White Paper: Mobile Security

ROGERS WHITE PAPER
Mobile Security That Helps Business Grow
Produced by IT World Canada for Rogers Communications. May 2011

1. Introduction

TABLE OF CONTENTS
Changing the Traditional Security Mindset
Highlights of the CIO Security Study 2010
Mobility's Built-in Benefits
Emerging Threat Vectors
Types of Threats
7 Steps to Better Mobile Security
Building a Culture of Mobile Security

Changing the Traditional Security Mindset

If you drive down certain country roads in rural Canada, you may be occasionally greeted by a sign that says "ACCIDENT -- It's Only A Word Until It Happens." You could say the same thing about the way most companies treat IT security.

When data is compromised and customer information makes its way into criminal hands, or viruses temporarily shut down operations, most organizations are quick to respond. They will consult the experts, conduct a post-mortem. The larger ones will hire or appoint a chief security officer, if they don't already have one. Smaller ones may undergo in-depth security training and purchase expensive software to protect themselves. Security strategies are never more thorough than when they are reactive.

The advent of mobile computing, which began with laptops but which is quickly moving to smart phones and tablets, presents the dire possibility that history will repeat itself -- that companies will wait until something terrible happens involving a mobile device before taking steps that could prevent the worst from happening. Yet much has been learned from IT security trends that first surfaced in the PC era that can be applied to mobility, and there are many security experts who are quick to point out the safeguards as well as the vulnerabilities inherent in most mobile devices.

From CRM to authorizations to business intelligence, mobile applications help organizations better support on-the-go workforces and engage more effectively with customers.
Security allows us to capitalize on these opportunities.

IT World Canada and Rogers have had the benefit of talking with countless CIOs, IT managers and technical staff who are already investigating these issues. The smartest people among this group see security as a way to move business forward, rather than a series of "nos" which create a barrier to innovation. They see good IT security as a way of making the business case -- of arguing, for example, that a company can allow more choice of mobile device to employees and greater use of software that extends their capabilities across geographies.

We also have the benefit of our affiliation with other members of the International Data Group (IDG) News Service who report on these issues, and the joint research projects we conduct to probe these issues in greater detail. This white paper brings together all these resources to help articulate a realistic vision of how mobile security needs to be considered, in a way that allows IT departments to be positive contributors to their company's business objectives.

Highlights of the 2010 CIO Security Survey

Mobility is only one aspect of a challenging slew of IT security issues facing companies of all sizes. In order to hone in on the ways potential threats around mobile devices can be addressed, it's important to understand how CIOs, IT managers and other technology staff are setting their priorities and allocating the resources available to them. The approach of these enterprises can be an early indication of how SMBs will likely deal with the same problems.

Every year IT World Canada, in cooperation with our International Data Group affiliates in 90 countries around the world, conducts an in-depth research survey of chief information officers focused on security.
Here are some key findings from that research.[1]

Endpoints Enter The Picture

Although most CIOs see their security budgets remaining flat or enjoying very moderate growth in 2011, the top five technologies they invest in to protect corporate data include end user firewalls, biometrics, data leakage protection, locks and keys for computer hardware and encryption for removable data. This last area is of obvious importance as more users plug USB keys into their laptops while out of the office. We expect that more mobile-specific security tools -- which are already being released by the likes of Symantec, McAfee and other major players -- to join this list in 2012.

Pressure Trumps Policy As Investment Driver

When we asked CIOs why they invest in the security technologies they do, the most-cited answer was legal and regulatory requirement, which has probably been true ever since Sarbanes-Oxley, legislation to protect against the kind of accounting scandals perpetuated by the likes of Enron and WorldCom, was enacted. Client requirement came second, but professional judgement came third, followed by common industry practice or potential liability or exposure.

[1] The survey results, which are obtained in collaboration with consulting firm PricewaterhouseCoopers, include more than 12,000 responses, including a small portion from Canada.

TOP SPENDING JUSTIFICATIONS IN 2010

                                     2007   2008   2009   2010
1. Legal & regulatory requirement    58%    47%    43%    43%
2. Client requirement                34%    31%    34%    41%
3. Professional judgment             45%    46%    40%    40%
4. Potential liability / exposure    49%    40%    37%    38%
5. Common industry practice          42%    37%    34%    38%
6. Risk reduction score              36%    31%    31%    30%
7. Potential revenue impact          30%    27%    26%    27%

It may be that, as new security threats continue to proliferate (particularly on mobile devices), it is becoming so difficult for IT administrators to keep up that they lack confidence in their professional judgement.
If the main drivers of good security practices come from outside forces, however, it's hard to imagine protection of company data as anything other than a chore. It should be the goal of an IT department or an organization as a whole to be more self-directed in this area, as part of an overall strategy for business growth.

In terms of cybercrime's impact, financial loss is the No. 1 worry, followed by intellectual property theft and compromising one's brand or reputation. All this suggests that security continues to be driven by costs, but perhaps there's another way to look at this. Good security not only prevents financial loss, but allows companies to grow revenue through the ability to capitalize on new opportunities through technology -- in other words, mobility.

BUSINESS IMPACTS

                                 2007   2008   2009   2010
Financial losses                 6%     8%     14%    20%
Intellectual property theft      5%     6%     10%    15%
Brand/reputation compromised     5%     6%     10%    14%

Built-in Benefits of Mobile Security

Some senior executives are immediately worried about arming their employees with devices that allow, in effect, for sensitive business information to walk out the door. What they may not realize is that mobile devices have some advantages over their desktop predecessors -- advantages that may not last forever but can, for the moment at least, offer some justification for further mobile investments.

