10 Mobile Security, BYOD Privacy And Security Myths
10:00 AM EST Mon. May. 27, 2013
Organizations are grappling with how to lock down employee-owned mobile devices and keep company data secure, but the real threat is the loss of the device itself and the possibility that restricting employees too much could harm productivity levels, according to BYOD & Mobile Security 2013, a survey of the Information Security Community on LinkedIn, sponsored by Scottsdale, Ariz.-based Lumension Security Inc. Security firms, such as mobile security startup Bluebox, say enterprises may need to look for innovative alternatives in the mobile security landscape, rather than applying traditional security technologies to the perceived threats.
Here's a look at some of the myths surrounding BYOD and mobile security, as well as advice from security experts on how to not only better protect company devices but also employees' privacy.
When employees become conscious of always-on mobile device management (MDM) features, such as a required PIN code or remote wipe capability, it may call into question how much IT is monitoring the device. However, Bluebox believes the right implementations don't cross the privacy line; they don't track activity on the device, nor do they read personal data, and that should be communicated to end users.
Mobile malware may dominate headlines, but according to the recent LinkedIn Information Security Community survey of 1,600 IT administrators, data loss is a bigger priority in their organizations than malware (75 percent versus 47 percent). A lost or stolen mobile device consistently ranks as the chief mobile security issue in most studies. In addition, mobile malware studies conducted by F-Secure, McAfee, Symantec and other vendors find most mobile malware activity in Asia, Russia and Eastern Europe, with the bulk of that malware coming in the form of SMS Trojans that rack up premium text messaging charges.
MDM may give companies more control and visibility into employee-owned devices connecting to corporate infrastructure. But applying comprehensive data protections may be the ultimate cornerstone of mobile security, according to Bluebox, because data readily travels off the device through apps into the cloud, making multiple copies along the way. Security experts tell CRN that data encryption and better-managed user provisioning systems could also help provide added security.
Gartner, Forrester Research and other analyst firms are tracking more than two dozen mobile device management vendors vying for business. Yet security experts say most firms can provide basic security measures. For example, remote wipe and password enforcement can be done via ActiveSync mobile synchronization provided by Microsoft. About 60 percent of organizations have not adopted BYOD, according to respondents to the LinkedIn survey. A quarter of those surveyed said policies and procedures are first being developed.
IT administrators in the LinkedIn survey indicated that 28 percent of all corporate data is accessed through mobile devices and that data can be accessed by over 50,000 business productivity apps regardless of whether they are mobile-enabled. Mobile security startup Bluebox said organizations may want to take a hard look at the weaknesses in the back-end systems that business productivity apps tap into.
Universities and higher education have been dealing with BYOD for years and have applied a number of technologies and policies to address the issue. A Bradford Networks survey of more than 500 IT professionals from colleges, universities and K-12 school districts found network access control (NAC) to be a critical part of their mobile device security program. Nearly 90 percent of those surveyed in higher education allow BYOD. And 56 percent of those surveyed said their BYOD on-boarding process has been automated using NAC.
Some mobile device management platforms enable businesses to manage corporate app stores to whitelist third-party apps and issue custom-made business apps to tap into corporate resources. Yet, the LinkedIn survey found that only 41 percent of all organizations create mobile apps for employees. Only 18 percent plan to do so in the future.
Daniel Brodie, a security researcher at Lacoon Mobile Security, presented a paper at Black Hat Europe that showed how containers can be bypassed using surveillance tools planted on a victim's device. Desktop malware is already using applications and browser components that use containers or sandboxes to expose data. There is no silver bullet for protecting corporate data, according to Bluebox.
Nearly 60 percent of users circumvent mobile security controls because they were impeding productivity, according to the LinkedIn survey. Security experts advocate finding a balance between strong controls and hindering productivity. In a user-driven BYOD world, security will have to get out of the way of the user and focus directly on the corporate data, Bluebox said.
Data Loss Prevention assumes that either all data can flow through a fixed perimeter or there can be unwieldy software running on the endpoint. Neither model is viable when corporate data can start anywhere and end up everywhere, Bluebox said. Businesses should consider emerging alternatives and avoid applying traditional security technologies to address mobile. IT security will have to manage the data as the first line of defense regardless of where it is, according to Bluebox.