Whenever I talk with clients or other industry folks about mobile security, they inevitably ask, What is the No. 1 threat to mobile devices? Is it new Trojans for Android, or perhaps theft?
Until now, my stock response has been that every organization has a unique risk profile, and that's still true. There's no way around performing a mobile security risk assessment to determine what threats your organization is most vulnerable to. Uncurated app stores, phones left in taxis, public hotspots -- there are lots of ways employees can be tripped up. But lately, I’m recommending that infosec teams add a new danger they may not have considered: the wireless store.
The announcement of the iPhone 4S means wireless stores and kiosks across America are amping up operations to handle an influx of customer orders from those who have to have the newest thing. Sprint is reportedly betting its business on iPhone sales. And don't forget that Android devices are also selling like hotcakes. So what do our employees -- who are consumers, remember -- do when a new phone comes out? They buy it. Your CFO may, as we speak, be handing a helpful employee his old iPhone 4 or Android device. The helpful employee walks in the back room and transfers data to the new phone.
But are you sure that "old" phone didn't contain any scrap of confidential corporate data? Or that it can't give a wireless store worker access to your network? How do you know, when that data transfer is being done, that the helpful employee isn't helping himself to everything on the device?
You don't, unless you have policies in place and spend some time educating your users and help desk staff. Make it clear that before any device is upgraded or discarded, it must be wiped of sensitive data. That's for the employees' benefit as well as the company's. And back up that advice with a policy that disallows registering a new phone on the network until you're satisfied the old one isn't a threat.
That means that, before people start snapping up new high-powered mobile devices like the iPhone 4S and Samsung Galaxy S II, you need to analyze your device registration process. If you don't have one, now is the time to develop one. If yours is a "bring your own device" shop, this is essential to managing the madness -- especially if you don't have mobile device management software in place, as new phones inevitably lead to new help desk calls.
Here's a quick checklist of things that must be part of your registration process:
1) Make sure each device is tied back to a user -- not just a cost center. This adds accountability.
2) If you have MDM software, prevent a new registration until you confirm that the old device has had its data erased.
3) If you don't have MDM software, implement a default-deny policy for new devices connecting via ActiveSync or BES (both have that capability) so that users MUST contact the help desk to get corporate email or network access on their new phones. I discuss more ways to control access here.
4) DOCUMENT THIS PROCESS! And communicate that this is how any new activation will occur, so your co-workers don't head to the AT&T store and claim the phone isn't working. This is where education pays off.
5) Train the help desk to handle these situations. It will get support calls as consumer mobile devices permeate the business. When an employee says, "This doesn’t work," sending her off to the carrier store is asking for trouble (see No. 4). While there are thousands of phones and tablets, focus your efforts on the top sellers, and remember: Android is Android. There are more than 214 flavors across all the carriers, so having the help desk know Android will go a long way. Ditto for iOS. Every help desk has a person who enjoys playing with new hardware, so tap him to be the mobile research manager and, if you org is big enough, pay for new phones and use him to train others.
6) If you do have MDM software -- and you should -- have a plan for when a user brings in a device the MDM suite doesn't support. Most likely, it will happen. Do you deny or allow? If you allow, must the employees agree to conditions, such as they can use the phone but corporate email will be denied, or they can use the phone but won't receive support for it until the MDM suite can support it? Depending on your organization, these may not fly (especially when an executive is the one with the new phone), so we against strongly suggest your help desk be on top of things.
7) Stay up to date on new malware and other threats to major new releases, like the Apple iPhone and iPad, and major Android phones. I recommend tracking the popular HTC Evo and Samsung Galaxy lines, at minimum.
If you haven't invested in MDM, get it in next year's budget so your security policy can be backed up with technology.