Article published in Harvard Business Review – Recommended Read
By Larry Dignan
September 22, 2016
Mobile devices are one of the weakest links in corporate security. Executives are wrestling with managing a proliferation of devices, protecting data, securing networks, and training employees to take security seriously. In our Tech Pro Research survey of chief information officers, technology executives, and IT employees, 45% of respondents saw mobile devices as the weak spot in their company’s defenses. (Employee data was cited by 37%, followed by wireless access of networks at 34% and bring-your-own-device efforts at 29%.)
Meanwhile, the potential for mobile attacks continues to expand. In July, ComScore reported that half of all digital time was spent on smartphone apps, and 68% of digital time overall was spent on a mobile device. If mobile security isn’t a problem for your company yet, it will be.
Consider the following recent events:
• A set of flaws called “QuadRooter” left more than 900 million Android devices vulnerable to attack. The code was published online. Google has since patched Android.
• Pokémon Go became a global phenomenon, but people in regions without the game downloaded it from unauthorized marketplaces, exposing their devices to malicious attacks.
• Researchers at Binghamton University found that wearable devices and smartwatches can give away PINs and passwords through an algorithm that has 80% accuracy on the first try and 90% after three attempts.
Securing mobile devices is tricky. Android is a fragmented mobile operating system. Security researchers are anticipating more attacks on Apple’s iOS. Employees lose their devices and can be lax with security compliance. Toss in people bringing their own unsupported devices to work, and you can see why security executives are stressed.
Now for the good news: These challenges can be overcome. Our previous survey work at Tech Pro Research found that only 12% of companies have been hit by a mobile security breach. There’s still time for businesses to improve their mobile security practices. Yes, mobile devices can be a problem, but like most things in the security world, the issue isn’t necessarily the smartphone, tablet, or laptop. The problem is us. The solution is following security best practices, protecting corporate data, and educating humans — the real weakest link.
In a July report on mobile security, we noted that mobile devices are breached largely because people lose them or don’t practice good security habits (including not applying the latest security updates), not because of inherently weak security in devices.
Simply put, most corporate mobile security incidents are due to humans failing to follow basic security procedures. Given that reality, mobile security needs to be part of the broader policy and procedure mix.
Tech Pro Research analyst Jack Wallen outlines the following recommendations to shore up security overall and fortify corporate mobile defenses. These recommendations are based on best practices as well as responses to our surveys.
• Educate employees and upper management. People need to learn how their actions can have consequences. Sessions on protecting corporate data and thwarting social engineering efforts could be useful. Educating upper management is a different task for information technology executives. The education job here is to make sure upper management knows how dire security breaches can become. Employees traveling abroad can also become easy targets without security know-how.
• Continue to invest in systems to encrypt data and protect networks and the full range of endpoints: internet-of-things sensors, point-of-sale terminals, mobile devices, and so on.
• Audit networks, retool and continually update security policies, and migrate systems to a more secure provider. These efforts have to incorporate mobile risks from devices currently in the workplace today, such as smartphones, as well as devices that will be soon, such as wearables.
• Hire a digital forensics specialist. Of companies with 1,000 employees or more, 41% have a digital forensics expert on staff. These specialists are critical to investigating security issues on all fronts, including mobile. Smaller companies, or companies with fewer resources to devote to forensics, may find themselves easier targets for cyberattacks.
Cybersecurity also involves a heavy dose of individual responsibility. Employees and consumers should follow these best practices from security firms Kaspersky and TechRepublic to secure their devices.
• Set a lock and PIN on your phone.
• Turn on your phone’s auto-lock.
• Use container technologies such as Samsung’s Knox, which adds a layer of security to work items and segments them away from personal items.
• Back up information to cloud services, and store as little as possible on the device.
• Use basic security common sense, such as ignoring spam email and avoiding downloads that don’t come from an approved app marketplace (Apple’s App Store, Google Play, or a company-specific area).
• Keep devices close to you and within sight at all times.
• Use two-factor authentication whenever possible.
• If a device is lost or stolen, notify your employer right away for remote wiping procedures. For a personal device, Android and Apple’s iOS offer remote wiping features.
• Avoid unsecured Wi-Fi connections.
• Keep Bluetooth out of discovery mode when not in use.
• Encrypt corporate data using the security software your company provides.
• Connect your smartphone to company networks via VPN connections.
Mobile security is likely to become the next frontier for corporate security executives as exploits and hacks become more creative. Making mobile a regular part of your company’s broader security policy and procedure framework will be critical.
This article was originally published in Harvard Business Review.
Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet’s sister site TechRepublic and Tech Pro Research.