Creating A Data-Safe Employee Mobile Device Policy

Transcription

1 Creating A Data-Safe Employee Mobile Device Policy Building a Defensive Strategy To Protect Sensitive Data By Daniel B. Garrie, Esq. March 2014 Mobile digital devices are not exempt from the rapid increase of malware threats that affect desktop and laptop computers. In fact, more than 75 percent of IT security professionals believe that mobile devices present the greatest threat to endpoint security in So, how does an organization effectively deal with the variety of new mobile devices being used by their workers and the concurrent threats that are intrinsic to their use? Written for business and technical decision makers, this white paper explores the core security threats posed to IT and business systems and offers a sensible, straightforward path to proactively averting the dangers of cyberattacks before they arise.

2 Originally published online at Law 360 ( in March The opinions expressed are those of the author and do not necessarily reflect the views of the firm, its clients, or Law 360 (Portfolio Media Inc.), or any of its or their respective affiliates. This white paper is for general information purposes only and is not intended to be and should not be taken as legal advice. Forensic Scan and Virus Inspectors are trademarks owned by Forensic Scan, LLC. All other trademarks are owners by their respective companies. For more information about Forensic Scan cyber security solutions, specifically Virus Inspectors based on patent pending technology please visit Daniel B. Garrie and Forensic Scan, LLC.

3 Introduction It s wintertime, the holidays have come and gone, and your employees and contractors are walking around with brand-new Apple iphones and Google Androids in their pockets, and maybe an occasional Microsoft Windows 8 phone or Surface table as well. Maybe they ve added present-to-myself games or a New Year s resolution app to their old phones. Your workers are happy they can switch between reading work-related s and playing Solitaire in high resolution while they wait on the platform for their train or bus to arrive. This is a fairly common scenario in today s modern, tech-savvy workplace. Sounds pretty nice, right? Well, it is great for workers, but it s a nightmare scenario for information security professionals. Bring Your Own Device Increasingly, many workers prefer to bring their own mobile smartphone, digital tablet device or laptop personal computer to work and enjoy having the flexibility of round-the-clock access to their work. This phenomenon is known as BYOD, or Bring Your Own Device. It makes sense who wants to use a slow, antiquated laptop when they own a faster, lighter model? It s not just social media marketing managers who want continuous access, either. As employees look for more room to adjust hours and scheduling, BYOD enables them to easily bring work to home and home to work. This seems like a simple, generally positive change for both the organization and the worker. Companies often save money as workers opt-out of using company-issued computing devices in favor of their own newer, faster and often easier-to-use digital technology. This comes with an additional direct cost-benefit to companies: they pay for fewer mobile cellular data plans and less coverage as BYOD technology generally has user-paid plans. Workers have all About 68 percent of respondents in the 2013 Cost of Cybercrime Study reported that their mobile devices have been targeted by malware of some variety in 2013, but less than half of those respondents also say outright that they have no policy or ability to manage employee-owned mobile devices. their s, files and calendars in one place or stored in the cloud and accessed from multiple devices and can reach them at any time. The resulting increases in 1

4 productivity and lower costs are direct benefits that even the most seasoned C-level executive would love. So why do over 75 percent of IT security professionals believe that mobile devices will present the greatest threat to endpoint security in 2014? According to the Ponemon Institute in their 2013 Cost of Cybercrime Study, about 68 percent of respondents reported that their mobile devices have been targeted by malware of some variety in 2013, but less than half of those respondents also say outright that they have no policy or ability to manage employee-owned mobile devices. 1 In fact, the Ponemon Institute found that 2013 is the fourth consecutive year of increase in costs, time to resolve and frequency of cyberattacks to U.S. organizations. What exactly are security professionals so worried about? Let s look at a few examples of places where BYOD can lead to significant issues for any size organization, whether business, non-profit, education or government. Mobile Devices Deliver Malicious Malware Today, many workers who are very technology savvy (i.e., they have the newest devices and know how to use them, but are likely not very experienced in software) are not necessarily knowledgeable on the details of evaluating security on applications that they download from the cloud. More importantly, they might not know the difference between a secured and unsecured network. Downloaded applications are usually safe. According to Google s Android Security Chief, Adrian Ludwig, data has shown that due to the complex defenses in place on Android-powered devices, less than percent of app installations cause harm to users. But, and this is a big but, harmful apps are sometimes hard to spot, because they can pose as legitimate or more effective versions of a legitimate app and ultimately trick users into downloading them. Some apps, such as an Android malware-checker that fails to offer effective protection, aren t actively harmful to a user s device, but they give the user a false sense of security Cost of Cybercrime Study, Ponemon Institute, sponsored by HP Enterprise Security 2

