The standard way to address risk--whether malicious mobile apps or how wireless stores can steal your data--is to start with an assessment. We've discussed getting rational about risk, but this is a new challenge: How do you perform a risk assessment on a technology that changes weekly and that you might not even own? Many companies, including just recently VMware, are going to a "bring your own device" model, which adds a whole new wrinkle.
For this column, I'm focusing on data security, not the myriad other risks presented by mobile devices, such as eavesdropping, availability and reliability of coverage, even the use of these devices for corporate disaster recovery--though those are all worth thinking about.
The first issue: We don't have cold, hard data on how to best reduce risk, because mobile security as a discipline hasn't been around long enough to prove how effective, or ineffective, any given control is. The answer, for now, is to look inward. Focus on the effectiveness of the control in your environment and the likelihood that your users will comply. Be prepared to ask a lot of questions and test your theories before assigning a risk to a specific threat or scenario.
I recommend you split up your mobile security risk assessment into four categories: sensitive data access, device risk, management risk, and awareness. For each area, develop interview questions to draw out employee feedback. Mix up the questions. Go beyond simple yes/no, and include open-ended and likelihood formats--for example, "On a scale of 1 to 5, with 1 being never and 5 being very frequently, how often do you let your child download apps?"
One technique I use is the "11 questions" exercise. When you're meeting with people, have them provide a list of 11 or more questions they would ask if they were in your chair. This gets difficult after the first five or six, but you would be amazed at how often you'll uncover risks you didn't suspect existed. Document them, and use that info to guide the rest of your risk assessment interview process. One of my favorites from a risk assessment interview: "How do I stop my husband from looking at dirty websites on my iPad?"
1. Sensitive Data Access
The top-level concern about mobile devices is that they can access sensitive data and potentially cause a breach or leak of this data to the public. But can they really? For example, a company we performed a risk assessment for didn't even know what it considered sensitive data. Once we identified that (it was the financials), we were able to point out that the accounting software the company used ran only on Windows, wasn't reachable via mobile devices, and just six of 400 employees even had access rights. The real risk was reports containing financial data being generated and emailed around.
To document which sensitive information a mobile device has access to, start by building data flows based on data classifications, and document who touches what, when. Here's a 10-step process for classifying data. In larger organizations, check for documented business workflows that you can review. For each spot where sensitive data "changes hands" (either via a human or a system), interview the folks involved to discuss if and how that data could land on mobile devices.
Our experience shows that most mobile devices don't have direct access to sensitive data. Rather, they have peripheral access (like our email example above), and existing security systems, such as data loss prevention, identity management, and access control, can usually address those sources.
2. Device Risk
Device risk is where most of the media spreads FUD: 200% increases in mobile malware! Less than 50% of mobile device users employ passcodes! While scary stats are fun to talk about and easy to sensationalize, evaluating risk is not nearly that simple. Each mobile device operating system has unique vulnerabilities and offsetting controls.
When looking at device risk, in my report, 5 Top Mobile Security Threats for 2012, I recommend you spend less time worrying about viruses and Trojans and more time worrying about how you'll encrypt the sensitive data we talked about, guard against theft of the device, educate the help desk, and extend the reach of your mobile security technologies. When we analyze the coverage of most mobile device management suite deployments, for example, clients are surprised to see that there are devices that bypass their MDM software and go directly to ActiveSync, use legacy IMAP or POP3, or have VPN access into the network and users don't even realize their devices are connected. You can't foresee the next threat coming down the pike, so focus your efforts on making sure you have as many capabilities as possible to secure as many mobile device types and platforms as possible.
3. Management Risk
Mobile security is difficult because of the thousands of devices being traded in, lost, stolen, and updated with new apps and firmware every day. You're always going to struggle to keep up with the velocity of change, so make sure you have a process to quickly analyze the risk any given mobile threat presents to your data, and to evaluate new operating systems and devices. Do you have a person or team responsible for monitoring the latest malware notifications or evaluating popular new platforms for vulnerabilities? The recent discussion of the security implications of the Kindle Fire is a great example. The day the Fire was released, it began accessing corporate email and Wi-Fi networks. How would you handle 20% of your company's workforce logging on using a new, unknown mobile device with an untested version of Android? Also, as we mentioned before, mobile devices are traded in, damaged, and stolen--a lot. Do you have a policy to make sure they're wiped first?
Analyze the processes you'll use to deal with malware alerts and end user problems. How likely is it that you can consistently execute these processes? Be honest--are resources allocated properly? Do you have enforcement mechanisms for mobile security policies?
The first and last line of defense for mobile devices is the user. Users are running at admin level and have the ability to install and delete apps, reconfigure settings, back up data or not. How well are you informing them about risks? A handout as they go through new-hire training isn't enough. They need to know exactly what to do when they see something suspicious going on with their mobile devices. Comprehensive mobile security awareness training is very effective at reducing risk. I believe it is one of the strongest security controls you can invest in outside of MDM technology, but many companies I work with aren't prepared to talk with employees about these risks in an ongoing way.
Mobile security risk assessments provide great insights into where the organization is likely not to succeed when implementing mobile security and addressing the risks head-on while working with your mobile security council to determine what controls will most effectively reduce risk. Once you have some idea of how you want to go about reducing your risks, don't be afraid to perform some trial and error. Getting the right mix of risk reduction and good mobile experience is vital to the success of a mobile security program.
Get our in-depth report on strategies to reduce mobility risks to enterprise data free (registration required). Michael A. Davis is the CEO of Savid Technologies, a technology and security consulting firm based in Chicago.