish a clear control policy for third-party software, app stores and BYOD
Enterprises must also be aware of all devices connected to their network and every app installed on them in order to spot malicious capabilities or vulnerabilities, according to Bharath Rangarajan, a vice-president of mobile endpoint security at Lookout.
That means not using mobile device management (MDM) solutions in isolation, and complementing them with a security layer, he said.
“It’s also important to understand the difference between malicious apps and risky apps, and how each application could directly impact the business.
This drives a more informed BYOD strategy that helps balance security with user freedom, instead of simply blocking all the ‘risky’ applications your employees wish to download,” Rangarajan said.
Develop distinct, secured mobile gateways and network protocols
The value proposition for enterprise mobility is obvious: remote productivity, improved communication and sensor network access. But as a recent study from IT research firm Ponemon Institute highlighted, as the number of mobile devices and applications entering corporate offices rises, so do the security risks — as high as US$26.4 million per hack, once everything from operational costs to reputational damage is factored in. With more and more devices accessing the internal network, content caches and business applications, tracking and governing the mobile environment becomes a challenge that threatens both the network and overall compliance.
The average CSO is no stranger to change, but there are key compliance, cost and security challenges to contend with when it comes to this mobility disruption, said Ahmed Etman, general manager of cybersecurity for Cisco Canada. In the past, mobile deployments were all about protecting a single device that could access the corporate network, he said.
But the rise of mobile devices is creating a strain on an organization’s network infrastructure, and few in the organization see the resulting security challenges as a whole.
CSOs should be looking at an integrated threat defence strategy, one that includes both mobility and the cloud, according to Etman.
Conduct regular mobility security audits
Define a mobile policy that clearly integrates mobility into the enterprise while managing the IT strategy and staff expectations, said James Cooper, chief technologist, mobility & workplace global practice for HP Enterprise Services. Organizations need to remember that the days when corporations provided a device and individuals used it only to send personal email and make calls are long gone.
This includes defining personal device use down to device choice, setting guidelines for usage restrictions and developing a support infrastructure that includes security and mobile device management solutions. One security approach is to develop a distinct persona with different security controls, Cooper said.