5 Apple ios-based devices are also subject to these same risks. While there have historically been fewer hacking attacks aimed at Apple's operating system, it is not exempt. In the coming months and years it is likely that attempts to target Apple devices will ramp up in intensity and frequency as their ios devices are used by greater numbers of consumers and business users. It is also common for malware to be spread via downloads in text messages and other communications. Let s say that a worker gets a text message from a work colleague, friend or family member with a link to a funny video. The worker opens the link and follows it to a website, which asks them to tap on an image to open the video. They tap rapidly through a number of screens until the download starts. When it finishes, the video pops up on their screen, they text a funny thank you back to their friend back and move on. What they doesn t know is that in the process of downloading the video file, the smartphone also acquired an executable file that is able to operate on his phone without their knowing it is even there: malware. Cell phone viruses or worms (both are considered by the more inclusive term malware) spread primarily through exactly that type of Internet download, multimedia messaging ("MMS"), where the MMS recipient has to download a file to see the image, and Bluetooth transfers. That said, viruses that are spread phone-to-phone are currently fairly rare. In this scenario, that worker s phone now has a virus. This may or may not be a big deal. Sometimes users of infected phones don t even notice that their phone is carrying malware, unless they happen to notice dramatically shorter battery life or unusual glitches. If they don t have an anti-virus program on their phone, they might not notice until complications occur. Some malware is basically benign, designed more to prove that a phone can be infected than to cause malicious harm. What happens if the malware has a target? Well, the analogy that a smartphone is a computer in your pocket holds true here as well. If a virus can infect a computer, it can probably infect a smartphone. Infections can influence many aspects of systems operations including sending out spam using your contacts list to deleting files to causing system crashes or battery 3 Kaspersky Lab says it detected more than 143,000 new modifications of malicious programs targeting mobile devices in 2013, a year in which more than 3.9 million installation packages were used to distribute malware.

6 malfunctions. These problems can escalate out of control with large direct costs to the user including data usage overruns, long distance calls and even the potential to permanently lock a phone s firmware, rendering it unusable. Recently, the security firm Kaspersky Lab says it detected more than 143,000 new modifications of malicious programs targeting mobile devices in 2013, a year in which more than 3.9 million installation packages were used to distribute malware. Some real world examples of malware threats in 2013 include Svpeng, which spreads via text-message spam and tries to steal money from people s bank accounts; Perkele, which uses quick response codes to infect smartphones being used for mobile banking; and Wroba, which replaces banking apps on a device with counterfeit versions that steal users logins and passwords and then stop working. These are just some of the viruses that target banking, but it is not a stretch or uncommon for mobile malware to target specific companies or lawyers, business executives or The two most common government officials that have sensitive data. How, ways that malware is then, should one protect against these potentially spread into a workplace disastrous smartphone viruses? network are: (1) as a result Most companies purchase anti-malware or antivirus software for their computers. It seems logical synching with a computer, of cabled or wireless to extend that policy to their mobile devices as or (2) through file-sharing, well. Why not invest in protecting your worker s whether by peer-to-peer or devices? By extension, protecting worker devices over a network. provides insurance for the security of a company. Such protection kicks in where policy around BYOD is imperfectly followed, which is unfortunately the norm in 99 percent of workplaces today. As an attorney who has advised clients dealing with mobile spyware attacks that obtained valuable data, I am well aware of the pitfalls to companies that fail to take stock of the reality that BYOD is here to stay and do not develop policies, implement technologies or persistently manage the mobile devices interacting with their corporate systems whether inside or outside the corporate firewall. In my capacity as a partner at Law & Forensics we have been retained by many companies and organizations to investigate, secure, remediate and resolve malware 4

