Mobile security risks and challenges
Nat Kausik, the CEO at Bitglass, offers advice to organizations moving to an increasingly mobile workforce and discusses the most common mobile security pitfalls.
Some consider mobile security to be an oxymoron. What do you think?
If employees were prohibited from accessing corporate data, there would be no security issues, but there also would be no productivity. Mobility allows employees to be more productive, since they have access to corporate data at all times, no matter where they are. The side effect of always-on access is the potential for always-on leakage of corporate data.
One key challenge for a security solution is to protect corporate data while allowing employees to be productive anywhere they go. Since employees often use the same mobile device for both work and life, a second challenge for a security solution is to protect corporate data without invading the user’s privacy. Users reject security solutions that invade privacy as soon as alternatives become available, e.g. users rejected the Blackberry when the iPhone came along.
BYOD and the mobile workforce are not going away. This means there has to be a way to balance the security needs of IT with the mobility and privacy needs of. Mobile security is certainly challenging, but not impossible, and it is an area that must grow and innovate as the modern workforce becomes increasingly mobile.
Based on the analysis of your client’s devices, what are the most common security pitfalls?
The most common security pitfall we see is allowing highly sensitive corporate data to flow to mobile devices in the first place. At the end of the day no security solution can prevent a rogue employee from taking a screenshot or other reproduction of sensitive data and sharing it on social media.
The challenge then is to minimize risks through a combination of technical and procedural controls. Procedural controls must revolve around end-user awareness and training. The more employees know about the security being deployed on their mobile devices the more comfortable they will be with respecting corporate security policies. Automated controls such as data leakage prevention technologies and access control engines ensure that corporate data is safe, even if employees accidentally or intentionally leak confidential information. And when the automated controls respect employee privacy, employees have no incentive to defeat those controls.
Procedural and automated controls can help mitigate the security vulnerabilities that are an inherent part of mobile data access.
How worried should organizations be when it comes to the security of their mobile devices? Do mobile devices require the same level of security as desktop computers?
I would advise clients that all mobile devices — be they smartphones, tablets or laptops — need to be treated as hostile devices. Contrary to popular perception, a laptop can be much more dangerous than a smartphone since it can carry a lot more data and it can also process and move that data much faster than a smartphone. I doubt that Snowden carried away loads of data from the NSA on his smartphone.
However, as we all know, mobile devices are by their very nature easy to lose or misplace. They can be left on the seat of a taxi, on a restaurant table or on a bench at the airport. This ease of misplacement makes them prime targets for a data breach. Many people do not take proper precautions to secure their mobile devices, such as ensuring all devices are password protected and that corporate data can be remotely wiped in the event of loss or theft.
What advice would you give to an organization moving to an increasingly mobile workforce?
The conventional approach of locking down mobile devices with software agents is not practical in a world with hundreds of different devices, BYOD and so forth. Corporations must focus on protecting their data, no matter whether it is on the device, in the cloud or anywhere else on the Internet. For example, a financial services organization is best advised to keep sensitive data off mobile devices. One way to do this without impacting productivity is to dynamically redact or mask sensitive data as it flows to mobile devices, e.g., mask all but the last four digits of Social Security numbers or credit numbers.
Likewise, a doctor affiliated with two different hospitals cannot carry three mobile devices, one controlled by each of the two hospitals and one for personal use. The productivity of the doctor would be much enhanced if she could use her personal mobile device for personal use, as well as for her work at both hospitals. Of course, each hospital would need to ensure that their sensitive patient data is dynamically redacted or masked as it flows to the personal device, so that data is meaningful without compromising security. And neither hospital should use technology that invades the physician’s privacy.
The above requires the organization to enforce several of the processes I have already mentioned, including educating their workforce both on the need for security and how they can help to keep corporate data safe. Education helps dispel fear, and employees who understand the security technology on their devices will be free to focus on work, rather than being worried that IT is snooping on their personal and private information.
In short, I would advise organizations to increase productivity by encouraging mobility, while protecting their data against leakage through a combination of user training and data security technologies that respect employee privacy.