Wednesday, February 22, 2012

Mobile security - it doesn't have to be a Wild West standoff

Last month, we posted a blog about the “bring your own device” (BYOD) practice that more and more businesses are welcoming as a part of their internal communications. 

While we could speak all day on the plethora of benefits this provides for organizations, there’s another trend running parallel to this that IT directors should be wary of, and it’s not a good one.

"This network ain't big enough for the two of us!"
Think of the recurring use of personal devices for work purposes like the old, Wild West. There are many landscapes still being discovered while more and more people join the trend. But, like the Wild West, there’s still a lack of governance for these new landscapes. Therefore, there are more possibilities for some “bad apples” to take over the territories for themselves, putting people’s smartphones and tablets in jeopardy.

Confused by the Wild West reference? We’re talking about hackers here, people. 

Hackers: the people with enough technical experience to take control of other people's computers from their own device, no matter the distance between the two systems, or to sneak into PBS’s network and tell the world that former rap star Tupac Shakur was still alive and living in New Zealand (*cough* LulzSec *cough*).

In February 2011, PC World reported that cybercrime had doubled in growth "year after year," and according to Noa Bar-Yosef, senior security strategist for Imperva,
"In the last half of (2010) there were 2,383 mobility-related keywords in hacker forum threads compared to only 264 on the previous half - almost a tenfold increase" (Keeping Data Safe When it Leaves the Corporate Nest).

These hackers are using the same tactics with mobile devices as they have for years with computers - installing malware, phishing, etc. The difference now, however, is that companies that allow their employees to use their own devices for out-of-office communication, particularly companies holding sensitive data, are at a much higher risk of a breach of their data and information than they were before.


Why is this the case? Because there is still limited IT control over these devices. A personal device is thought to be just that, personal. But when an employee makes the decision to bring it to work and use it for business-related transactions and communication, their phone is no longer just their own device.

"Organizations need to respond to this trend by developing policies to address new mobile work styles that can drive productivity through more flexible working, while safeguarding the use of data and sensitive information," wrote Stephen Withers in an article for iTwire last November.

Business Computing World lists some policies that can be developed and implemented by IT directors:
  • Remote wipe and lock: IT managers can require employees to install remote wiping software on their device before using it for work. This allows IT to lock down and erase data if the device is stolen or lost.
  • GPS tracking: "Some Mobile Device Management (MDM) solutions allow IT to send an alarm to the device to help identify the location for a user, and if truly lost, IT can then leverage the wipe and lock technology mentioned above."
  • Network authentication, authorization, accounting: IT can adopt solutions that tie devices connected to the organization's network to each user's identity and role, then apply the proper policies (depending on the role) to grant certain access privileges. "This enables IT to differentiate access for different levels of employees or guests, or even by device type. It also lets IT take a proactive stance on tracking and monitoring how mobile devices are being used within their network."
  • Secure remote support: Many BYOD users use personal mobile devices for work when out of the office, so having a secure way to support and fix these devices from a remote location is necessary. It allows help desks to "configure devices, chat, transfer files, and even remotely see and control the device."
  • Acceptable use policy: Just as a company expects its employees to use their work computers only for work-appropriate purposes, it should expect the same of personal devices employees choose to use for work. Having employees sign an Acceptable Use Agreement before they are given access to the company network with their personal device gives IT a better grasp on the conditions under which the employee is allowed to use their phone. The agreement may include conditions, such as installing a device certificate or the remote wipe software, or state that devices can be seized if necessary for legal matters.
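The "network authentication, authorization, accounting" and "acceptable use policy" items above describe a policy IT can enforce mechanically: identify the user, look up their role, check that the device is the one registered to them and meets the agreed conditions (device certificate, remote-wipe enrollment, signed agreement), grant only what the role allows, and keep a record of each decision. The following is an added example, written for this page and not code from the original post or from any MDM product; the user directory, roles, resource names and device records are all constructed for illustration.

```python
"""Role- and device-aware network access policy (added illustration).

authorize() applies, in order: the gate conditions from the acceptable use
policy (device registered to the requesting user, agreement signed), the
role's entitlements, and extra conditions for sensitive resources (device
certificate + MDM/remote-wipe enrollment, and no file shares from phones or
tablets).  Every decision is appended to AUDIT_LOG, which is the
"accounting" part of AAA.  All names below are constructed, not real.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str          # user the device was registered to by IT
    kind: str           # "phone", "tablet" or "laptop"
    has_cert: bool      # device certificate installed
    mdm_enrolled: bool  # remote wipe/lock available to IT
    aup_signed: bool    # owner signed the acceptable use agreement


# Constructed user directory: anyone not listed is treated as a guest.
ROLE_OF: Dict[str, str] = {"alice": "employee", "bob": "contractor"}

# What each role may reach on the network (constructed resource names).
ROLE_RESOURCES: Dict[str, Set[str]] = {
    "employee":   {"internet", "email", "intranet", "file-share"},
    "contractor": {"internet", "email"},
    "guest":      {"internet"},
}

# Resources that additionally require a managed, certificate-bearing device.
SENSITIVE: Set[str] = {"intranet", "file-share"}
# Resources never offered to phones/tablets, whatever the role (by device type).
NO_MOBILE: Set[str] = {"file-share"}

AUDIT_LOG: List[str] = []   # accounting: one line per authorization decision


@dataclass
class Decision:
    user: str
    role: str
    allowed: FrozenSet[str]
    denied: Dict[str, str]   # resource -> reason it was refused


def role_for(user: str) -> str:
    """Unknown users fall back to the least-privileged role."""
    return ROLE_OF.get(user, "guest")


def authorize(user: str, device: Device, requested: Set[str]) -> Decision:
    role = role_for(user)
    allowed: Set[str] = set()
    denied: Dict[str, str] = {}

    # Gate conditions: if either fails, nothing is granted regardless of role.
    blocker = None
    if device.owner != user:
        blocker = "device is registered to another user"
    elif not device.aup_signed:
        blocker = "acceptable use agreement not signed"

    for res in sorted(requested):
        if blocker is not None:
            denied[res] = blocker
        elif res not in ROLE_RESOURCES[role]:
            denied[res] = f"role '{role}' is not entitled to '{res}'"
        elif res in SENSITIVE and not (device.has_cert and device.mdm_enrolled):
            denied[res] = "sensitive resource requires device certificate and remote-wipe enrollment"
        elif res in NO_MOBILE and device.kind in ("phone", "tablet"):
            denied[res] = f"'{res}' is not offered to {device.kind}s"
        else:
            allowed.add(res)

    decision = Decision(user, role, frozenset(allowed), denied)
    AUDIT_LOG.append(
        f"user={user} role={role} device={device.device_id} kind={device.kind} "
        f"allowed={sorted(allowed)} denied={sorted(denied)}"
    )
    return decision


if __name__ == "__main__":
    phone = Device("phone-01", "alice", "phone", has_cert=True, mdm_enrolled=True, aup_signed=True)
    print(authorize("alice", phone, {"email", "intranet", "file-share"}))
    print(authorize("bob", phone, {"email"}))   # bob on alice's device: refused
    print("\n".join(AUDIT_LOG))
```

The ordering matters: the gate checks come first so that a device used by someone other than its registered owner is refused everything and the refusal is recorded, and the audit line is written whether or not access was granted, which is what lets IT "take a proactive stance on tracking and monitoring" as the quoted text puts it.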

While some may see IT taking such measures as a bit controlling, at the end of the day, it will ensure security, not just for the company's data, but also for the person to whom the device belongs and their personal data (i.e. banking information, personal account logins, contact information, etc.). And, just like in the old, Wild West, when a new sheriff comes in to town (or, in this case, a new IT policy regarding personal devices), keeping order is a shared responsibility between both parties. The "sheriff" lays down "laws" to ensure everyone's safety, and if people follow these laws, they're less likely to be harmed by malicious, external forces.
