It’s hard to believe that in such a relatively short period of time, smartphones and other mobile devices, such as tablets, have become so tightly woven into both our personal and work lives. And unlike desktop or laptop computers, which are usually company-owned, personally-owned mobile devices are often filled with company-related apps, data, email and business functions. Imagine if you showed up for the first day of your new job with your own desktop computer and asked to connect it to your office’s network, or if you connected your home laptop directly to your company’s file server without some kind of buffer. Those seem like pretty unrealistic scenarios, for the most part. Most companies wouldn’t want those kinds of computing devices to have so much connectivity to company-owned data assets, and yet with mobile devices, the expectation is the exact opposite. Why wouldn’t you set up your phone to talk to the company email server, or their Dropbox account, or the CRM?

From my perspective, the attitude of most organizations has been to connect the mobile devices first and figure out how to manage them later. As someone whose role is to evaluate risks to an organization, it is somewhat jarring to consider that this has been the go-to philosophy. Certain risk management technology tools, like antivirus, are considered no-brainers. You have to use them, and if a company isn’t using them, it is considered neglectful. Yet I find during many of the assessments I perform that most organizations completely neglect the management of mobile devices that intertwine with essential business systems. Why does this happen? I suspect it is probably due to misconceptions about the relative security of smartphones, or assumptions about smartphone security features that may not actually be there (or may not be active). Here are a few things to consider about smartphones:
- Did you know that Android devices only get operating system updates when the device manufacturer “pushes them out”? Even if you and a friend each have an Android phone, you may not be getting the same security patches at the same time. That means you could be running an operating system with known vulnerabilities that you can’t necessarily patch.
- While the “End of Life” for Windows XP was very public and well known, most people don’t know when their smartphone will stop receiving support from the manufacturer. A phone you bought just two or three years ago may no longer be receiving critical security updates. In general, these support lifecycles are simply shorter than those of Microsoft Windows operating systems.
- Many basic security features, like a password to log in, are often disabled by end users who see them as an inconvenience. Unless there is something in place to force these features to stay enabled, the user can simply turn them on and off on a whim.
- Savvy smartphone users love to “jailbreak” or “root” their phones. While I can certainly appreciate the desire to personalize and experiment with computing devices (I do it all the time myself), someone could easily be savvy enough to modify their phone to make it “better” for them, but also more vulnerable to threats.
- These devices are generally not encrypted. If you are on a public WiFi network, there is often not much stopping the bad guys from reading data on the phone, whether that’s personal or work data.
- Furthermore, transmissions from the phones (like text messages) are usually not encrypted either, unless certain tools or features have been installed and enabled. Some people send sensitive information to others via text message under the false impression that it is safer than sending a regular email. Perhaps even worse, text messages are usually not logged or archived, even though they can contain data you may want to refer back to in the future. If a staff member texts company-relevant information to someone else and then leaves the organization for whatever reason, those texts are basically lost for future reference.
This is just the tip of the iceberg. The good news is that there are ways to evaluate the security, proper roles and policies regarding mobile device use throughout your organization. These devices need to be considered part of your overall system management, which means they need to be subject to company security and risk management policies. Your end users also need to be educated about their own responsibilities for using these devices in a safe and productive fashion.
About the Author: Ben Schmerler is a vCIO Consultant at DP Solutions, one of the most reputable IT managed service providers (MSP) in the Mid-Atlantic region. Ben works with his clients to develop a consistent strategy not only for technical security, but also policy/compliance management, system design, integration planning, and other business-level technology concerns. You can follow DP Solutions updates on LinkedIn or their website: www.dpsolutions.com.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.