Regaining control of security in a mobile world


Enterprise Security
09 Aug 18 Author: David Ellis

Mobile devices provide flexibility, allowing employees to work outside of the office. This translates into competitive advantages, productivity gains and employee satisfaction benefits. It is no surprise therefore that mobility is one of the fastest growing segments of the enterprise technology market. However, security remains a major challenge that continuously needs addressing.

Keeping machines and data secure becomes more challenging as computing infrastructure becomes less centralised, given the greater potential for malware to enter devices that are being used remotely. This, in turn, increases the risk of data being lost. Another risk to consider is that mobile devices are more vulnerable to data leaks, as they can be lost or stolen more easily.

The financial, legal and reputational impact of these data losses can be immense, particularly given the introduction of the GDRP, which has brought in much tougher enforcement measures for data protection in the UK. Businesses now need to employ very thorough security controls and visibility in order to pinpoint when EU personal data is at risk of being exposed on mobile devices - addressing any vulnerabilities as soon as possible.

Bring Your Own Device (BYOD) compounds the issue as employees use their own devices to access corporate networks and data. It is reported that almost 70% of employees will use their own devices regardless of company policy. Given that organisations have much less control over BYOD devices and their vulnerabilities, it is highly alarming that approximately half of organisations that allow BYOD, do so without enforcing any specific security policy! It’s perhaps not surprising then, that 37% of organisations have experienced a breach or data loss directly attributed to their mobile technology.

Implementing an effective policy is the first step to ensuring mobile security. Companies first need to define the scope and objectives: Who is allowed to access what, and when; what devices will be supported; what applications and content will be mobilised? The security policy needs to be consistent across the entire organisation and should be considered as an extension of existing business strategies and broader technology, security and compliance policies.

At present, many companies are unaware of the gap in their security policies until they are directly asked the question. Here are three simple steps that can immediately improve your customers’ odds against threats – either external or internal.

Step 1: Stop old and new threats with patching
One of the oldest struggles in the IT universe is keeping desktops, laptops and servers up-to-date with the most current software and operating system patch levels. Further complexity is added when using enterprise applications that are seemingly stuck in time, stopping you from upgrading to a recommended operating system or patching old exploits.

Your customer’s journey into security hardening should include a long look at their current patching workflow. To start, ask your customer whether they are currently patching, are they able to quickly remediate a known vulnerability, and is it easy for them to produce a report from their fleet of machines. If your customer’s answer is “no” to any of these questions, you have an opportunity to evaluate how your customer is protecting their endpoint devices.

Step 2: Regain control with improved access management
Many data breaches involve an inside, trusted source. Just like patching, there are a few questions that you can ask your customer to quickly determine how vulnerable they are to malicious activity:

  1. Do you know which employees have access to what, and when? Similarly, if you were asked to give a report of all people that accessed any one file on your company’s file server over VPN within the last week, could you generate that report in less than an hour?
  2. Can you verify that all previous employees have been properly decommissioned and have no access to your company’s data?

If your customer is not able to quickly generate these reports and remediate any gaps, then even if they had the best network intrusion security and patching baselines in the world, the organisation is at the mercy of possible malicious intentions of current and ex-employees.

Step 3: Create a security conscious culture
Encourage your customers to have a discussion with management - it’s possible that their management team is not aware of the issues. If your customer can access vulnerability and breach reports, empower them to use the information to start a conversation and brainstorm small investments that can be made to start turning things around. If possible, customers should begin proactively sending vulnerability reports to management and offering to assist with remediation (but first check that they are not breaking any company rules by generating those reports).

Don’t make things easy for attackers. When organisations neglect even the basics of cyber security, attackers see this as low-hanging fruit. Securing an organisation can be very difficult, but most exploits occur with either insider help or by way of well-known vulnerabilities. The above practical questions and their correlative remediation steps can help any organisation enhance its security posture.