ROGERS WHITE PAPER

MOBILE SECURITY THAT HELPS BUSINESS GROW

Produced by IT World Canada for Rogers Communications. May 2011


TABLE OF CONTENTS

Changing the Traditional Security Mindset
Highlights of the CIO Security Study 2010
Mobility’s Built-in Benefits
Emerging Threat Vectors
Types of Threats
7 Steps to Better Mobile Security
Building a Culture of Mobile Security


CHANGING THE TRADITIONAL SECURITY MINDSET

If you drive down certain country roads in rural Canada, you may be occasionally greeted by a sign that says “ACCIDENT – It’s Only A Word Until It Happens.” You could say the same thing about the way most companies treat IT security.

When data is compromised and customer information makes its way into criminal hands, or viruses temporarily shut down operations, most organizations are quick to respond. They will consult the experts, conduct a post-mortem. The larger ones will hire or appoint a chief security officer, if they don’t already have one. Smaller ones may undergo in-depth security training and purchase expensive software to protect themselves. Security strategies are never more thorough than when they are reactive.

The advent of mobile computing, which began with laptops but which is quickly moving to smart phones and tablets, presents the dire possibility that history will repeat itself – that companies will wait until something terrible happens involving a mobile device before taking steps that could prevent the worst from happening. Yet much has been learned from IT security trends that first surfaced in the PC era that can be applied to mobility, and there are many security experts who are quick to point out the safeguards as well as the vulnerabilities inherent in most mobile devices.

From CRM to authorizations to business intelligence, mobile applications help organizations better support on-the-go workforces and engage more effectively with customers. Security allows us to capitalize on these opportunities.

IT World Canada and Rogers have had the benefit of talking with countless CIOs, IT managers and technical staff who are already investigating these issues. The smartest people among this group see security as a way to move business forward, rather than a series of “no’s” which create a barrier to innovation. They see good IT security as a way of making the business case – of arguing, for example, that a company can allow more choice of mobile device to employees and greater use of software that extends their capabilities across geographies.

We also have the benefit of our affiliation with other members of the International Data Group (IDG) News Service who report on these issues, and the joint research projects we conduct to probe these issues in greater detail. This white paper brings together all these resources to help articulate a realistic vision of how mobile security needs to be considered, in a way that allows IT departments to be positive contributors to their company’s business objectives.

HIGHLIGHTS OF THE 2010 CIO SECURITY SURVEY

Mobility is only one aspect of a challenging slew of IT security issues facing companies of all sizes. In order to home in on the ways potential threats around mobile devices can be addressed, it’s important to understand how CIOs, IT managers and other technology staff are setting their priorities and allocating the resources available to them. The approach of these enterprises can be an early indication of how SMBs will likely deal with the same problems.

Every year IT World Canada, in cooperation with our International Data Group affiliates in 90 countries around the world, conducts an in-depth research survey of chief information officers focused on security. Here are some key findings from that research. [1]

Endpoints Enter The Picture

Although most CIOs see their security budgets remaining flat or enjoying very moderate growth in 2011, the top five technologies they invest in to protect corporate data include end user firewalls, biometrics, data leakage protection, locks and keys for computer hardware and encryption for removable data. This last area is of obvious importance as more users plug USB keys into their laptops while out of the office. We expect more mobile-specific security tools – which are already being released by the likes of Symantec, McAfee and other major players – to join this list in 2012.

Pressure Trumps Policy As Investment Driver

When we asked CIOs why they invest in the security technologies they do, the most-cited answer was “legal and regulatory requirement,” which has probably been true ever since Sarbanes-Oxley, legislation to protect against the kind of accounting scandals perpetrated by the likes of Enron and WorldCom, was enacted. “Client requirement” came second, but “professional judgement” came third, followed by “common industry practice” or “potential liability or exposure.”

[1] The survey results, which are obtained in collaboration with consulting firm PricewaterhouseCoopers, include more than 12,000 responses, including a small portion from Canada.


It may be that, as new security threats continue to proliferate (particularly on mobile devices), it is becoming so difficult for IT administrators to keep up that they lack confidence in their professional judgement. If the main drivers of good security practices come from outside forces, however, it’s hard to imagine protection of company data as anything other than a chore. It should be the goal of an IT department – or an organization as a whole – to be more self-directed in this area, as part of an overall strategy for business growth.

In terms of cybercrime’s impact, financial loss is the No. 1 worry, followed by intellectual property theft and compromising one’s brand or reputation. All this suggests that security continues to be driven by costs, but perhaps there’s another way to look at this. Good security not only prevents financial loss, but allows companies to grow revenue through the ability to capitalize on new opportunities through technology – in other words, mobility.


