It Takes Two to Tango (and to Secure Smartphones)
For most industries, mobile devices are a must-have workplace tool. On the front end, they allow your people to get work done efficiently and effectively. On the back end, cloud capability can help you save money on servers, infrastructure, and the number of staff needed to manage these systems.
Switching to the cloud can make information accessible from any device, anywhere in the world. While that accessibility is the benefit, it’s also the challenge.
For example, people often don’t think twice about connecting their smartphone to public Wi-Fi networks in coffee shops, airports, and other business settings. They absentmindedly scan for a plausible network name, join the network, and move on, assuming it’s the correct one and that it is secure.
Yet it’s surprisingly easy to create a rogue wireless network. It only takes a three-minute online tutorial, a $30 wireless network card, and some basic web skills to manufacture a believable landing page.
We saw this firsthand during a recent penetration testing scenario. Employees began connecting to the rogue network before we had even finished doctoring the logo on the fake website. In the wrong hands, a compromised network could allow hackers to intercept and redirect traffic, or worse, turn mobile devices into a gateway to your business network.
They say it takes two to tango, and for businesses and organizations that allow mobile use by workers, it takes two to secure mobile devices.
Protecting your assets requires you to have technical controls in place that are operating effectively, and an employee base that is trained to use technology in a secure manner compliant with organizational procedures.
In a public Wi-Fi scenario, procedures might include a policy that stipulates your employees ask the business for the correct network name and password. But there are many other mobile security issues for organizations to consider.
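A defender-side check that follows from this, written here as an added example rather than anything from the original article: given the access points seen in a scan and a known-good list supplied by the venue or IT staff (the SSIDs, BSSIDs and security types below are constructed), flag networks whose name matches but whose radio address or security type does not. It shows why asking for the network name alone is not enough.

```python
"""Flag likely rogue ("evil twin") access points in a Wi-Fi scan.
Added example, not from the original article; all records are constructed.
A real allowlist needs BSSID and security type too: anyone can copy an SSID."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

class ScanEntry(NamedTuple):
    ssid: str
    bssid: str      # radio MAC address of the access point
    security: str   # e.g. "WPA2", "WPA3", "OPEN"

# Hypothetical allowlist: SSID -> (expected security, known BSSIDs)
KNOWN_NETWORKS: Dict[str, Tuple[str, Set[str]]] = {
    "CafeGuest": ("WPA2", {"00:11:22:33:44:01", "00:11:22:33:44:02"}),
    "CorpStaff": ("WPA3", {"00:11:22:33:44:10"}),
}

def find_rogue_aps(scan: List[ScanEntry],
                   known: Dict[str, Tuple[str, Set[str]]] = KNOWN_NETWORKS
                   ) -> List[str]:
    """Return one finding per suspicious scan entry; [] means clean."""
    findings: List[str] = []
    sec_by_ssid: Dict[str, Set[str]] = defaultdict(set)
    for e in scan:
        sec_by_ssid[e.ssid].add(e.security)
    for e in scan:
        if e.ssid in known:
            expected_sec, known_bssids = known[e.ssid]
            if e.bssid not in known_bssids:
                findings.append(f"{e.ssid}: unknown BSSID {e.bssid}")
            if e.security != expected_sec:
                findings.append(
                    f"{e.ssid}: advertises {e.security}, expected {expected_sec}")
        elif e.security == "OPEN" and len(sec_by_ssid[e.ssid]) > 1:
            # Same name broadcast both open and encrypted: classic evil twin.
            findings.append(f"{e.ssid}: open copy next to encrypted copies")
    return findings

# Constructed scan: two legitimate APs plus an impostor radio that dropped
# encryption so that victims can join without being asked for a password.
SAMPLE_SCAN = [
    ScanEntry("CafeGuest", "00:11:22:33:44:01", "WPA2"),
    ScanEntry("CafeGuest", "00:11:22:33:44:02", "WPA2"),
    ScanEntry("CafeGuest", "de:ad:be:ef:00:01", "OPEN"),
    ScanEntry("CorpStaff", "00:11:22:33:44:10", "WPA3"),
]

if __name__ == "__main__":
    for finding in find_rogue_aps(SAMPLE_SCAN):
        print("SUSPICIOUS:", finding)
```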
Personal device or company-issued device?
Personal mobile devices and company-issued devices present different sets of issues. Employee devices can be less secure than company-issued devices because the organization cannot manage those machines to the extent it can manage its own. This includes keeping the device up to date, restricting what apps can be installed, remote wiping capabilities, encryption, and enforcing a password on the phone or tablet. Managing mobile devices (company- or employee-owned) often occurs through a mobile device management application such as IBM MaaS360, VMware AirWatch, Good, MobileIron and others.
However, many organizations still allow employee personal devices to be connected to the internal network, which may expose you to risks:
- Employees may download potentially malicious applications on their personal phone, which could introduce spyware, malware, or banking Trojans on their device. This may allow criminals to steal sensitive information such as text messages and emails, or create mobile botnets where they can control many mobile devices from a central location.
- By nature, mobile devices are often connected to a large number of wireless networks that may not be under the control of the business. These networks could have been previously compromised or may have been created to impersonate legitimate networks to exploit devices connecting to them. In addition, businesses cannot control employee personal device password strength, encryption, or whether the phones are updated regularly.
iOS and Android considerations
If you still allow personal phone use for convenience or other factors, be aware of some of the key differences between iOS and Android devices.
Apple maintains strict control of the hardware, firmware, and software of its devices, allowing it to weave security in as a core component of the device. From an organization’s perspective, this standardization also tends to make management of the devices easier.
On the other hand, Android is an open source operating system that works with separate hardware manufacturers and allows innovative customization and portability of operating systems and applications. A tech-savvy Android user can review the open source code to assess the security of their device, but the average Android user will not take this precaution.
Apple also controls which applications are admitted to its App Store, whereas Android devices can install applications from the Google Play Store and other third-party app stores. Historically this has led to more malware being created for Android devices (not to say that iOS is impervious to this issue). Efforts have been made to remove malicious applications uploaded to the Play Store by developers of questionable integrity.
What you can do
Establish a bring your own device (BYOD) policy — All of these are compelling reasons for businesses to have a BYOD policy in place. The policy should stipulate the terms and conditions for employees who connect their personal devices to the organization’s network.
As a rule, personal devices should not be allowed to connect to the internal corporate network containing sensitive systems. If employees need to access the internet on their smartphones, a common solution is to implement a physically or logically separated wireless network that has no access to the internal network. If employees require access to company email or other resources, there are more secure options that contain company data in a separate compartment on the mobile device or encrypt it in transit.
Educate your employees — Employees should be trained on mobile device risks. An employee base that is informed and aware of security threats can be one of the best defenses against them. Make sure that users are aware of company policies surrounding mobile devices and acceptable use of technology.
Use effective controls — Limit mobile device risk through effective operational controls. This includes:
- Using a virtual private network (VPN) when connecting to unknown networks
- Enforcing encryption
- Preventing mobile devices that are “rooted” or “jailbroken” from connecting to the network
- Maintaining up-to-date operating systems
- Installing anti-virus applications
- Only installing applications from trusted sources
How we can help
We can help you dance through these challenges by helping you build a BYOD policy. We can also assess your vulnerabilities through penetration testing, and then train your employees to recognize fraud and social engineering techniques, so both dance partners can more safely realize the power of mobile technology.