Mobile devices definitely play a big role in blurring the boundaries between work and personal life. However, sharing business and personal data on one device can be a recipe for disaster if employees don't appreciate how hackers are targeting mobile devices and taking advantage of the more-relaxed nature of mobile communications to infect their devices. Improving user behavior as part of a mitigation strategy is vital and will have a big impact on the overall success of mitigating this growing threat. This technical article provides some ideas of how to change user behavior and limit the chances of malicious mobile apps making their way on to employees' devices.
According to the recent IDG Global Mobility Study, 70% of employees surveyed access the corporate network using a personally owned smartphone or tablet. The use of personal mobile devices for work will only continue to grow, and the productivity benefits make it worth the effort to ensure they don't jeopardize data security. Given the diversity of mobile devices, it is often more effective to focus on educating users and on managing and tracking access to network resources than on trying to control each device.
Many users see bring your own device (BYOD) policies as a chance to escape the restrictions of network-enforced security. They don't appreciate that cybercriminals are increasingly targeting mobile users to take advantage of those who let their guard down. Established and successful attack techniques such as spam and phishing are being adapted for the mobile environment to trick users into providing confidential information and downloading malicious apps. Users need to understand this and know how to avoid becoming a victim.
Existing security awareness training tends to be based around the desktop user. It must be updated to reflect the marked differences in how employees use a mobile device compared to a desktop, and the greater risks associated with downloading mobile apps. For example, mobile users download dedicated apps to access content and perform specific tasks; they don't use search engines and a browser nearly as much as desktop users. Also, many mobile users are unaware of how to configure the built-in security and privacy settings of their devices, or how to turn off features such as location tracking.
Mobile device security training must stress the importance of only downloading apps from trusted sources and avoiding those that request excessive privileges. Tapping "Continue" during the installation process without checking what's being accepted is a habit that has to be stopped. Users should consider app ratings and read reviews, as they often flag apps that should be avoided. Security controls such as encrypting personal data are important features to look for in app descriptions. Any apps that try to imitate other well-known apps or vendors should never be installed.
Hackers have plenty of opportunities to trick mobile users when they surf the Web, as it's far harder to verify a site's URL on a mobile device. Users are accustomed to redirects to pages optimized for mobile devices, and many URL links are shortened, hiding the real destination. Nor can a user hover over a link in an email to see the true URL. These aspects of mobile surfing mean that users have to exercise more caution when a site asks for personal details or prompts them to download an app.
While mobile devices may introduce a more informal way of communicating and working, security policies and disciplinary measures can't be relaxed. Without the proper enforcement of mobile policies, users will quickly discard best practices. Deploying a mobile device management system to require passcodes and encryption, and to remotely wipe lost devices, can help counter careless use while giving IT visibility into which apps are accessing corporate data.
New techniques for attacking mobile users will continue to emerge, making regular training updates essential. Mobile security policies won't be effective if organizations don't pay attention to the user experience and prepare security training that reflects the different threats and attack vectors a mobile user faces. To help embed security into employees' everyday work life, mandate training for new hires before allowing them mobile access to network resources. Make sure they can identify signs of infection: degraded battery and processing performance, and problems with frozen apps, are common ones. Also restrict certain activities or services for users who do contravene policy, to show that security is taken seriously.
Failing to incorporate training specific to mobile use will leave users and their devices as the biggest hole in network defenses. Improving their security posture is the most efficient way to protect enterprise assets from the inevitable rise in the use of mobile devices.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.