How Secure Is Your Mobile Device?

Wednesday, March 13, 2013

Allan Pratt, MBA


Today, the world of mobile devices includes smartphones and tablets. This post doesn’t favor any specific brands, but let’s agree that the industry leaders are iOS and Android devices. The jury is still out as to whether or not BlackBerry will become a contender.

Another fact that we must agree on is that most users of smartphones and tablets use Apps. Some of the most common Apps feature news, weather, banking, photo editing, social networking, navigation, entertainment, music, and games. These Apps may be common for individual users, but thanks to Bring-Your-Own-Device (BYOD) to the office, now employees are using their personal devices for work-related projects. This means that your confidential corporate data may now be stored on employee devices – whether you want it to be or not. This is extremely important to the midmarket segment because midmarket businesses tend to allow their employees to leave company email and attachments on their smartphones and tablets.

So with BYOD as part of the equation, does your business have a BYOD policy? How about a security policy? And does your business sponsor regular security training sessions?

While BYOD may sound like a good idea, there are a couple of issues you need to address and make clear in a policy from the start. First, state that your company is not responsible for maintenance or repair of the employees’ devices, should anything happen to them. Otherwise, you will find your IT staff servicing different platforms of devices on company time. Second, do not allow installation of company email services on any employee-owned device. Doing so creates another attack vector for malware. The reason is simple: If an employee’s personal email gets attacked, your company network may then get attacked. A better option is to use a browser-based email portal instead.

Now, back to your employees and their devices: do you clearly state that, before they download a free App or one that has a cost, they are required to read the App’s Privacy Policy? Do you require employees to check whether support information exists, such as an email address or a website? Do you require them to read the App reviews?

Do you instruct your employees on App security issues? For example, if they download a free App, are they aware that the annoying ads might contain links to malware? That malware could interfere with your corporate data or, worse, infect it. If employees frequently use free Apps, the confidential data stored on the device (name, phone number, email address, contacts, photos, etc.) could easily be shared with the advertiser – and what if the developer sells the data? What if some of the contacts stored on the employee devices are your customers?

Now that you see the reasons to create a BYOD policy and a mobile device policy, ask your employees these questions. How secure is your mobile device? Do you have a backup App on the device? Is your data encrypted? At the very least, do you have a password or passcode to turn it on? Do you have passwords or passcodes on frequently-used Apps? Do you have wipe software installed in case of theft? Is there a policy in place so that when employees leave, they do not take corporate emails and documents with them? This is especially important if an employee is fired.

There is no dispute that the future belongs to mobile devices and mobile-accessible websites. However, businesses that don’t educate their employees about mobile security may encounter serious data breaches. Don’t you want to be prepared?

Check out this Infographic: Why You Should Care about Mobile Security

Check out this Infographic: Smartphone and Mobile App Usage

____________

Allan Pratt, an infosec strategist, represents the alignment of technology, marketing, and management. With an MBA Degree and four CompTIA certs in computers, networks, servers, and security, Allan translates tech issues into everyday language that is easily understandable by all business units. Expertise includes installation and maintenance of all aspects of the PC and peripheral lifecycle and the planning and integration of end-to-end security solutions. Allan has taught the CompTIA A+ cert course and currently teaches the CompTIA Security+ cert course. Follow Allan on Twitter (http://www.twitter.com/Tips4Tech) and on Facebook (http://www.facebook.com/Tips4Tech).

Cross-Posted from Tips4Tech 

Mikko Jakonen: How much I do enjoy discussions around mobility, and especially whilst BYOD is brought in...

Unfortunately hardly anyone is touching the dilemma of storing information beyond the corporate data within corporate systems or cloudified environments, as "BYOD" makes it hard(er) to distinguish between the details; not mobility itself. Unfortunately BYOD "might be" a good idea, but it's lacking the base, with or without the "security applications" or policies established. The problem with BYOD is much wider and deeper than one might expect in the first place.

Installing (forcefully) applications controlled by a foreign entity on the person's (private) mobility device, or any other private device like a laptop to make an example, is creating only a wishful thinking of security and rendering the security thinking towards a flapjack approach. No add-on security solution completes the end-to-end security architecture requested by the community (instead of BYOD) and demanded by the consumer(s).

I give you an example: Apple crafted iCloud to manage iPhones etc. efficiently within their domain. It creates a "secure alcove" surrounding many of the functionalities offered, iMessage as an example. It lacks many of the capabilities required by the BYOD enthusiasts or organizations willing to really create their information management discipline to the point it is possible to utilize such capabilities at the moment, like device management etc. functions. But still, it is a fairly nice example of the architecture present, having grown from the base of the user side function (device) through the access layer (the Internet) towards the cloud service.

Now there is room for industry adoption to create operating environments for mobility in the first place to grant the ability to run different environments in parallel (compartments), securely distinguishing each from the other.

Sure, this is future talk, but no policy helps you with the actual dilemma: a policy is a statement of a willing state with BYOD at the moment. People still do what they desire, unless you invest a HUGE pile of money for BYOD lacking the abilities that should already exist.

Maybe some vendors shall introduce such abilities? I would like to get rid of the one single numbering scheme as well :)

@mikk0j