Mobile Devices Present Corporate Security Challenges
Mobile devices are an integral part of people’s everyday lives. Being connected is a necessity in today’s business world. Professionals now use their smartphones and tablets as much for business as they do for leisure.
So how do businesses protect their clients’ information, account numbers, employees’ personal details, and other sensitive data? What happens when a once-secure business network is now only as secure as one employee’s unsecured iPhone or Android device? What kinds of attacks are being used against mobile devices and what exactly is at risk?
Mobile technology isn’t going away. Anyone who works with secure data and sensitive information, whether a veteran corporate executive or a recent online MBA graduate, faces the issue of mobile device security and has a responsibility to protect the business against security breaches.
Mobile devices are susceptible in ways that desktop and laptop computers are not. Smartphones and tablets go everywhere with their owners. Devices are exposed to unknown people, unsecured WiFi access points, and a number of other potential threats, including:
• Malware – Malicious code that finds its way onto mobile devices through spam, links, and rogue programs installed from third-party sources.
Trojan malware can get into a mobile device through downloads, SMS messaging, or social network links. From there the malware can spread to other devices on a business network, exposing everything to hackers.
According to VMware’s AirWatch tech blog, U.S. mobile malware rates are currently increasing by 75 percent year-over-year. OSX (iPhone and Mac products) received five times more malware in 2015 than in the five years prior.
• Attacks – Many of the same exploits (software, data, or a sequence of commands designed to cause harm) used by hackers to access laptops can be used to access mobile devices. Exploits typically focus on WiFi hotspots, Bluetooth, NFC (Near Field Communication), and social engineering (e.g. “Hey, can I borrow your phone to call my mom?”).
• Physical Access – The easiest way for a hacker to gain access to a secure network is via physical access, which is as easy as grabbing a lost or unattended mobile device.
“The cleverest intrusion-detection system and best anti-virus software are useless against a malicious person with physical access,” warns David O’Leary, director of Forsythe Security Solutions, and his team in the company’s Forsythe Focus blog.
Experienced hackers have no problem circumventing a lock code or password once they have a mobile device in their possession.
• Insiders – Mobile devices make it easier for ill-intentioned employees to access a company’s network and steal valuable information, either for their own purposes or to sell to others. All a disgruntled employee needs to inflict damage on their employer is a personal mobile device.
Businesses, government offices, and even educational institutions are vulnerable to security breaches through mobile devices. Hackers access sensitive data any way they can, so keeping mobile devices secure is of vital importance at all times.
BYOD, CYOD, And COPE
The corporate world uses three approaches to letting employees use mobile devices for business purposes:
1. BYOD (Bring Your Own Device) – With this approach, businesses rely on their employees to use their own devices. While BYOD can avoid short-term operating expenses (such as issuing phones to employees), security can be practically non-existent and compatibility issues always pop up.
“What’s a company to do when their employees span not only Windows, Android, and Apple, but also different versions of these different platforms?” Jennifer Hyman Sutton, Chief Operating Officer at Lua, a secure, HIPAA-sensitive mobile communication company, asks in a 2014 Business 2 Community blog article.
2. COPE (Company Owned, Personally Enabled) – The most secure approach to mobile enterprise is actually COBO (Company Owned, Business Only), but because employees are likely to use one mobile device (their personal one) over another, the COPE approach is preferred.
A business using the COPE strategy issues secure mobile devices to employees, but still allows personal use (such as Facebook, messaging, and pictures).
The primary problem with COPE, Rebecka Arlestedt and Melenie Lindh, Masters of Science in Engineering at Mid Sweden University, wrote in their Master’s thesis (“Enterprise Mobility: Defining and Evaluating Business Digitalization,” June 2016), is that employees usually prefer a particular platform (iOS, Windows, or Android), and “devices can become disliked and employees revert to the use of their own mobile devices.”
3. CYOD (Choose Your Own Device) – COPE is sometimes seen as invasive because IT departments can see EVERYTHING employees do with their devices. CYOD is a good compromise because employers will provide a list of approved devices for employees. Business software and security come pre-installed, but the device belongs to the employee.
“CYOD only works if the IT department dedicates resources to keeping the list (of devices) up-to-date,” Sutton said.
