Tips to Increase Your Mobile Security
Whilst lost devices raise serious privacy concerns, websites are successfully being attacked on a daily basis. This comes at a time when Bring Your Own Device (BYOD), longer value chains and a greater diversity of devices, protocols and file formats generate more risk to your enterprise.
Michel De Goede, Strategy Consultant and Enterprise Architect at Alliander, has put together some tips on how to enhance your security while keeping your budget low!
Crack down on rogue employees
41% of IT security professionals view rogue employees as their biggest risk, against 31% who blame malware and targeted cyber-attacks (1). These employees may be employed by your organisation, or be working as subcontractors or temps.
This image shows the type of crimes that staff may engage in:
(source: Spotlight On Insider Threat from Trusted Business Partners (2012), CERT)
External cyber attacks may target staff
Organised criminals will go for easy money and easy victims, where the numbers make up for the lower gain per victim. Who hasn't seen a bank scam asking them to fill out an account number and PIN code? If you haven't, chances are that your staff's mobile devices contain exploits scanning years of your email, phone numbers and contact information, helping criminals to get to your money or monetisable information. (2)
Or will the villains target the consumer?
Besides infected email and malicious websites, 2012 was also the year in which targeted attacks against small businesses (typically < 2,500 employees) increased, with the smallest (< 250 employees) hit the most due to a lack of consistent security measures and existing vulnerabilities, especially on mobile / BYOD devices. Crime also seems to have 'moved downstream' from government and public organisations to manufacturing. As infected email or material from malicious websites spreads via contact lists, ultimately the impact may land on you!
(source: Internet Security Threat report (2013), Symantec) (3)
Get your strategy together
Your organisation may suffer from the potential impact of a security risk. Instead of primarily investing in 'barrier enhancement' (expensive: trying to avoid impact by placing a barrier such as a virus scanner, sandboxes or Identity and Access Management tooling), cleverer options, like capping the transferable amount of your mobile banking app at $250, can save a bundle. The six known risk strategies are:
- Ignore: the head-in-the-sand, 'see-no-evil-hear-no-evil' tactic
- Accept: accept the potential impact of some risks to your organisation
- Reduce: reduce the potential impact or probability of a risk occurrence, like the banking app mentioned above
- Transfer: use insurance or subcontracting to transfer potential consequences of risks
- Avoid: do not enter the type of business that may incur potential risk impact deemed too high
- Exploit: risk is also an opportunity, and high-risk investments may yield high returns
Plot your mobility risks
Apply the referenced literature to your organisation; the diagram below will lead you to the appropriate course of action.
More measures, lower security budget
Thinking of barrier enhancement solutions seems to be a default attitude when looking at mobile security. However, this will lead to paid probability reduction only and therefore to higher-than-necessary costs. Here are some takeaways to avoid fast-growing budgets:
- Transfer a portion of your mobile risk portfolio to business partners.
- Be aware. Educated staff will reduce the number of security incidents
- Withdrawal of authorisations and access rights will reduce the probability and potential impact of your business partners' rogue actions
- Screen business partners with advanced system privileges (probability reduction)
- Enhance monitoring of business partners / employees with an impending or ongoing issue
- Protect the device, sandbox or virtualize apps, encrypt data or the device and add MDM software with passwords
- Monitor logs and/or subscribe to a monitoring and defense party (probability and impact reduction)
Mobile devices introduce additional risks in your organisation. With an adequate risk-addressing strategy, however, quite a few measures can be found that are either free or relatively cheap to implement: more security measures may actually lead to lower security budgets.