1. OS variety: Unlike PCs, which were dominated by Windows, mobile devices run on multiple platforms, limiting the ability for malware to infect all phones. Although some businesses may prefer to standardize on one platform to simplify support, consumers are bringing in a plethora of other devices, creating challenges in IT departments as well as this benefit.

2. Mobile architectures: These tend to be more closed than their PC counterparts, with limited access to documentation and debugging tools, making it more difficult (at least initially) to identify the vulnerabilities necessary for malware to propagate.

3. Apps stores: RIM's BlackBerry App World, iTunes App Store and those offering apps for Android devices present the most popular or, in some cases, the only avenue for deploying new software on mobile devices. This limits the ability of a worm to propagate by directly installing executable code on a mobile device. It also adds a layer of review that software is subject to before it can be deployed on a device.

Emerging Threat Vectors

Even experts can't agree on how big the security issues around mobile devices are. Mformation, which provides mobile device management technology, commissioned researchers Vanson Bourne to survey more than 300 IT managers across North America and the U.K., and found that 78 percent of respondents don't know what devices are connected to the corporate network. Seventy-six percent said that employee-owned mobile devices are creating security headaches, while only 56 percent said they would be able to secure a device that has been lost or stolen. Others worry that the range of devices will make patch management much more difficult, and that developers aren't doing enough to build security into their applications. So far, some of the biggest holes include the following:

  • Social networking: A study from Google showed that almost one quarter of users who fell for a recent scam on a social network did so from their mobile device.

  • Games: Monkey Jump and other games are being illegally copied and repackaged with code designed to steal personal info (source: Lookout Mobile Security).

  • Malware: Gemini, botnet-like malware built to lift and transmit personal data from a user's phone and ship it to a remote server, surfaced late in 2010.
There is perhaps no bigger threat, however, than employees. This has always been true in the desktop era, but mobility potentially increases the amount of danger individual staff can do to a company's data. The consumerization of IT, for example, means that staff are becoming responsible for purchasing their own devices and aren't always telling their IT company about what they're doing with them. Loss or theft of devices means greater access to business as well as personal data. Internal threats from rogue or ex-employees are heightened by the range of applications and functions available through mobile phones and weak security procedures.

Types of Threats

Once you've identified the biggest areas where security can be compromised, you need to know what those compromises will look like. They can be broken down into three main categories:

1. Traditional malware: Applications such as rogue dialers, which will send SMSes to premium-rate numbers owned by the fraudsters. Other threats include worms spread by communication protocols such as Bluetooth. Major security firms such as Symantec, McAfee and Trend Micro are all beginning to offer specific anti-virus software to assist mobile users.

2. Privacy, data collection issues: Mobile applications can also have other privacy-related risks such as collecting, transmitting or storing data. Advertising networks and mobile application developers are often highly interested in metrics around how and where people are using their applications. Data may include information identifying a specific device, with users unaware they are being tracked. Companies should not only work hard to understand what apps employees are using but be prepared to conduct a privacy impact assessment and offer training on the privacy vulnerabilities to employees.

3. Social engineering: Just like on desktops and laptops, fraud doesn't have to involve a technical trick.
Phishing -- the practice of using a fake website to trick users into revealing sensitive information -- is as much or more of a threat on mobile devices. People often trust their mobile device more than their computer and are therefore more vulnerable to phishing. Many firms will need to update their security policies and training programs to educate their users on these expanded risks and provide examples of what such phishing sites or e-mails might look like.

7 Steps to Better Mobile Security: An IT Administrator's Checklist

Armed with this background data, what can you do today to begin creating a culture of mobile security? As always, it all starts with training and education. Get your coworkers focused on these common sense (but often overlooked) areas.

1. Secure Your Device with a Password: All major smartphone platforms have built-in password options, and the majority of newer feature-phones, or non-smartphones, also offer some sort of password protection. Mandate that employees break out their phone's user guide or search for it by model number online and help them to assign a password.

2. Make Mobile-Phone Backup a Priority -- and a Habit: Whatever the application, it's wise to get in the habit of backing up smartphones every time an employee plugs it into their computer -- or more often if they rarely connect their handhelds and PCs. Many desktop sync programs let you set some sort of automatic backup option so your device backs itself up whenever connected to your PC, without any effort on your part. If a company already has a backup policy in place for desktops, it should be a relatively simple matter to extend this to the mobile space.

3. Add Owner Info to a Phone's Locked Home Screen: Including lost-phone-reward info helps ensure that whoever finds a phone will also have a way to get in touch with users to return it, should the person be so inclined, as well as an incentive, if the company or employee decides to offer up a reward. Depending on the kind of data that may be stored on a device, it could well be worth compensating someone to turn a device in. Once again, instruct employees to hit up their mobile phone's user guide or search online to see if their specific device has a built-in option to add owner information or a reward offer -- something like: "If found, please dial 555.555.5555 for a $50 reward."

4. Keep List of Emergency Contacts Away from Phone: Train your mobile workforce to make a quick list of important contact people or companies and tuck it away in a wallet or purse -- preferably somewhere away from their cell phones, so they're less likely to lose the emergency contact list along with their phone. Sample contacts to include: a significant other; nearby friends or family; the IT department's help desk or IT contact, if they are using a corporate-issued phone; AAA or other roadside assistance organization; their wireless carrier's customer information line, should they need to freeze their account; etc.

5. Prepare Phone-Location and Remote-Wipe Services: Depending on the specific mobile phone model, it may be possible to purchase and/or employ some sort of cell-phone tracking service to locate lost mobile phones (i.e., MobileMe, BlackBerry Protect). Some of these offerings also allow users to remotely wipe information from their device.

6. Reduce Sensitive Info, Apps Stored on Your Device No files named passw...

