Digital Convergence has brought many benefits to business. The growing availability of WiFi in public spaces and other areas such as hotels and restaurants has made it increasingly easier for the road warrior to communicate with head office and customers. In addition, the ability to use smart devices as network devices made it even easier.
In the past ICT Departments had control of what attached to their networks, but the increasing incidence of BYOD and the use of smart devices has blown that out of the water. Many organisations are using BYOD as a vehicle to reducing the operating costs of the ICT infrastructure by in effect handing over the costs of supply to the user.
Organisations however, need to be aware that by adopting BYOD, they are reducing the control they have over their corporate networks.
As an example, many common apps downloaded from online stores, though to be well over 500 in number contain malicious code, most of which comes from Russia or China.
All this has brought about an increasing need for IT Security to block potential attack vectors coming in over remote connections from mobile devices.
Even if an organisation doesn’t take BYOD seriously, Mobile Device Management and Security need to, and an organisation must invest time in developing a security policy in regard to mobile devices.
Here are three suggestions for IT Security to consider when looking to protect corporate assets from mobile malware.
-
Usage Policy
Even with BYOD, businesses need to be able to manage the devices attached to their networks. This generally implemented in the form of an acceptable use policy (“AUP”). Employees are given guidance on what to do and not to do with their own devices when processing corporate and personal data.
Although employees are using their own devices, they are using corporate network resources and accessing corporate data. The business needs to ensure that their information is secure, even if the device is lost or stolen.
The AUP needs to spell out to users that their devices will be managed to protect corporate resources and data and if they do not comply, then their devices will be blocked.
A major support issue for ICT is for BYOD devices that can’t or won’t connect to the corporate WiFi network. Many hours of valuable support time can be spent trying to connect devices that are cheap clones of regular devices. A good UAP will recommend devices that will connect to WiFi without major efforts and define limitations to the support that ICT will provide.
-
Education
User awareness is a key factor is minimising malware risks in a BYOD environment. For example, while the major app stores try to ensure that apps are malware free, users can still download compromised apps from other sites that are not managed in the same way.
Some organisations set up their own App Store to ensure that all downloadable apps conform to corporate standards.
A good example is to make sure users understand the dangers of using Public WiFi services in places like malls, restaurants, hotels and airports.
Public WiFi services that do not a password are particularly dangerous and an ideal configuration for man-in-the-middle attacks. They probably don’t have encryption and are therefore very insecure, even to the extent that the user isn’t aware that their data is being compromised.
Organisations should always use a VPN that require the supply of credentials and provides encryption as the connection mode.
This is in addition to the malware appliances and software in place in the network to manage and monitor network traffic.
-
Device Management
Even if an organisation develops an AUP, IT Security needs to take steps to ensure that it is generally observed, and to prevent misuse.
Smart phones need to be encrypted, and be fitted with a remote wipe facility, if only to clear corporate data off the device when the employee leaves the company. Installation of an anti-malware app must be part of the update.
Configuration should take place automatically the first time the device is connected to the network. If the user refuses the update, then the device should be blocked until reconfiguration takes place.
A second key activity is to make sure that the Android OS is up to date. Current estimates are that only around 4% of Android devices have an up to date OS. Again, this can be achieved using remote management. While IoS malware is not so common, it does exist, and IoS devices should be treated equally with Android devices.
The increasing prevalence of BYOD and the increasing incidence of remote workers using public networking services to connect to the corporate network brings new challenges to IT Security. Currently, many organisations are ignorant of the dangers or complacent about them. That must change.