Top spending “justifications” in 2010

| Justification | 2007 | 2008 | 2009 | 2010 |
| --- | --- | --- | --- | --- |
| 1. Legal & regulatory requirement | 58% | 47% | 43% | 43% |
| 2. Client requirement | 34% | 31% | 34% | 41% |
| 3. Professional judgment | 45% | 46% | 40% | 40% |
| 4. Potential liability / exposure | 49% | 40% | 37% | 38% |
| 5. Common industry practice | 42% | 37% | 34% | 38% |
| 6. Risk reduction score | 36% | 31% | 31% | 30% |
| 7. Potential revenue impact | 30% | 27% | 26% | 27% |

Business impacts

| Impact | 2007 | 2008 | 2009 | 2010 |
| --- | --- | --- | --- | --- |
| Financial losses | 6% | 8% | 14% | 20% |
| Intellectual property theft | 5% | 6% | 10% | 15% |
| Brand / reputation compromised | 5% | 6% | 10% | 14% |


BUILT-IN BENEFITS OF MOBILE SECURITY

Some senior executives are immediately worried about arming their employees with devices that allow, in effect, for sensitive business information to walk out the door. What they may not realize is that mobile devices have some advantages over their desktop predecessors – advantages that may not last forever but can, for the moment at least, offer some justification for further mobile investments.

1. OS variety: Unlike PCs, which were dominated by Windows, mobile devices run on multiple platforms, limiting the ability for malware to infect all phones. Although some businesses may prefer to standardize on one platform to simplify support, consumers are bringing in a plethora of other devices, creating challenges in IT departments as well as this benefit.

2. Mobile architectures: These tend to be more closed than their PC counterparts, with limited access to documentation and debugging tools, making it more difficult (at least initially) to identify the vulnerabilities necessary for malware to propagate.

3. App stores: RIM’s BlackBerry App World, iTunes App Store and those offering apps for Android devices present the most popular or, in some cases, the only avenue for deploying new software on mobile devices. This limits the ability of a worm to propagate by directly installing executable code on a mobile device. It also adds a layer of review that software is subject to before it can be deployed on a device.



EMERGING THREAT VECTORS

Even experts can’t agree on how big the security issues around mobile devices are. Mformation, which provides mobile device management technology, commissioned researchers Vanson Bourne to survey more than 300 IT managers across North America and the U.K., and found that 78 percent of respondents don’t know what devices are connected to the corporate network.

Seventy-six percent said that employee-owned mobile devices are creating security headaches, while only 56 percent said they would be able to secure a device that has been lost or stolen.

Others worry that the range of devices will make patch management much more difficult, and that developers aren’t doing enough to build security into their applications. So far, some of the biggest holes include the following:

• Social networking: A study from Google showed that almost one quarter of users who fell for a recent scam on a social network did so from their mobile device.

• Games: Monkey Jump and other games are being illegally copied and repackaged with code designed to steal personal info (source: Lookout Mobile Security).

• Malware: Gemini, botnet-like malware built to lift and transmit personal data from a user’s phone and ship it to a remote server, surfaced late in 2010.

There is perhaps no bigger threat, however, than employees. This has always been true in the desktop era, but mobility potentially increases the amount of damage individual staff can do to a company’s data.

The “consumerization” of IT, for example, means that staff are becoming responsible for purchasing their own devices – and aren’t always telling their IT company about what they’re doing with them. Loss or theft of devices means greater access to business as well as personal data. Internal threats from rogue or ex-employees are heightened by the range of applications and functions available through mobile phones – and weak security procedures.



TYPES OF THREATS

Once you’ve identified the biggest areas where security can be compromised, you need to know what those compromises will look like. They can be broken down into three main categories:

1. Traditional malware: Applications such as rogue dialers, which will send SMSes to premium-rate numbers owned by the fraudsters. Other threats include worms spread by communication protocols such as Bluetooth. Major security firms such as Symantec, McAfee and Trend Micro are all beginning to offer specific anti-virus software to assist mobile users.

2. Privacy, data collection issues: Mobile applications can also have other privacy-related risks such as collecting, transmitting or storing data. Advertising networks and mobile application developers are often highly interested in metrics around how and where people are using their applications. Data may include information identifying a specific device, with users unaware they are being tracked. Companies should not only work hard to understand what apps employees are using but be prepared to conduct a privacy impact assessment and offer training on the privacy vulnerabilities to employees.

3. Social engineering: Just like on desktops and laptops, fraud doesn’t have to involve a technical trick. Phishing -- the practice of using a fake website to trick users into revealing sensitive information -- is as much or more of a threat on mobile devices. People often trust their mobile device more than their computer and are therefore more vulnerable to phishing. Many firms will need to update their security policies and training programs to educate their users on these expanded risks and provide examples of what such phishing sites or e-mails might look like.



7 STEPS TO BETTER MOBILE SECURITY: AN IT ADMINISTRATOR’S CHECKLIST

Armed with this background data, what can you do today to begin creating a culture of mobile security? As always, it all starts with training and education. Get your coworkers focused on these common sense (but often overlooked) areas.

1. Secure your device with a password: All major smartphone platforms have built-in password options, and the majority of newer feature-phones, or non-smartphones, also offer some sort of password protection. Mandate that employees break out their phone’s user guide or search for it by model number online and help them to assign a password.

2. Make mobile-phone backup a priority – and a habit: Whatever the application, it’s wise to get in the habit of backing up smartphones every time an employee plugs one into their computer -- or more often if they rarely connect their handhelds and PCs. Many desktop sync programs let you set some sort of “automatic backup” option so your device backs itself up whenever connected to your PC, without any effort on your part. If a company already has a backup policy in place for desktops, it should be a relatively simple matter to extend this to the mobile space.

3. Add owner info to a phone’s locked home screen: Including lost-phone-reward info helps ensure that whoever finds a phone will also have a way to get in touch with users to return it, should the person be so inclined, as well as an incentive, if the company or employee decides to offer up a reward. Depending on the kind of data that may be stored on a device, it could well be worth compensating someone to turn a device in. Once again, instruct employees to hit up their mobile phone’s user guide or search online to see if their specific device has a built-in option to add owner information or a reward offer -- something like: If found, please dial 555.555.5555 for a $50 reward.



4. Keep a list of “emergency” contacts away from the phone: Train your mobile workforce to make a quick list of important contact people or companies and tuck it away in a wallet or purse -- preferably somewhere away from their cell phones, so they’re less likely to lose the emergency contact list along with their phone.

Sample contacts to include: A significant other; nearby friends or family; the IT department’s help desk or IT contact, if they are using a corporate-issued phone; AAA or other roadside assistance organization; their wireless carrier’s customer information line, should they need to freeze their account; etc.

5. Prepare phone-location and remote-wipe services: Depending on the specific mobile phone model, it may be possible to purchase and/or employ some sort of cell-phone tracking service to locate lost mobile phones (e.g., MobileMe, BlackBerry Protect). Some of these offerings also allow users to remotely wipe information from their device.

6. Reduce sensitive info, apps stored on your device:

• No files named “passwords”.
• No storing of payment information.
• Reduce the number of one-click purchase icons.

7. Encrypt or protect data stored on media card: If users aren’t asked to encrypt or otherwise protect the information stored on their media card, a malicious party could simply remove the card from their locked and secured device and access its data from a compatible card reader, like another smartphone or a PC.

CREATING A CULTURE OF MOBILE SECURITY

Security should be a force of positive motivation, rather than a negative, necessary evil. It’s motivating because good security is key to winning customers’ trust, which is becoming the currency most valued by customers who perform more and more of their transactions online, from their mobile devices.

All organizational cultures are somewhat unique, but there are standard techniques that may help to determine the best way to not only get IT security on the radar of mobile employees, but to turn it into something they consider a shared company value.

1. Conduct a self-assessment of your traditional IT security posture in the PC/desktop world and identify the gaps. How can these be addressed in the mobile environment?

2. Determine your organization’s risk appetite – what is necessary for business growth and what poses a threat to customer or partner relationships?

3. Recognize and recruit mobile security champions or ambassadors among tech-savvy employees – delegate some of the messaging and communication to those who have the respect and authority among their peers.

The advice in this white paper does not guarantee that you’ll never face security issues due to mobile devices. It can, however, be the first step towards turning security from something that gets in the way into the most logical way forward.

For more information about Rogers Wi-Fi Calling for Business, please contact your Rogers representative.

ABOUT IT WORLD CANADA

IT World Canada is the Canadian affiliate of International Data Group (IDG), the world’s largest IT information media provider. We have been creating conversations and building relationships with the influential network of Canada’s technology professionals, business managers and executives for over twenty-five years by delivering timely, incisive information they can trust through digital publications, events and print brands.

Reaching the distinct and influential decision maker in business and the business of Information Technology, (French and English) readership totals with reach of 2.5 pass along, 300,000, and 120,000 individual IT professionals and business executives...and still growing because we at IT World Canada are Canada’s trusted IT Media Publishers. Our mission is to inform, to teach, to empower, to connect.

ABOUT ROGERS COMMUNICATIONS

Rogers Communications connects 1.5 million subscribers in small, medium and large businesses and the public sector to their customers, suppliers, partners and employees with reliable wireless voice and data services. As well, more than 130,000 subscribers rely on Rogers for affordable and reliable small business Internet, telephone, and TV services that help improve their customer service and bottom line. Rogers Communications wireless voice and data services are built on Rogers’ proven HSPA+ network, the first in Canada and the only one based on GSM, the global standard. Rogers phones and devices are world ready, allowing employees to stay connected wherever their business takes them. Rocket™ internet services enable businesses to get easy internet access where and when they need it and to remain productive and responsive. Rogers also provides custom wireless solutions for mobile workers, fleet and asset management, business continuity and machine-to-machine communication. All Rogers business services are backed by 24/7 technical support.

For more information, please visit www.rogers.com/business.

™Rogers, Rocket & Mobius Design plus and related brands marks and logos are trade-marks of or used under license from Rogers Communications Inc. or an affiliate. BlackBerry®, RIM and related names and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world, used under license from Research In Motion Limited. All other brand names are trade-marks of their respective owners. ©2010 Rogers Communications