Enterprise mobile security still lagging: Experts

• Many enterprises still do not have coherent mobile security strategy
• Processes, people, technology & enforcement needed to make it work

THERE is no doubt that mobility was a dominant theme last year as smartphone and tablet sales grew exponentially. But one theme connected closely with mobility that did not receive as much spotlight was security.
 
According to market researcher GfK, smartphone ownership continued on its uptrend across South-East Asia, with total sales rising in the last 12 months in the seven markets of Singapore, Malaysia, Thailand, Indonesia, the Philippines, Vietnam and Cambodia to a high of nearly 120 million units.
 
Similarly, media tablet volume sales was up 41% in South-East Asia for 2014, noted another GfK report.
 
Although the growth of mobility has been nothing short of phenomenal, two industry experts Digital News Asia (DNA) spoke to believe that mobile security trends have not yet been fully absorbed or practised by enterprises, resulting in several challenges.
 
Maneesh Chandra, associate director of cyber-security at PwC Malaysia, believes that many enterprises still do not understand general mobility trends, let alone mobile security.
 
Speaking to DNA via email, he argued that initially, when the bring-your-own-device (BYOD) trend started to become popular, a number of enterprises reacted wrongly and tried to ban the use of personal devices in the workplace.
 
However, this has not worked, he noted.
 
Maneesh (pic) pointed out that while some companies have their own BYOD policies, others have not created any but have merely set up some basic processes to manage their users’ mobile use.
 
“The approach, in general, is a mix of processes and technology, with policies being created for users to understand and follow,” he said.
 
“But I feel that the best way to approach mobile security is to first create a mobile security strategy, and then implement it in a structured manner.
 
“This involves instituting the BYOD policy, then working out and implementing the technology, especially mobile device management (MDM) and encryption technologies, and related processes,” he added.
 
Maneesh said noted that accompanying this must be the education of users – this this is the most important part of the process as the devices are ultimately in their hands, and they should be responsible for such use.
 
Asked for a good example of a framework that an enterprise could follow, he suggested the Guidelines for Managing and Securing Mobile Devices in The Enterprise, released as a draft by the National Institute of Standards and Technology (NIST), which is part of the US Government.
 
“NIST’s draft policy for securing mobile devices supplements its already-published general security recommendations for any information technology,” he said.
 
Goh Su Gim, Asia security advisor for cybersecurity firm F-Secure Corp, concurred with Maneesh, saying that building awareness of the security risks associated with using and downloading apps on mobile devices was “highly imperative.”
 
“The security mindset of the user must change,” he said via email. “All employees should be responsible for the security of their portable devices, rather than them putting all the responsibility on an enterprise’s security administrators.”
 
Goh also suggested that enterprises have strict MDM policies to help to control what apps can be installed and what corporate data needs to be protected or ‘sandboxed’ – apps that are kept separate from other running apps – in a secured environment.
 
“Enterprises should have an MDM policy to manage all mobile devices used by their employees for corporate purposes.
 
“That includes mobile security software for malware/ spyware protection; anti-theft features to prevent data leakage should a phone get stolen or lost; and a manageable central interface to ensure all portable devices are protected,” Goh said.
 
Jailbreaking and rooting?
 
One of the more popular things consumers like to do with their smartphones is ‘jailbreaking’ or ‘rooting,’ something that should not be encouraged with enterprise users, said Maneesh and Goh.
 
According to Wikipedia, jailbreaking is the process of removing limitations on iOS, Apple’s operating system, on devices running it through the use of software and hardware exploits.
 
Similarly, rooting is a process used to attain privileged control (known as ‘root access’) within the Android operating system’s sub-system.
 
Maneesh said a jailbroken phone pretty much allows the user to have access to all areas on the phone, and this can potentially open security holes that may have not been readily apparent, or which may undermine the device’s built-in security measures.
 
Meanwhile Goh (pic) said that F-Secure always advises against rooting, to keep the phones secure, because many malware or any trojan-based app on an infected jailbroken or rooted smartphone is able to gain administrative privileges to do more than the Android or iOS security framework is designed to protect against.
 
“For example, they can download more malicious apps and payloads into the phone, access resources, and alter system settings,” he said.
 
Maneesh went a step further, saying that introducing a jailbroken or rooted phone into a corporate network poses a severe risk as the user could override the original configuration provided by the organisation.
 
This could lead to data leakage as jailbroken and rooted phones are much more susceptible to viruses and malware, he added.
 
“It also allows users to download files from un-trusted sources which will avoid the Apple and Google application vetting processes,” he added.
 
Best practices
 
At the end of the day, security is only as good as its processes and enforcement, a philosophy that Maneesh said must be driven home within the enterprise and with its users.
 
Asked what could be done to mitigate mobile security risks, he advised companies to carry out a risk assessment and identify the areas or functions where personal devices are not allowed.
 
For instance, enterprises should consider what level of security is required for various resources such as financial applications, data, calendar, email, and human resource applications, he said.
 
“Decide on the [level] of access that would be provided using mobile devices – this could include a two-factor authentication process as required,” he argued.
 
Maneesh also suggested that enterprises work out the technology and processes required to ensure the above processes are followed, considering the short lifespan of mobile devices.
 
This, he said, includes centralising MDM technologies; instituting a mobile device security policy; and implementing a prototype of the mobile device solution before putting it into production.
 
“Other steps include securing each organisation-issued mobile device before allowing a user to access it; periodically reviewing mobile device security; and creating the awareness required for implementing the strategy via campaigns, policies, training,” he recommended.
 
F-Secure’s Goh added that other new protection services for portable devices such as encrypted VPN (virtual private network) services are also available in the market, and should be considered by enterprises.
 
“For example, our new Freedome app gives users a more invisible presence on the Internet without leaving digital footprints for cookie-infested websites that are designed to track users and their online habits,” he said.
 
Related Stories:
 
Beware ‘street BYOD,’ say Gartner analysts
 
As mobile usage grows, so should security: IDC
 
Security is a process
 
Information security is about you … yes, you!
 
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.