The digital transformation of everything promises efficiency, convenience, opportunity and the chance to create new business offerings, but like any other opportunity the mobile era also introduces risks. We look at five mobile risks for enterprises and the best way to mitigate them.
Forrester Research has claimed that 53 percent of information employees are making use of three or more devices for work. When you consider that at least 95 percent of enterprises also approve use of personal devices, you have a complex challenge for security teams, who can no longer attempt to build systems around one core OS. Security protocols must effectively handle environments in which workers are using multiple devices, platforms and operating systems, from multiple locations, over all available networking infrastructure.
What is the risk for your business? Put simply, if you ignore the proliferation of systems you may easily end up with unauthorized devices accessing email and other confidential systems.
What to do: Enterprises must adopt consistent security policies capable of addressing the needs and weaknesses of a plethora of different devices. They should also adopt strong Mobile Device Management (MDM) tools to enable them to separate personal from corporate data, including the capacity to track data when it is moved between devices, platforms or operating systems.
The mobile workforce doesn’t sit still (hence its name). As they exploit the new freedoms of BYOD, employees are accessing corporate systems 24/7 from anywhere using whichever network connectivity solution is available to them, including public Wi-Fi networks (over 90 percent of which are insecure!).
What is the risk for your business? Do you really want your secure corporate data to be an open book to criminal hackers who have identified corporate log-ins by monitoring transmissions on an unprotected Wi-Fi network?
What to do: It’s good practice to ensure that any connection to your VPN or enterprise cloud services demands certificate-based network access, and that all apps use the best available encryption for data on its journey to and from end points. It is also essential to block devices and/or apps that do not comply with set security policy or which are not authorized for use with your systems.
3. Lost and stolen
Mobile devices get lost, they get stolen and they get broken. Millions of smartphones are stolen each year, and while vendors are improving the protection on the most popular mobile devices in the enterprise, they remain a temptation for opportunistic thieves, and an opportunity for sophisticated criminal hackers who are more capable of circumventing any security you might have in place in order to break into your IT systems.
What is the risk for your business? Not only might criminals access all your data via a stolen device, but they might cause significant damage to your computer systems once they do break in. What price stolen data? What are the business consequences of your systems being taken offline?
What to do: Multi-factor authentication of devices used to access your networks is not a luxury item, but an essential requirement for every employee able to access your systems, no matter their security clearance. Encrypt all data in transit and protect all transactions with security certificates. Finally, ensure all devices are protected by systems to wipe data remotely, as provided by MDM software.
4. Data leaks
What happens to your data? Do you know if information taken from your corporate network via a user’s device ends up stored on Dropbox? With so many different devices used in organizations, it can be extremely hard to keep an audit trail of all of your data.
What is the risk for your business? Data protection compliance and regulation is becoming increasingly stringent in some jurisdictions. Not only does it damage your reputation if customers’ personal data escapes into the wild, but it can open your firm up to financial consequences in the event of egregious leaks. How might this impact your business reputation?
What to do: Data Loss Prevention is critical. This can involve decisions taken at the policy level and protections applied across Data as a Service, Software as a Service and other server-based systems to prevent copy and paste of content and storage of data on external (and uncontrolled) hardware like SD cards or external memory devices. You should also use server-based compliance systems to ensure your data cannot be accessed by unauthorized apps.
The nature of mobile risk is changing – where before online risk was about virus and malware checking, today your enterprise faces continuous 360-degree risk across every end point. This extends from targeted phishing attacks on selected employees as criminals attempt to piece together a route through your security all the way through to keyloggers buried in apps downloaded to devices on your network.
What is the risk for your business? The user is the weakest link in online security on any platform. When you are an enterprise with tens of thousands of users, your core security protection can be easily undermined through one moment’s inattention by an employee. Is it more economically realistic to pay the consequences of such an event, or is it more prudent to educate employees first?
What to do: The best defense for any enterprise is an educated workforce. It’s not enough just to tell people that they should avoid downloading apps from non-approved sites to their device, or that they should avoid clicking links in genuine-seeming emails; you need to explain the inherent risks. You can throw all the policy directives you like at employees, but education is essential if you want them to follow them – as they grow to understand the risks, they may even thank you for the advice.
For more ideas please take a look at our “Security Changes with Orange” report that describes our comprehensive approach to security across infrastructure, working environment, management and governance.