With greater connectivity comes greater risk.
This can be a cause of concern and stress for many of us. In a world that expects us to be connected anywhere and at any time, we often fail to understand that this means we are also at risk – everywhere and at all times.
As our work and personal environments become increasingly blurred, the challenge for organisations today is to strike the right balance between security and openness to staff working flexibly, especially when they use mobile devices. A huge variety of ‘things’ are being connected to the Internet, and with data being stored in multiple environments, the risk is increasing. Smartphones are becoming one of the biggest sources of that risk, and businesses need to understand how to minimise them as a potential vulnerability.
Who’s on your phone right now?
According to research from McAfee Labs, more than 16 million mobile malware infections were detected in the third quarter of 2017 alone, nearly double the number from the prior year. Gartner forecasts that a third of all malware will be mobile by 2020. It is clear that as more of us join the digital revolution, the incentive for malware authors to target our mobile devices grows.
Malware can take many forms, including spyware that monitors a device’s content, programs that harness a device’s internet bandwidth as part of a botnet sending spam, and phishing overlays that capture a user’s credentials as they are typed into a compromised but otherwise legitimate app.
With all this evidence, you would think that companies would ensure that any device which touches their network is checked and verified. Unfortunately not: most devices are still protected only by a simple password, and that is no longer fit for purpose. Fraudsters have had an easy time gaining access to corporate data through poorly secured devices, apps lacking strong security protection, and rogue services masquerading as genuine ones, such as fake public Wi-Fi hotspots.
The boundaryless society
For too long, companies have assumed that securing the boundary with a good firewall will provide the required protection. The issue is that we don’t know where the boundary is anymore.
Let’s take flexible working as an example. In today’s increasingly connected society, flexible working has become more widespread and is steadily being implemented more successfully. In fact, according to our research, 73% of employees believe they have a good flexible working policy. In order for these employees to work remotely, they are relying heavily on mobile technology. This means that there is no physical boundary but instead, the employee becomes the boundary, and any individual can form the edge of the network.
We therefore now live in a borderless society. With employees able to connect to workplace tools, apps and information over any unsecured network, an attacker on that network can intercept or tamper with the connection. What’s more, if we lose a mobile device, most of us have our sensitive apps already logged in, leaving whoever finds it free to read, steal or wipe whatever data they want.
The battle to achieve greater smartphone security
In order for business leaders to protect their most valuable asset, company data, they must develop strategies that establish trust in the processes that collect, capture and transfer sensitive information between people both inside and outside the organisation. They can do this by being Secure by Design: adopting a security methodology that takes into account every aspect of the solution.
Our Secure by Design methodology has 4 key principles:
- Defence in depth – using a series of different defences together rather than a single point solution. There is a wide range of commercial off-the-shelf (COTS) products, but the key is to understand how these can be combined with traditional network security to provide a truly holistic solution. This is where a managed security service provider (MSSP) can help by delivering security across multiple products and services.
- The weakest link – you can’t secure what you can’t see, so companies need to know who is connecting to the network. We see a lot of discussion around zero trust, but often we suffer from zero visibility. Identity and access management (IAM) not only shows you who is connecting to what, it can also monitor behaviour to spot a user or device acting suspiciously: was that a sudden, unplanned trip to a foreign country, or has someone stolen your account credentials?
- Security is a process – security is not a product or a one-time goal; it should continue throughout the lifetime of the service and constantly evolve to meet and defeat the latest threats. Next-generation technology can now be deployed to mobile devices, protecting them with a multi-layered defence that allows updates and adaptations as required, without the big-bang change that so often holds organisations back.
- Keep it simple – security should never compromise usability. Solutions need to be secure enough first, then maximise usability without extensive configuration. Keeping it simple means we can keep technology flexible and adapt to changes in the way we work. Where we once saw every device as a liability and everyone carrying one as a security incident waiting to happen, initiatives like bring your own device (BYOD) no longer need to cause nervousness.
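The behavioural check described under the second principle above (a sign-in from a place the user could not plausibly have reached since their previous sign-in) is usually implemented as an impossible-travel rule. The following is an added example and not code from the original article or from any product it mentions. The sign-in events, city coordinates, the 900 km/h speed ceiling and the 100 km noise floor are all constructed for illustration; in a real deployment the events would come from the identity provider’s sign-in log and the coordinates from an IP geolocation lookup.

```python
"""Impossible-travel detection over sign-in events (added example, not from the article)."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sample sign-in log. In practice these come from the identity
# provider's audit log, with lat/lon filled in by an IP geolocation lookup.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-03-04T08:00:00Z", "city": "London",   "lat": 51.5074,  "lon": -0.1278},
    {"user": "alice", "ts": "2024-03-04T09:30:00Z", "city": "Moscow",   "lat": 55.7558,  "lon": 37.6173},
    {"user": "bob",   "ts": "2024-03-04T08:00:00Z", "city": "London",   "lat": 51.5074,  "lon": -0.1278},
    {"user": "bob",   "ts": "2024-03-04T12:30:00Z", "city": "Berlin",   "lat": 52.5200,  "lon": 13.4050},
    {"user": "carol", "ts": "2024-03-04T07:00:00Z", "city": "New York", "lat": 40.7128,  "lon": -74.0060},
    {"user": "carol", "ts": "2024-03-04T18:00:00Z", "city": "London",   "lat": 51.5074,  "lon": -0.1278},
    # Two sessions at the same second from opposite sides of the planet:
    # the usual signature of a stolen session token being replayed.
    {"user": "dave",  "ts": "2024-03-04T10:00:00Z", "city": "Sydney",   "lat": -33.8688, "lon": 151.2093},
    {"user": "dave",  "ts": "2024-03-04T10:00:00Z", "city": "London",   "lat": 51.5074,  "lon": -0.1278},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points given in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Return one alert per consecutive sign-in pair that implies travel faster
    than max_speed_kmh (roughly airliner cruising speed). Pairs closer than
    min_distance_km are ignored so that geolocation jitter inside one metro
    area does not fire the rule."""
    by_user = {}
    for event in events:
        by_user.setdefault(event["user"], []).append(event)

    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(user_events, user_events[1:]):
            distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if distance < min_distance_km:
                continue
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            # Zero elapsed time across a real distance is the strongest signal of all.
            speed = distance / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": prev["city"], "to": cur["city"],
                    "distance_km": round(distance, 1),
                    "hours": round(hours, 2),
                    "speed_kmh": speed,
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(f"{alert['user']}: {alert['from']} -> {alert['to']} "
              f"{alert['distance_km']} km in {alert['hours']} h ({alert['speed_kmh']:.0f} km/h)")
```

On the constructed log, bob’s London to Berlin hop (about 930 km in 4.5 h) and carol’s New York to London flight (about 5,570 km in 11 h) are both feasible and stay silent, while alice’s London to Moscow sign-in 90 minutes later and dave’s simultaneous Sydney and London sessions are flagged. The speed ceiling is a tuning knob: VPN egress points and mobile carrier NAT pools routinely geolocate hundreds of kilometres from the user, so a production rule is usually paired with a list of known corporate VPN and proxy ranges before it is allowed to lock an account rather than merely raise a ticket.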
With the principles understood and the security design created, businesses can roll it out to employees and ensure all security policies are communicated to staff. By communicating with and listening to staff, employers can explain the rationale behind the business’s security plan, and employees will respect and adhere to the plan if they understand the reasons for it.
Security is still trying to catch up with new working practices – we’ve embraced the latest technologies, without fully taking into account the risk. With our workplaces situated very much in the mobile world, it’s time to prioritise security and protect the edge of our networks, wherever that may be.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.