While mobile working offers many compelling benefits, there is a problem in that it blurs the line between workers’ personal and professional lives. This overlap is nothing new: employees simply want the tools they use at work to be as intelligent, familiar, and easy to use as the technology they use at home.
However, it can lead to significant vulnerabilities in the enterprise. Many CIOs claim that smartphone manufacturers are aware of the value of the enterprise market, and so are continually improving and updating their OS security features. While this is true, there are other areas of vulnerability, not least consumer apps.
Clearly, many organisations recognise the value of these apps, especially cloud storage apps. To protect themselves, enterprises typically incorporate these apps into enterprise file sync and sharing services. However, users often use the consumer versions of these apps instead.
The challenge with employees bringing consumer file and sync applications to work is that once corporate data goes into these apps, it is outside of IT’s protection and visibility.
Interestingly, under a freedom of information request, the UK’s Information Commissioner’s Office (ICO) revealed that two-thirds of data loss incidents reported were a result of human error. For instance, data breaches occurred as a result of data emailed to the wrong recipient, insecure disposal of hardware, loss or theft of unencrypted devices, and failure to redact data.
Risk landscape grows
Mobile users inside an enterprise also have access to built-in features such as iCloud and Google sync services, which are part of the native experience on their devices.
This provides users with many options for data transmission and storage but it also means the attack surface gets bigger. As a result, the ICO findings revealed that many users unknowingly put corporate data at risk of loss due to unauthorised access to cloud-based files from consumer apps and device built-in data transfer services. And of course, there is a smaller but perhaps deadlier percentage that does so willingly.
Even for cloud services that an enterprise does want to allow, such as Salesforce, there are a number of mobile apps designed to interact with services that are not approved by the enterprise. Furthermore, many of these applications are designed to download all of the cloud data to the user’s mobile device, further increasing risk if the device is lost, stolen, or compromised.
Many organisations are still trying to determine how best to protect against these risks. One method that some organisations are falling back on is traditional ‘blacklisting’. This is a simple policy that allows a device to be quarantined, selectively wiped, or blocked when a blacklisted app is detected. In today’s world, with tens of thousands of mobile apps, it’s simply no longer viable to blacklist every unsafe app, because that process isn’t scalable.
Identity and access layers
What’s required is a next-generation enterprise mobile management approach that allows an IT administrator to permit approved cloud sharing apps. At the same time, the administrator can block unauthorised consumer apps from storing enterprise data in the cloud. If SaaS services are allowed, it is also critical that only enterprise-managed applications are allowed to connect to them, in order to ensure that SaaS data remains under organisational control.
As an added defence, it’s also important to enforce policies to prevent devices from falling out-of-compliance. This means you can quarantine non-compliant devices, and automatically remove any enterprise data stored on the device. This is important because non-compliant devices are now a target for malicious attacks on the enterprise.
It’s well known that threats aimed at the Android platform are growing at an exponential rate. But even iOS is no longer considered safe from attack. Last year, there was a significant rise in iOS malware, and some new iOS malware no longer requires that the device be jailbroken. In fact, 4,000 apps in Apple’s App Store were detected with the XcodeGhost malware code. As clearly illustrated, non-compliant devices pose a clear and present danger.
The advantage of next-generation enterprise mobile management is to detect non-compliant devices. This ranges from disabled PINs to compromised devices to out of date policies and more. With EMM, enterprises can place devices in quarantine to block network access and wipe corporate data from the device if required. Enterprises can also protect against untrusted networks – assuring that if a mobile device does cross a network with attackers on it, there is no enterprise data sent across the network.
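The policy logic described in the last few paragraphs, as an added illustration that is not MobileIron’s code or any real EMM product’s API: a small compliance evaluator that applies the device checks named above (disabled PIN, compromised device, out-of-date policy) and compares the two app-control models, a blacklist of known consumer apps versus an allowlist of enterprise-managed apps. All app identifiers, device attributes and the policy version number are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample data: hypothetical app identifiers and policy version.
APPROVED_MANAGED_APPS = {"com.example.managed-drive", "com.example.managed-mail"}
KNOWN_BAD_CONSUMER_APPS = {"com.example.consumer-box"}
CURRENT_POLICY_VERSION = 7


@dataclass
class Device:
    device_id: str
    pin_enabled: bool
    compromised: bool        # jailbroken/rooted, as reported by the EMM agent
    policy_version: int      # last policy the device acknowledged
    installed_apps: tuple    # bundle identifiers reported in the inventory


def may_receive_enterprise_data(app_id, mode):
    """Decide whether an app may be a destination for enterprise data.
    'allowlist' permits only enterprise-managed apps; 'blocklist' forbids
    only apps already known to be bad, so an unknown consumer app passes."""
    if mode == "allowlist":
        return app_id in APPROVED_MANAGED_APPS
    if mode == "blocklist":
        return app_id not in KNOWN_BAD_CONSUMER_APPS
    raise ValueError(f"unknown mode {mode!r}")


def evaluate_device(device, mode="allowlist"):
    """Return the EMM actions for one device, most severe first."""
    actions = []
    # Device-level compliance: no PIN or a compromised OS means the device can
    # no longer protect corporate data, so quarantine it and remove that data.
    if not device.pin_enabled or device.compromised:
        actions += ["quarantine", "selective_wipe"]
    # A stale policy is recoverable: quarantine until the device checks in.
    elif device.policy_version < CURRENT_POLICY_VERSION:
        actions.append("quarantine")
    # App-level control: stop enterprise data flowing to unpermitted apps.
    for app in device.installed_apps:
        if not may_receive_enterprise_data(app, mode):
            actions.append(f"block_data_to:{app}")
    return actions


if __name__ == "__main__":
    apps = ("com.example.managed-drive", "com.example.consumer-box", "com.example.new-sync")
    dev = Device("dev-001", pin_enabled=True, compromised=False, policy_version=7, installed_apps=apps)
    print("blocklist:", evaluate_device(dev, "blocklist"))  # new-sync slips through
    print("allowlist:", evaluate_device(dev, "allowlist"))  # new-sync blocked by default
```

The same unknown app (`com.example.new-sync`) is permitted under the blacklist but denied under the allowlist, which is the scalability point made above: a blacklist must be updated for every new app, an allowlist only for the ones the enterprise chooses to manage.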
With the multitude of threat vectors now focused at mobile, an in-depth approach to mobile security is critical or the actual benefits of mobile computing, including increased productivity, will be lost. Enterprises must put the correct technical defences in place and recognise and adapt to new requirements and technology trends. This is not only important in highly-regulated industries, such as financial services and healthcare, but equally important across all areas of organisational endeavour to guard against growing regulatory, privacy and operational risks.
Sean Ginevan, Senior Director of Strategy, MobileIron