By Julian Weinberger, NCP engineering From apps that know our every move to cookies that track each browsing session – our smartphones are constantly spying on us. These days, most people accept that their mobile phones are not great at keeping personal data safe. What they don’t generally know, however, is what causes data to leak and what they can do to stop it. The truth is, mobile users are the weakest link. Businesses must recognize the multitude of security risks that go hand in hand with mobile devices and put security policies in place to reduce risky practices, especially for corporate-owned devices. BYOD Policies To drive operational efficiency, productivity, and to enhance customer service delivery, businesses need employees to access company data in real-time, from anywhere and at any time. While some businesses operate on a ‘bring your own device’ (BYOD) policy, others provide workers with company-owned equipment. Surprisingly, more than a third (36%) of businesses don’t make employees take mobile security courses. Given that user ignorance is a major mobile security risk, the proportion of businesses imparting basic best practices to their employees should be a lot higher. Basic security practices include password-protecting phones, turning off Bluetooth, downloading apps from only approved sources, updating the operating system regularly, and understanding the risks of using public Wi-Fi. App Hazards Employees are by no means the only risk. Unfortunately, any mobile app, even one that is well respected, can leak information. It only takes a single bug in a software update to expose the data. It might be an app that synchronizes with contact lists and tracks geographic positioning, or it could be a mobile messaging service that offers predictive texts via the cloud. According to a study by Arxan Technology, 90% of enterprise mobile apps featured two out of the Open Web Application Security Project’s (OWASP’s) ten biggest security risks. The top four threats in the list are data leakage, phishing attacks, insecure apps, and spyware. If mobile communications are not properly secured, all these things can expose confidential information to third parties such as marketers or even cybercriminals. Even Apple’s FaceTime video chat app is not immune. A flaw in the software, ironically discovered on Data Privacy Day, allows group chats calls to activate a recipient’s microphone even if they don’t accept the call. Mobile spy hazards even go beyond apps. Following last year’s reversal of the Net Neutrality Agreement carriers have begun selling customers’ location data, effectively allowing phone tracking data to be available to anyone willing to pay for it. Secure Communications To eliminate the security risks, IT admins first need to be able to see what network services employees are connecting to with corporate-issued devices. You cannot be confident of managing remote connectivity securely unless you have some insight into what’s going on. Remote mobile devices should also have an automated means of verification – such as two-factor or multi-factor authentication– before they are allowed to connect with the company’s systems. Enterprises should also insist that employees use an encrypted connection such as a VPN to prevent cyber attackers from intercepting communications between the device and back-end services. Enterprise-grade VPNs allows central IT support teams to manage and authenticate any number of remote mobile devices remotely to ensure data is encrypted and company confidential information remains private. The preferred VPN policy is for “always on” remote communications. Where this is not practical, because of low battery life, for example, the VPN connection should be activated automatically whenever a threat risk is detected – such as when using public Wi-Fi in a coffee shop or airport. In summary, smartphones are an indispensable part of today’s workplace, but they are also a risk. From careless user behavior to bug-ridden apps, the mobile phone is the mole in your pocket indiscreetly disclosing personal, sometimes highly sensitive information to complete strangers. For this reason, many enterprises are implementing centrally managed VPN software to manage how mobile devices connect to corporate networks and to maintain secure communications. About the Author Julian Weinberger, CISSP, is Director of Systems Engineering for NCP engineering. He has over 10 years of experience in the networking and security industry, as well as expertise in SSL ‐ VPN, IPsec, PKI, and firewalls. Based in Mountain View, CA, Julian is responsible for developing IT network security solutions and business strategies for NCP.
Read the full article