The almost overnight adoption of smartphones and tablets by consumers over the last few years has forced businesses into major security adjustments. The biggest problem enterprises face as a result of integrating personal mobile devices is knowing where their data is at any given time.
That process was much simpler a few years ago, when most employees who needed mobile access to work-related documents, contacts or email were provided with BlackBerrys. It was even easier when work was done only at the office, and companies felt their data was safe in the data center behind locked doors and firewalls.
"What has happened is everyone started building castles around your data and assumed that the data was going to be contained within the network. …Then it became very apparent that that's not going to be a solution for the long term. Now we need to protect the data wherever it is," said Andrew Storms, director of security operations at nCircle Network Security, a San Francisco-based security auditing firm.
SearchSecurity.com conducted a mobile security survey of more than 400 IT and security professionals in the second quarter of 2012. The survey asked about their mobile security concerns in the workplace, mobile security policies and the mobile security technologies being implemented at their company.
Of those polled, 53% indicated their company allows personal devices to connect to corporate networks. Supplying devices to provide that access for everyone increases productivity, but can be very expensive for an employer, Storms said. In that way, bring your own device (BYOD) lowers costs for the company.
"It's easier to let people manage their own contracts and pay their own bills," Storms said, especially when it allows people to choose which device they want to use every day. "We're more than likely to see fewer and fewer companies supplying those," he said.
That's the good news for employers. The survey found, however, that there could be some overlap with 83% of companies supplying employees with mobile devices. The finding is a bit confusing, said Lisa Phifer, a mobile security expert and owner of Core Competence Inc. It could represent the financial and government sectors, where major investments in BlackBerry Enterprise Server mean many organizations are still providing those devices, she said.
Mobile device management has been gaining a lot of momentum as corporate IT teams work out how to manage the influx of personal devices, Phifer said. Another option, virtual desktop infrastructure (VDI), is widely used in sectors such as finance and health care because it lets users access the required data without ever storing it on the device.
Theft and loss of a device are still the top concerns, according to the survey, but application security and data leakage also are a growing problem. Despite the increased risks associated with BYOD, the survey found that 74% of respondents indicated that the benefits of mobility outweigh the risks.
Many of the risks of BYOD have been overstated, said Marcus Carey, a security researcher at Boston-based vulnerability management vendor Rapid7 LLC. Access to corporate resources should be limited to email and calendar items, he said. That limits an attacker's ability to use the device as a stepping stone to more valuable assets. "If [an attacker] takes over an iPhone, you can't pivot to the corporate infrastructure like you could with a desktop system," he said. "That's where I think the mobile malware threat is a bit overblown."
If an attacker can use the device to steal an employee's legitimate credentials, he would have all the privileges granted to that employee without the threat of being detected by antimalware security measures, nCircle's Storms said. The attack techniques used to steal account credentials -- spear phishing and spoofing, for example -- are still far easier on Windows desktop systems, he said.
Upper management needs to understand that it's necessary to calculate and accept the risks associated with BYOD. "With the recent breaches that we've seen, it's not okay to say, 'We were breached, we've tried to do our best.' … You can take risks and just be honest about it," Storms said. "But you have to understand that you have to accept the risks, especially if there's a business case for it."