7 attacks some of which came from a user s infected mobile device. A company that buries its head in the sand is exacerbating the inevitable mobile malware attack. One Infected Mobile Device Can Infect the Entire Corporate Network One infected smartphone in an unsecured BYOD workplace can serve as a vector of malware to the entire corporate network. In other words, a virus can spread onto the network and infect other computers within the company's system, potentially stealing data, compromising systems and crippling the business until it is able to eradicate the issue. The two most common ways that malware is spread into a workplace network are: (1) as a result of cabled or wireless synching with a computer, or (2) through filesharing, whether by peer-to-peer or over a network. Here, again, the simplest solution seems to be a course of preventative medicine: mandatory anti-virus installation on every device that falls under the BYOD policy within the organization, workers, suppliers and vendors and a geographically distributed workplace. Managing Lost or Stolen Mobile Devices The third risk, lost or stolen mobile devices, seems very low-tech, but in some ways pose the greatest threats. When a smartphone is lost or stolen, unless the phone s owner has subscribed to a service that enables remote locking or wiping of the phone s memory, the phone contains vital and personal and work-related sensitive information including that person s bank account, details to their work computer logins, client s, sensitive trademarked data, legal files, and much more. Just think of the personal and work-related information you store on your own smartphone and consider the exponential risk of having multiple smartphones in your organization infected and you understand the complexity of device management. Modern smartphones are essentially miniature computers, and there is literally no end to the information that could be stored and stolen without appropriate safeguards. The conventional passcode key is a feeble barrier. Remotely controlled malware that looks at the marks on a screen is generally enough to replicate a swipe 5

8 pattern. This has historically been a particular risk on ios-based devices, whose passcode or other security measures are easily bypassed when users want quick access to cameras and other functions. Steps for Protection There are a number of steps that can and should be taken in order to protect a workplace from information theft resulting from inadequate protection of a worker s smartphone. First, companies should consider using encryption software in general on the mobile device, especially for sensitive or files. Ideally, any files that are work-related should be encrypted. Second, BYOD clauses should be written into each employment or contract agreement. You can use the following three points as guidelines when you develop your own policies.! Asset Tracking: Any device brought into the workplace must be registered, so that the company is able to: (1) ensure anti-virus software is appropriately installed and (2) keep track of devices that are potentially carrying proprietary and sensitive information.! Anonymous Reporting: If a device is lost or stolen, an employee must be able to report the loss without fear of punishment or repercussions. This enables the company to proactively deal with the potential problem as quickly as possible.! Right-to-wipe: In the event of a lost or stolen device, the company must have the right to wipe all data from the device remotely. Note, that you might want to include a mandatory back-up policy on company servers for organizational information so that in the case of loss or theft and the phone must be wiped remotely the company information is still intact. That said, it is the worker s responsibility to back-up his or her own personal data. These three policies combine to increase a company's awareness of potential security breaches in the form of smartphones, tablets and similar devices that are traveling in and out of its doors daily in the hands of employees, contractors or vendors. When devices are lost or stolen as some inevitably will be the company will proactively have a plan in place for responding effectively and rapidly. 6

9 Going Forward: Workplace BYOD Policies As we look forward into 2014, companies must develop BYOD policies that suit their individual needs around security and confidentiality. Our recommendation is that policies be written into employment agreements and include: (1) Mandatory registration of any digital device that enters the professional workspace, (2) Installation of approved anti-viral security software on every such device which should include the ability to remotely wipe a device s hard drive, (3) Anonymous or no-penalty reporting of loss of devices, and (4) the company s right to wipe said devices in such an event of loss or theft. Knowing that BYOD is on the rise and does carry benefits, we must also accept that it brings with it a number of attendant risks and worries for an organization and particularly the information security of that organization. The best solution seems to be that companies should work proactively to protect themselves and their workers by implementing the policies discussed herein. About The Author Daniel Garrie is a partner in Law & Forensics Seattle office, where he focuses on e- discovery and forensics and acts as special counsel to Zeichner, Ellman & Krause LLP specializing in e-discovery and cyber-security matters. Garrie is also a cofounder of Forensic Scan, LLC. 7