For those of us who remember the days when mobile phones weighed two pounds and were roughly the size of a large flashlight, it can be tempting to marvel at how we have managed to get so much computing power in a device tiny enough to fit in our pockets.
Nevertheless, here we are, with smartphones that are used not only for personal calls but also as means to access corporate networks and data. This new reality means that corporations need to secure a perimeter that now extends beyond the desktops in office cubicles to the iPhone and Android devices being used by employees as they sit in the airport. This explosion of devices accessing corporate data has created a new challenge for security professionals that mandates they not only focus on the user's device, but also on protecting the data itself.
[ Is it time to take a more integrated approach to security? Read It's Not 'Mobile Security,' It's Just Security. ]
Failing to do so can have significant consequences. A Check Point survey of 790 IT professionals around the world revealed that while 67 percent allow personal devices to connect to their corporate network, 63 percent of companies said they do not manage corporate information on their employees' personal devices.
A separate study by Javelin Strategy & Research found that 7 percent of smartphone owners surveyed were victims of identity fraud, an incidence rate one-third higher than the rest of the public. Part of this was believed to be due to user behavior -- 32 percent admitted to not updating their mobile operating system, and 62 percent said they did not use a password on their home screen.
These statistics alone should emphasize the importance of focusing on data. Because many users are not keeping up with security in basic ways, corporations need to be ready to look out for themselves. But even when device locks and passcodes are used, they are only partial solutions. After all, the amount of malware targeting mobile devices is on the upswing. If a device is compromised by malware, a passcode is not going to stop an attacker from making off with everything from the victim's email contact list to their location data. A hacker needs only to attempt a maximum of 10,000 tries on a phone protected with a 4-digit passcode (0000 through 9999). Even fingerprint entry has recently been hacked, although this is quite a bit more difficult.
One of the longstanding answers to the challenge of securing data has been mobile device management (MDM), which allows organizations to manage mobile devices user in the organization and set a security policy for the entire device. But MDM can appear to be heavy-handed security for employees and contractors. After all, employees are purchasing their own smartphones for their personal use. MDM can seem intrusive if a company now can manage and control a personally owned device. For enterprises, this is what makes focusing on the data so important.
Three ways of dealing with the issue come to mind: containerization of business data, user authentication, and data encryption.
- Business data containerization ensures that corporate data such as email, contacts, documents, etc. reside in a separate, encrypted area on the employee's smartphone. It also permits enterprises to apply policy controls only when accessing this data specifically as opposed to controlling the entire device. Business data stays in that particular container, reducing the chance of malware infections compromising information.
- Authentication and encryption offer additional layers of protection. By protecting enterprise data with additional authentication requirements above and beyond what is needed to access the device, organizations can enforce an extra layer of protection in the event a device falls into the hands of an attacker.
- Likewise, enterprises should consider protecting sensitive data both at rest and in transit with encryption.
Effective enterprise security requires the ability to monitor and compare anomalous behavior over time, connecting the dots among multiple events. Given the sophistication and volume of the attacks seen today, this is no small task. The EvaluatingAnd Choosing Threat Intelligence Tools report looks at the types of products available that will help you fight back and offers recommendations on how to evaluate and select them. (Free registration required.)