Establishing Digital Trust: Don't Sacrifice Security for Convenience
In both the public and private sectors, workers are increasingly creating and sharing information with mobile devices, including smartphones and tablets. It is not uncommon to see employees using these devices to accomplish work for their employers. While this is increasing productivity, without the right protections in place, it can also introduce cyber security threats.
At the same time, the rapid growth in mobile device usage has made the proper configuration of security solutions for multiple mobile platforms a top issue for CIOs and IT managers.
“More and more frequently, employees are linked to sensitive data via a number of different devices, providers, and operating systems,” said Will Hedrich, a security architect at CDW-G. “If laptops, tablets, and smartphones are left unattended for even a few minutes, you are at risk.”
Anyone can download an application for $50 to $150, for example, that will allow them to listen to phone conversations, listen to anything around that phone even when it’s not on a call, view the camera, swipe files from the phone, or access the corporate network. They can download, view, or listen to this information wirelessly using the phone’s public IP address, Bluetooth or Wi-Fi. After the program is downloaded on to it, the person would never know it is on his or her phone.
Recently, for example, an employee of a large enterprise left a smartphone in the car while shopping. The phone, which was stolen, contained the social security numbers and other personal information of company employees. Because the phone was not equipped with any security measures, the information was easily accessed.
Most company employees do not even have basic firewall or password protections on their phones, so they are risking this kind of data loss on a regular basis.
The financial consequences can be severe. The government fines companies $204 or more per piece of personal information leaked, such as a social security number, credit card information, and other personally identifiable information (PII) or payment card industry (PCI) compliance information.
“It is important to have a mobile management security strategy in place to prevent data loss and malicious attacks,” said Hedrich. “The strategy should extend to devices, the data center, and cellular carriers.”
He added that a comprehensive solution for locking down the mobile workforce did not exist until recently. Such solutions, now becoming available from a variety of vendors, should encompass a four-pronged approach.
Physical security - Devices accessing the network need data encryption and multi-factor authentication, which includes a user name, password, and a series of PIN numbers, such as a four digit personal PIN and a six digit code that is generated automatically and changes every minute. Device certificates are also important.
Content security - If appropriate security protocols are in place, anyone trying to access information via the public IP address of an encrypted device will find that the information is completely scrambled. A combination of anti-malware, content filtering, encryption, data loss prevention (DLP) software, and intrusion prevention software installed on all devices will prevent unauthorized access to data.
“If a phone, tablet, or other device falls into the wrong hands, you want to be sure that data on it cannot be accessed,” said Hedrich. “Data encryption and multi-factor authentication are crucial to ensuring that only the authorized user can access the information on the device.”
Device management - Organizations should also set access levels and permissions for each person or group on the network, such as legal, marketing, IT, etc. These access policies control the data they can access via their devices and the functions they can perform remotely.
“Centralized device management allows IT to update access rights as well as roll out updates to operating systems and applications from one central console,” said Hedrich. “And, if a device is lost or stolen, the IT manager can wipe the device remotely to prevent data loss.”
Identity and access - The management console allows the IT manager to set up user profiles to determine specific settings for each employee. Access permissions can be set for business critical applications, folders, and files to be saved, read, edited or emailed. These settings can be changed on the fly by the IT administrator.
“Organizations should also make sure their cellular carriers have security built in to their networks, including anti-malware and anti-spam software, hosted public key infrastructure (PKI) encryption, two-factor authentication support and fraud detection,” added Hedrich.
For content filtering, he said, organizations should also look at Blue Coat, Cisco, McAfee, Symantec and Websense, which all rank highly in Gartner assessments.
Drew Robb is a freelance writer based in Los Angeles specializing in technology and engineering. He has a degree in Geology/Geography from the University of Strathclyde in Scotland. He is the author of Server Disk Management in a Windows Environment, as well as hundreds of magazine articles.