Although many businesses continue to use the BYOD approach, many are now leaning toward CYOD. The CYOD system combines corporate security with the freedom of personal devices, unlike the restrictive options of the COPE method.
Once a business decides whether to use BYOD, COPE, or CYOD, additional security measures may also be considered:
• Secured Containers – Portions of a smartphone’s internal storage and memory can be partitioned off into separate, secured areas where sensitive data can be stored. The process of securing only a small area of the overall storage capacity is called “sandboxing.” Individual files, file folders, and even entire applications can be sandboxed. Another secured container option is the use of a “virtual phone.” Virtual phones can partition off a completely separate smartphone service from the main smartphone within the same device. It offers the user a choice between using the device as smartphone A or smartphone B – one secured for work purposes and one left for personal use.
• Samsung KNOX – Samsung recently began manufacturing its catalog of mobile devices with a secure container framework already built in and designed specifically for enterprise use. Other manufacturers are following suit.
Uri Kanonov and Avishai Wool, academic researchers at Tel Aviv University, in their 2016 conference paper for the Sixth Workshop on Security and Privacy in Smartphones and Mobile Devices in Vienna, Austria, described Samsung KNOX as “a delicate combination of technologies, consisting of multiple components whose integration is Samsung’s answer to BYOD security.”
• Security Training For Employees – The human element is as crucial as technology.
“The majority of security incidents are caused by trusted employees within the organization, and in most instances, these incidents are a result of human error. This justifies the need to put emphasis into training,” Eduardo DeSouza and Raul Valverde write in their 2016 Journal of Theoretical and Applied Information Technology article, “Reducing Security Incidents In A Canadian PHIPA Regulated Environment With An Employee-Based Risk Management Strategy.”
Mobile device security training programs can teach employees about mobile vulnerabilities and how to defend their devices against unauthorized access.
• Mobile Device Security Audits – IT departments, especially in COPE and CYOD environments, can audit employees’ mobile devices to ensure everything is up to date and all of the installed security measures are working properly. IT can also remove any malware infections.
Companies need to implement corporate policies aimed at increasing mobile device security, according to Grover S. Kearns, accounting professor at the University of South Florida.
“If policies and controls are lacking,” he writes in the January-June 2016 edition of The Journal of Forensic and Investigative Accounting, “then the growing use of mobile devices creates new opportunities for hackers to exploit a range of vulnerabilities including infection of corporate servers.”
As Mobile Devices Thrive
Keeping corporate information technology (IT) infrastructure and computer systems safe from security threats is a core function of management information systems (MIS) executives. Since the use of mobile technology is only going to become more prolific in the future, MIS executives and managers must continue to address mobile device security. They can significantly reduce security threats by regulating the types of devices employees use for business purposes, implementing employee-training programs and secure hardware and software upgrades, and performing audits on employee devices.
About UAB’s Online MBA Management Information Systems Concentration
The University of Alabama at Birmingham offers an online MBA degree with a concentration in management information systems. With a mixture of foundational business principles and practices and modern technological and management strategies, students can develop into adaptable, well-rounded leaders ready to face the challenges of modern information technology management.
Sources
• Mobile Device Security in the Workplace: 5 Key Risks and a Surprising Challenge – http://focus.forsythe.com/articles/55/Mobile-Device-Security-in-the-Workplace-5-Key-Risks-and-a-Surprising-Challenge
• 23 Disturbing Statistics About Mobile Security – http://blogs.air-watch.com/2015/10/23-disturbing-statistics-mobile-security/#
• Countering Mobile Device Threats: A Mobile Device Security Model – http://web.nacva.com/JFIA/Issues/JFIA-2016-4.pdf
• Enterprise Mobility: Defining and Evaluating Business Digitalization – http://www.diva-portal.org/smash/get/diva2:945850/FULLTEXT01.pdf
• BYOD, CYOD, COPE: What Does It All Mean? – http://www.business2community.com/mobile-apps/byod-cyod-cope-mean-01025828#SE3Lpjw6dHftiiA5.97
• Secure Containers in Android: The Samsung Knox Case Study – https://arxiv.org/pdf/1605.08567.pdf
• Reducing Security Incidents In A Canadian PHIPA Regulated Environment With An Employee-Based Risk Management Strategy – http://spectrum.library.concordia.ca/981740/1/22Vol90No2.pdf