One Mobile Device Security Threat You Haven't Considered - InformationWeek
05:50 PM
Connect Directly
Building Security for the IoT
Nov 09, 2017
In this webcast, experts discuss the most effective approaches to securing Internet-enabled system ...Read More>>

One Mobile Device Security Threat You Haven't Considered

Remember that Dilbert cartoon where the waitress comes back wearing a fur coat? Wireless store employees may be the next ones wearing mink, thanks to your data.

Whenever I talk with clients or other industry folks about mobile security, they inevitably ask, What is the No. 1 threat to mobile devices? Is it new Trojans for Android, or perhaps theft?

Until now, my stock response has been that every organization has a unique risk profile, and that's still true. There's no way around performing a mobile security risk assessment to determine what threats your organization is most vulnerable to. Uncurated app stores, phones left in taxis, public hotspots -- there are lots of ways employees can be tripped up. But lately, I’m recommending that infosec teams add a new danger they may not have considered: the wireless store.

The announcement of the iPhone 4S means wireless stores and kiosks across America are amping up operations to handle an influx of customer orders from those who have to have the newest thing. Sprint is reportedly betting its business on iPhone sales. And don't forget that Android devices are also selling like hotcakes. So what do our employees -- who are consumers, remember -- do when a new phone comes out? They buy it. Your CFO may, as we speak, be handing a helpful employee his old iPhone 4 or Android device. The helpful employee walks in the back room and transfers data to the new phone.

But are you sure that "old" phone didn't contain any scrap of confidential corporate data? Or that it can't give a wireless store worker access to your network? How do you know, when that data transfer is being done, that the helpful employee isn't helping himself to everything on the device?

You don't, unless you have policies in place and spend some time educating your users and help desk staff. Make it clear that before any device is upgraded or discarded, it must be wiped of sensitive data. That's for the employees' benefit as well as the company's. And back up that advice with a policy that disallows registering a new phone on the network until you're satisfied the old one isn't a threat.

That means that, before people start snapping up new high-powered mobile devices like the iPhone 4S and Samsung Galaxy S II, you need to analyze your device registration process. If you don't have one, now is the time to develop one. If yours is a "bring your own device" shop, this is essential to managing the madness -- especially if you don't have mobile device management software in place, as new phones inevitably lead to new help desk calls.

Here's a quick checklist of things that must be part of your registration process:

1) Make sure each device is tied back to a user -- not just a cost center. This adds accountability.

2) If you have MDM software, prevent a new registration until you confirm that the old device has had its data erased.

3) If you don't have MDM software, implement a default-deny policy for new devices connecting via ActiveSync or BES (both have that capability) so that users MUST contact the help desk to get corporate email or network access on their new phones. I discuss more ways to control access here.

4) DOCUMENT THIS PROCESS! And communicate that this is how any new activation will occur, so your co-workers don't head to the AT&T store and claim the phone isn't working. This is where education pays off.

5) Train the help desk to handle these situations. It will get support calls as consumer mobile devices permeate the business. When an employee says, "This doesn’t work," sending her off to the carrier store is asking for trouble (see No. 4). While there are thousands of phones and tablets, focus your efforts on the top sellers, and remember: Android is Android. There are more than 214 flavors across all the carriers, so having the help desk know Android will go a long way. Ditto for iOS. Every help desk has a person who enjoys playing with new hardware, so tap him to be the mobile research manager and, if you org is big enough, pay for new phones and use him to train others.

6) If you do have MDM software -- and you should -- have a plan for when a user brings in a device the MDM suite doesn't support. Most likely, it will happen. Do you deny or allow? If you allow, must the employees agree to conditions, such as they can use the phone but corporate email will be denied, or they can use the phone but won't receive support for it until the MDM suite can support it? Depending on your organization, these may not fly (especially when an executive is the one with the new phone), so we against strongly suggest your help desk be on top of things.

7) Stay up to date on new malware and other threats to major new releases, like the Apple iPhone and iPad, and major Android phones. I recommend tracking the popular HTC Evo and Samsung Galaxy lines, at minimum.

If you haven't invested in MDM, get it in next year's budget so your security policy can be backed up with technology.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/12/2011 | 1:24:57 PM
re: One Mobile Device Security Threat You Haven't Considered
Bprince is right. Show of hands here...... How many folks have a drawer somewhere with old, retired devices in it?
User Rank: Apprentice
10/7/2011 | 12:04:51 AM
re: One Mobile Device Security Threat You Haven't Considered
Interesting. A mobile phone retirement process is something that I can see easily slipping below the radar at most organizations.
Brian Prince, InformationWeek contributor
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll