In today’s environment of ever-evolving online security threats, corporate data security has become the number one issue plaguing the minds of many IT managers. From hacks and security breaches through to malicious employees and accidental loss, insufficient data security can bring with it some serious penalties for a modern business. Not only is customer data today protected by a stack of rules and regulations, each bringing stiff costs for failure, but sensitive corporate data leaks can spell ruin for a business.
Just as the tools used by would-be hackers evolve over time and the threat posed to businesses continues to grow, so does the landscape in which IT professionals work. One of the latest shifts in the workplace is the rise of mobile working. Being able to work remotely using laptops, phones and tablets is now expected by many employees, as is a degree of device freedom. And though mobile working brings many benefits, which we’ll cover later, it does also introduce a new set of vulnerabilities to corporate security.
The pace of change in the IT industry has left many businesses working overtime to catch up. Devices today are more varied, are used away from the business, and use more applications and networks than ever before, bringing many new challenges to face.
In this article, we’ll be taking a close look at mobile security and exploring the threats you face and the tools you can use in your defence.
To counter the many and varied threats brought about by mobile work, many businesses have adopted mobile device management (MDM) practices, allowing remote control of device security, control over the applications on devices, and other powerful tools such as access controls.
MDM solutions are a core element of mobile security, securing a business against many of the major risks that business devices face. Without proper security, threats from malicious applications, unsafe WiFi networks and phishing scams from web pages and email remain issues that most businesses just aren’t equipped to deal with - and this comes at a time when phishing and malware attacks are on the rise around the world. Because hackers and other malicious third parties know that businesses simply aren’t investing in mobile in the same way as they are traditional IT security, it’s often viewed as a weak link ripe for attack.
Securing your business against such attacks requires device security, network security and application security. Together, these three elements form the backbone of corporate mobile defences, and all three are needed to guarantee the security of your business, with each encompassing a range of weaknesses that need to be resolved.
Device Security - The physical and software security of your business devices. This covers choosing the right device, maintaining a secure environment, keeping devices updated and safe, and educating users on security best practice with their chosen phone or tablet.
Network Security - Many of the threats encountered by mobile devices stem from unsecured networks. From hacked home networks to unsafe coffee shop WiFi, transmitting business data without the proper network security in place is a recipe for disaster, exposing your business to any number of ‘man-in-the-middle’ attacks.
Application Security - Applications are where business is done - your emails, web browser, and mobile access to whatever cloud applications your business uses day to day. Malicious applications and malware are everywhere today, stealing corporate data, collecting user information and credentials, and even using mobile devices as a gateway into the rest of your company.
Taking command of these three areas is essential for any business looking to plug the gaps in their mobile security policy. Investment is needed by any company serious about combating malware, phishing, device weaknesses and other mobile threats, and throughout this guide we’ll be covering each topic individually to help you get started.
The use of work devices outside of the office, and the ability to use personal devices for simple work tasks like sending and checking emails is almost expected by many employees now. Most of us are now so used to being always connected that we find it limiting to have no access to work outside of the office - and this has given rise to a great increase in mobile working.
The ability to work away from the office and the implementation of ‘device freedom’ - choosing what device you use - has many benefits for a business. Research has shown that a “bring your own device” environment in which employees have freedom over the tools they work with boosts both productivity and staff morale. It can save businesses time and money too, relying on personal devices rather than buying devices and training staff to use them.
- For more on the pros and cons of a BYOD environment, check out this blog post on the topic
But introducing multiple different devices into your business, all running different software and used in different ways, is difficult for IT teams and traditional ways of working to keep up with. Inconsistent mobile security has led to a world in which 18% of Irish mobile devices are attacked each month, and 12% are victims of webpage-based malware attacks.
For any business holding private and sensitive information, attack rates this high are unsustainable - which is why proper device security is so important. Good device security stems from these tactics:
Device selection - Whether you allow device freedom or not is a big consideration for a business. On one hand, freedom has proven benefits for a business in staff happiness and productivity. On the other, having all of your staff use the same model of phone or computer, running the same software in the same environment, removes a lot of variables for your IT team to manage.
Device auditing - Just as with any other IT security, regular auditing is essential. Keeping on top of evolving threats, adjusting to staff usage patterns and addressing any issues that arise are key, as is keeping devices up-to-date and as secure as possible in line with the threats you face.
Staff training - An educated workforce is one of the best weapons against security threats. Teaching your employees how to spot and avoid phishing scams, malware and unsafe networks is a simple and efficient way of reducing your exposure to risk.
Access controls - As well as trusting staff to get it right, you should employ access controls to limit what staff can do, and when and where they can do it. Ranging from limits on the networks they can use right through to location limits and remote shutdown of compromised devices, the tools made available through MDM platforms are powerful.
Data protection - If all else fails, you need to be sure that your business’s data is secured whether it’s on a device or in transit. Again, MDM and rights management tools allow you to secure and encrypt data so that even intercepted emails or compromised devices don’t give up your business’s secrets to hackers.
Guaranteeing the ongoing security of your devices, especially in an environment with tens or hundreds of different devices, models and platforms, can be tough. But, following these steps and finding out more about device security through our other blog posts - like this one - is a great place to begin.
Though keeping devices and applications secure is obviously important, something often overlooked is keeping them safe while in use out in the wild. Network security covers maintaining mobile security on business networks and public WiFi alike, and mitigating the risks attached to unsecured networks.
If you allow your staff to work remotely, you’ll need to be prepared for their devices to use less secure networks than you’re used to in the office. Most problems related to this stem from unsecured public networks, such as in coffee shops, libraries and shopping centres.
The problem with public WiFi networks is that you simply don’t know who else is connected, or who might be listening in to the traffic heading to and from your device. So-called ‘man-in-the-middle’ attacks involve a third party intercepting data from other users on a public network - getting their hands on everything coming to or from the device. The cost of this can obviously be enormous for your business, from leaking sensitive plans or financial information to having customer details stolen, with all the penalties that carries.
While many of us already know not to trust public networks, all too often convenience and cost are the deciding factors when employees have work to do on the move. As more and more businesses expect their staff to be available via email while out of the office, or their workflows rely on 24/7 access to business data and cloud applications, this problem is only growing.
Staying Secure In Public
Short of insisting that your employees never use unsecured networks, or any network outside of your office, which is obviously a cumbersome approach, there are several ways to secure traffic on any network.
VPNs are the first port of call, providing a secure connection between a device and your business’s servers, applications and cloud storage. A properly configured VPN on a laptop, phone or other device can shield any data being transferred, preventing the ‘man in the middle’ from ever seeing or intercepting it. With one, staff can use any network to transmit business data without fear of interception, allowing them even more freedom in how they use their device on the go.
Businesses can also make use of access controls and data security on mobiles. Access controls, as outlined under device security above, can be used to limit what networks business devices can use, cutting out the risk of unsecured networks altogether.
Data security puts access controls on the files and data themselves, encrypting them against access from anyone without sufficient rights. Tools like Azure Rights Management from Microsoft can provide this, ensuring that even intercepted data cannot be accessed by unauthorised third parties.
We go into more detail on the risks of unsafe WiFi networks in this post here.
The third pillar of mobile security is focussed on applications. Today, most of us make use of cloud applications or cloud storage for our work, and we all use email and chat apps and a variety of web browsers. Each of these is vulnerable in its own way, from malware to hacking and DDoS attacks.
From malware disguised as applications through to phishing scams that steal app user credentials, applications are targeted in many different ways. Because of this, and the wide range of applications, platforms and devices in use by most businesses, the solutions to security problems need to be flexible and customisable.
In many cases, application security begins with threat detection, particularly for cloud-based applications and storage. When 24/7 uptime is important for your business, and staff need round-the-clock access to data, being able to proactively stop threats is much more valuable than simply responding to problems.
Threat detection software and professional services exist to provide real-time detection and protection against threats like DDoS attacks.
Read more about mobile threat detection right here.
The tools used for both device security and network security can be used to protect applications and data too. Access management, mentioned earlier, can be used to authenticate users before granting access to sensitive data; networks, locations and device types can be blacklisted; and compromised devices can be remotely shut down if a breach of cloud data is detected.
Likewise, VPNs are useful here too, protecting both user credentials and sensitive data being transferred to and from apps and cloud storage or servers.
To find out more about mobile application security, head to this post here where we cover the must-know details.
Of course, maintaining the security of your mobile devices is about more than just keeping your data out of the hands of hackers. Today, in countries around the world, various regulations exist governing data security that bring steep penalties to businesses that don’t keep up with IT security best practices.
The most well known of these regulations is GDPR, a ruleset from the EU that came into force in May 2018. The purpose of these rules is to make sure that businesses are responsible with the data that they hold, protecting things like identity, location and financial details from unauthorised access. The cost of breaching GDPR rules is high, ranging from fines of 20 million Euros up to 4% of a business's annual global turnover.
Similar rules, and the associated penalties, apply in countries and industries around the world, from healthcare-specific rules to rules governing financial data.
No matter which rules apply to your business, the cost of being non-compliant can be serious - financially and legally:
The financial cost of non-compliance stems from the fines levied against your business - and these alone can be high. Financial costs are also a result of the long-term reputational damage to your business. If word gets out that your business is leaking sensitive data, customers and businesses may be less inclined to do business with you, leading to reduced income over time.
Tied to the damage to your business’s reputation is the legal implication and cost of non-compliance. Many large data breaches or cases of non-compliance today are met with large class-action legal cases, often brought by rights groups or the people affected by the breach.
Depending on the size of your business and the scale of the compliance breach, the resulting financial cost of a lawsuit can be enormous, sometimes even bigger than the regulatory fines you’d already be facing. Of course, large and high-profile legal cases lead to further reputational damage - so it’s easy to see how one lapse in compliance can lead to ongoing financial and legal troubles that might plague your business for years to come.
How To Deal With Non-Compliance
We know the costs of non-compliance, but how are businesses supposed to prevent issues in today’s fast-moving landscape of threats?
The strategy here can be divided into two - spotting issues and handling them:
Just as we said with threat detection earlier in this article, it’s often better to identify and solve issues rather than wait for the damage to occur and later try to put things right. With that in mind, spotting compliance issues early is the key to remaining consistently compliant with whatever rules govern your business.
Primarily, this can be achieved by auditing your business and devices regularly. Whether you do this yourself or opt for third-party help is up to you, but routinely checking that your security is up-to-scratch and that you’re still following best practice is the best way to keep your mobile devices secure.
Solving Compliance Issues
Once you’ve got a system in place for identifying compliance issues, the next step is to put them right. In this case, again, some businesses opt to use the services of third-party experts. In many cases, third parties bring experience that your in-house team may lack, and can look at your business from a fresh perspective - helping them to spot problems you may have missed.
In the next section, we’ll take a look at solving and mitigating compliance risks. If you want to know more about the pros and cons of using third-party experts to help with auditing and solving compliance issues, take a look at this blog post here.
Mobile security is a complex topic, bringing together different areas of IT security and new solutions to counter ever-evolving threats. From training staff to protect against phishing scams, through to DDoS detection and VPNs to secure against hackers, there’s a lot for you to take on board if you’re going to secure each of the three D.N.A pillars of mobile security.
The solution to many of the issues we’ve raised in this article is the use of Mobile Device Management. MDM platforms are a collection of tools designed to boost the security of a business’s devices across the board. By giving total control over a business’s devices, and providing IT teams with the power to roll out flexible security policies easily, monitor security, and control system access, MDM is the best tool for ensuring compliance with the latest data protection rules.
The Microsoft MDM platform provides all the tools that a business needs to secure its mobile devices, corporate data, and entire IT infrastructure. We go into a lot of detail on the features of Microsoft’s MDM platform [in this article here]. In it, you’ll find all the details you need on topics like Azure Rights Management, system access controls and data encryption.
As we mentioned above, once you’ve settled on an MDM solution that fits you, you’ll need to decide whether to go it alone or rely on help from the experts. We go into detail on which you should choose [here], but in short, engaging professional help is a great way to round off the total protection you get from your chosen tools.
Third parties, just like us, can help you to manage and monitor your security, maintain compliance, and spot and solve any and all issues that occur.