Earlier this summer, Aaron Rhodes of Neohapsis talked to CSO about five things to consider when developing mobile security policies. Today, moving that discussion forward, Pankaj Gupta of Amtel talks to us about five myths in mobile security.
In business both large and small, mobile devices are being used to access mission-critical data that must be protected. As mentioned in our previous article, mobile is the new endpoint when it comes to security.
The most common use for mobile in the business world is access to corporate email, which contains sensitive information and is often subject to regulatory compliance. However, Pankaj Gupta, the CEO and founder of Amtel adds that mobile users routinely share and access sensitive business files and documents for collaborative problem solving, and proprietary transaction data is captured by new mobile payment methods.
Despite these known usage patterns, some organizations struggle with their BYOD policies and their mobile planning. Some of those struggles center on a few false notions, which Gupta addressed in an email to CSO. With that said, here are his thoughts on five myths about mobile security and their actual realities.
Myth #1: Mobile devices don't store sensitive corporate data.
The basic line of thought with this myth is that access to email and files from mobile devices is sporadic. So when access happens, it's only occurring for short periods of time, and sensitive information isn't always accessed. Thus, the risk of inadvertent disclosure or loss of business critical data is low.
"Mobile access is now pervasive, whether using smartphones or tablets," says Gupta.
"A lot of information is usually cached in modern high capacity devices, in the form of emails and saved files. If sensitive data are not protected with access controls and encryption, these can easily end up in the wrong hands."
Myth #2: Strong authentication schemes, password management controls, and device PINs are sufficient to prevent unauthorized access.
"A well-known problem with complex passcodes that are changed frequently is that users find it hard to remember them," Gupta explains.
For some, this means they opt to write their passwords down, which defeats the purpose of authentication schemes and password management. This is why organizations should have additional authentication and access control mechanisms.
"Two-factor authentication is worth a look for authorizing access to corporate apps. Modern schemes for this have replaced token generators with an out-of-band scheme for PIN delivery to a phone number via text message."
Myth #3: Users are running the latest versions of iOS and Android, so they're up to date with bug fixes and other security patches.
It may be hard to believe, but some organizations honestly believe that carriers push prompt over-the-air (OTA) updates. Nothing could be further from the truth.
When it comes to Android, there are millions of devices on the market today, and on your network, that are using outdated software packed with known vulnerabilities. Google releases fixes constantly, but the carriers would rather people purchase new devices, so it's rare to see a full OTA push for security issues, unless they are major problems that impact wide swaths of the public — and even then there is no guarantee.
"The OS version that a user is running is unfortunately tied to the device. For example, the latest iOS version may be available only on new or recent iPhones and iPads. Also, users may turn off the auto update option. The situation is not good in Android land either. According to Google reports, less than five percent of users are running the latest version of Android," Gupta said.
"Delay in carrier rollout of upgrades is one reason for this, but users don't even upgrade to the latest Android version available from their carriers. By proactively managing mobile OS upgrades, you can mitigate up to three-fourths of existing malware threats."
Myth #4: Public app stores like Apple's App Store and Google's Play are safe sources, because they verify apps and block malware.
This is a myth, and it's unclear why anyone would think that way. While attending a security conference recently, your CSO reporter heard this exact myth from the mouth of an infrastructure manager. The looks of shock, confusion, and total disbelief from those surrounding this person at the dinner table were understandable, but the manager was confident that malicious apps simply cannot exist within official channels, and that news stating otherwise was all marketing hype.
"Apple polices its apps and Google does some high-level sanity checks, but they can't stop many malware apps from entering the market," Gupta said.
"It's up to you, the IT mobile operations manager in the enterprise, to employ whitelist and blacklist policies to take control of mobile apps and allow only the apps that can be run safely."
Myth #5: Secure access is not possible using public Wi-Fi networks.
"Employees on the move are constantly using public Wi-Fi networks at airports, hotels, restaurants, and cafes," Gupta explained.
While some organizations issue Mi-Fi cards to mobile workers or enable tethering on devices (Mobile Hot Spots), that could be an expensive option for some companies, especially from a data usage standpoint. The best plan is to require Virtual Private Network (VPN) connections for all access from outside your corporate office.
"VPNs use a combination of dedicated connections and encryption protocols to generate virtual point-to-point connections and can enable secure access over public Wi-Fi networks."