A report by IDC predicts that there will be over 1.7 billion smartphone users by 2020. Add the other figures from IDC’s FutureScape: World Mobility 2017 Predictions report, which forecasts that IT spending on mobile will peak at 50% of total enterprise budgets by 2019 and that the number of enterprise mobile applications will double by 2018, and it becomes apparent that enterprise use of mobile platforms is growing fast.
The trend is driven by organisations encouraging mobile working through Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) policies. This approach lets staff work at any time, from anywhere, using either their own device or one supplied by the company to the user’s specification. The FutureScape report also notes that up to 40% of organisations will save time and money by adopting common management and policy controls across device types, so that all endpoints are managed from a single system. That is a sensible requirement, because a mobile workforce introduces a host of new security risks.
Mobility provides many benefits, chiefly because it lets organisations get the most from their workforce while reducing the space needed to ‘house’ it. That said, the security concerns around BYOD and CYOD are growing. Enterprises need a strong mobile strategy with security at its core in order to mitigate risk and defend against cyber-attacks. Three key concerns need to be addressed:
- The growing prevalence of phishing by text message and other social engineering, where users receive, or unwittingly forward, messages containing malicious hyperlinks. Following such a link can let cybercriminals hijack an online session, or lead the user to a replica site where they unknowingly reveal their credentials or let malware into their organisation’s network.
- Use of public networks. Mobile devices used for work are likely to hold information about the organisation, or to carry portals or cloud access that connect to corporate networks. Users who access company networks or data over public, unsecured Wi-Fi put their organisation, and themselves, at risk of infiltration.
- Poor risk awareness and education. People who use their own device, or a company device, to access company data and networks are often unaware of the risks in doing so. That lack of awareness leads to unsafe behaviour, putting themselves, their devices and the organisation at risk.
Poor management of these areas puts the entire organisation at risk. Organisations could lose valuable data, or see it end up in the wrong hands and be used for unauthorised purposes. A data breach can result in lost revenue, interrupted operations and reputational damage.
There is also risk for the individual user, who can suffer personal losses.
Defining a strategy
Defining an enterprise mobile strategy amid the vast variety of mobile devices available today can be tricky. Organisations need to define what constitutes an acceptable device, whether user-owned or a company asset. These permitted devices also need strict management policies, including a jailbreak and rooting policy that forbids users from unlocking their phones to gain unrestricted access, since a jailbroken or rooted device bypasses the platform’s built-in protections. The policy must also define which applications, websites and social media portals are permitted or restricted.
In conjunction with the device policy, there should be a security policy which imposes security tools across all devices, and outlines security best practices and rules. The following should be covered under the policy:
- The right network topology and access rules for Internet access from company premises, with a firewall, intrusion detection system, web gateway, email gateway and Advanced Persistent Threat (APT) protection filtering Internet traffic.
- Mobile Threat Management
- Mobile Information Protection and Control
- Mobile Gateway and Access Protection
- Mobile Security and Vulnerability Management
- Mobile Identity and Access Management
- Application Security
- Content protection, such as message filters, web protection and mobile bitmap.
- Encryption for access to servers from mobile devices, such as SSH, TLS and PKI-based authentication; and WPA2 or WPA3 (RSN) for Wi-Fi connections, since WEP and the original WPA are broken and should not be relied on.
- The right password policy, following NIST SP 800-118 (a draft enterprise password management guide; NIST’s current password guidance is SP 800-63B).
- Enforced security and threat awareness training
The last point is absolutely critical. Users need regular updates on new and emerging threats: how they work, where they originate, how to prevent them, and what to do in the event of an infiltration or cyber-attack. They also need to understand basic mobile security, for example what an IMEI (the device’s hardware identifier) and an ICCID (the SIM card identifier) are and why they matter. The policy must equally set out the damage-control procedures that minimise the effects of any breach, or potential breach.
Making it accessible
From an implementation point of view, organisations should simplify their policy, communicate its contents clearly and educate users on any aspects that are not understood. Policy adoption, especially for security, is hard to achieve when users (especially those using their own devices) do not understand the risks or their implications. When the risks and procedures are understood and enforced, adoption is more easily managed.
Incorporating a user helpdesk can streamline this process. Helpdesks can answer questions, provide guidance on adhering to policy, and assist with breaches, whether suspected or actual. They can also help users with other matters, which aids adoption of the mobile strategy.
There is no better time than now, when mobility is becoming ubiquitous, for organisations to create or update their mobile strategy. Businesses should, however, do so with a view to the future. Technologies such as Artificial Intelligence, Augmented Reality and the Internet of Things (IoT) are set to become woven into the wireless fabric of businesses, accessible from mobile devices that share the same network. These technologies should be provisioned for, or at least carefully considered, when planning a mobile strategy and defining its security parameters.
Organisations can collaborate with expert partners who understand the global and local technology and security landscape in order to create a mobile ‘use and security’ strategy that aligns with their business. Together with a partner, businesses can outline and implement a policy with all the right tools to cater to their current and future requirements, while mitigating risks and maximising success.
By Sanjay Vaid, Director, Cybersecurity and Risk Services-Africa & Continental Europe (CE), Wipro Limited