Don t Lose the Data: Six Ways You May Be Losing Mobile Data and Don t Even Know It

Transcription

1 WHITE PAPER: DON T LOSE THE DATA: SIX WAYS YOU MAY BE LOSING MOBILE DATA Don t Lose the Data: Six Ways You May Be Losing Mobile Data and Don t Even Know It Who should read this paper CIO, CISO, VP IT Operations, Mobile Architect, Mobile Program Manager. This paper briefly reviews the top six threats to your mobile workforce, matching real-world hazards with really helpful ways you can take action and achieve the security your business requires.

2

3 Content Introduction Device loss and theft Data leakage Malware and malicious attacks Shared devices and passwords Jailbreaking and rooting Wi-Fi and wireless snooping

4 Introduction When your workplace is mobile, will your business get carried away? The mobile devices your employees love to use on their own time have now also become the business tools they use on your dime. Our recent research tells the story: 65 percent of our surveyed companies give employees network access through their own devices; 80 percent of the applications these employees use are not based on-premise, but in the cloud; and 52 percent regularly use, not one, but three or more devices. Sure, these mobile devices including smartphones, laptops and tablets open up new opportunities for portable productivity. But by their very mobile nature, they also open new vulnerabilities: new ways to lose data, lose protection and lose confidence in the security of your company network. Fortunately, productivity and protection can travel together if you fully understand what the risks are and what you can do to mitigate them. This paper briefly reviews the top six threats to your mobile workforce, matching real-world hazards with really helpful ways you can take action and achieve the security your business requires. 1. Device loss and theft The most obvious risk is often met with the most obvious response: anticipate replacing lost devices. But many working devices are owned by the employees themselves the "bring your own device" phenomenon. More importantly, it's what is on the device, not the device itself, that truly matters. Every lost device is a potential portal to your company's applications and data. Think we're overstating the issue? In 2012, we put our concerns to the test. In a project we called, "Operation Honey Stick," we "lost" ten smartphones in each of five major cities: Los Angeles, San Francisco, Washington D.C., New York City and Ottawa, Canada. Every phone was loaded with simulated corporate data and applications, and then abandoned in high-traffic areas. In the plus column for humanity, attempts were made to return half of the 50 phones. But from there, the numbers reveal a much bleaker picture of human nature. On 89 percent of the devices, attempts were made to access personal apps or data which suggests that even the erstwhile do-gooders were tempted to do some bad. A total of 83 percent showed attempts to access corporate-related apps or data. A "saved passwords" file was accessed on 57 percent of the phones; on 49 percent, finders took a poke at a "Remote Admin" app that simulated access to the corporate network. Lesson learned: instead of focusing on lost devices, companies need to protect sensitive data that could be potentially lost. Basic device management must be complemented with policies for app and data protection. At one level, this means having the ability to quickly locate lost devices and perform remote data wipes; for protection at a deeper level, businesses should secure apps and encrypt corporate data on the move. 2. Data leakage Much has been said about threats from "malevolent insiders" who deliberately seek out and share confidential business information. But the greater threat may be from benevolent, well-intended employees who use cloud-based services, such as and online collaboration tools, to simply get more work done more quickly. On the ever-evolving pathway toward greater ease of use (also known as: "consumerization"), employees feel comfortable working with applications designed for the convenience of consumers, not for the security concerns of corporations. 1

5 But once in the cloud, your business data may be beyond your control. The popular file-sharing and document editing programs employees like usually lack the access and authorization protocols businesses need for data protection. Without deliberate controls, data can "leak" out of the corporate IT sphere and into the less secure world of risks Appropriate app and data protection must take a two-pronged approach to security: 1) enforcement of an application blacklist that prohibits access to non-approved applications; and 2) deployment of controls that prevent business data from being copied, pasted and/or otherwise shared via online applications. Relevant app and data protection capabilities include: App-specific authentication Data encryption Copy/paste blocking Disabling document sharing Blocking access to modified (rooted or jail-broken) devices 3. Malware and malicious attacks In hard numbers, many more malware attacks threaten PCs than mobile devices. But the amounts of attacks on mobile devices are growing at a much faster rate. While traditional IT professionals are not paying much attention to mobile malware, the bad guys see mobile as their next big growth opportunity. At risk: identity theft, information exposure and data loss incurred by malicious attacks from trojan horses, monitors, and malware hitchhikers. Of these, the biggest threat may be "spoofed" apps; under the camouflage of a popular game or application, and the lure of a free download, these apps sneak malicious code into the device that can skim money from accounts or extract data from business networks. So-called "security" freeware lacks sufficient brawn and brains to address constantly mutating malware and ever evolving efforts to break business data barriers. Truly effective threat protection must account for the variations in risk profile among different platforms, and apply coordinated action to secure business assets against external attacks, rogue apps, unsafe browsing, and even poor battery use. 4. Shared devices and passwords According to recently published studies, near half of all employees share their devices with friends and family; another 20 percent share their passwords. Unfortunately, casual sharing of accounts represents the majority of workforce security breaches. Protecting mobile devices means much more than applying a screenlock. Before users can access business data and applications, it may be prudent to authenticate their identities. Consider applying a two-factor approach to authentication the key to successful user and app access management, and app and data protection that combines something the user knows (like a password) with something the user has (such as a token, a fingerprint or a retinal scan). 5. Jailbreaking and rooting In a BYOD world, it's easy for an employee to introduce a "jail-broken"/"rooted" device into the corporate environment. Such device modifications can circumvent security protocols, uninstall security features, and open access to previously protected file systems and data controls. 2

6 Businesses need to apply device management policies that apply consistent standards for configuration and security across all devices, whether they are owned by the company or the employees. Devices that have been modified should be identified and denied access to protect the corporate network. 6. Wi-Fi and wireless snooping If it's "free," it's probably fake; any hot spot that conspicuously calls itself "free" is likely to be fishing for data on the move. Users often do not recognize their vulnerability, and companies have no control or visibility into 3G, 4G and 4G LTE channels. Complete app, data, and device management policies should protect at two levels: Communication, such as corporate , through secure SSL or VPN connections Encryption of corporate data when it is in transit and at rest within mobile devices To learn more about enterprise mobility that offers complete protection without compromising the user experience, visit 3

7

8 About Symantec Symantec protects the world s information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our worldrenowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at or by connecting with Symantec at go.symantec.com/socialmedia. For specific country offices and contact numbers, please visit our website. Symantec World Headquarters 350 Ellis St. Mountain View, CA USA +1 (650) (800) Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 1/