1 WHITE PAPER: DON T LOSE THE DATA: SIX WAYS YOU MAY BE LOSING MOBILE DATA Don t Lose the Data: Six Ways You May Be Losing Mobile Data and Don t Even Know It Who should read this paper CIO, CISO, VP IT Operations, Mobile Architect, Mobile Program Manager. This paper briefly reviews the top six threats to your mobile workforce, matching real-world hazards with really helpful ways you can take action and achieve the security your business requires.
3 Content Introduction Device loss and theft Data leakage Malware and malicious attacks Shared devices and passwords Jailbreaking and rooting Wi-Fi and wireless snooping
4 Introduction When your workplace is mobile, will your business get carried away? The mobile devices your employees love to use on their own time have now also become the business tools they use on your dime. Our recent research tells the story: 65 percent of our surveyed companies give employees network access through their own devices; 80 percent of the applications these employees use are not based on-premise, but in the cloud; and 52 percent regularly use, not one, but three or more devices. Sure, these mobile devices including smartphones, laptops and tablets open up new opportunities for portable productivity. But by their very mobile nature, they also open new vulnerabilities: new ways to lose data, lose protection and lose confidence in the security of your company network. Fortunately, productivity and protection can travel together if you fully understand what the risks are and what you can do to mitigate them. This paper briefly reviews the top six threats to your mobile workforce, matching real-world hazards with really helpful ways you can take action and achieve the security your business requires. 1. Device loss and theft The most obvious risk is often met with the most obvious response: anticipate replacing lost devices. But many working devices are owned by the employees themselves the "bring your own device" phenomenon. More importantly, it's what is on the device, not the device itself, that truly matters. Every lost device is a potential portal to your company's applications and data. Think we're overstating the issue? In 2012, we put our concerns to the test. In a project we called, "Operation Honey Stick," we "lost" ten smartphones in each of five major cities: Los Angeles, San Francisco, Washington D.C., New York City and Ottawa, Canada. Every phone was loaded with simulated corporate data and applications, and then abandoned in high-traffic areas. In the plus column for humanity, attempts were made to return half of the 50 phones. But from there, the numbers reveal a much bleaker picture of human nature. On 89 percent of the devices, attempts were made to access personal apps or data which suggests that even the erstwhile do-gooders were tempted to do some bad. A total of 83 percent showed attempts to access corporate-related apps or data. A "saved passwords" file was accessed on 57 percent of the phones; on 49 percent, finders took a poke at a "Remote Admin" app that simulated access to the corporate network. Lesson learned: instead of focusing on lost devices, companies need to protect sensitive data that could be potentially lost. Basic device management must be complemented with policies for app and data protection. At one level, this means having the ability to quickly locate lost devices and perform remote data wipes; for protection at a deeper level, businesses should secure apps and encrypt corporate data on the move. 2. Data leakage Much has been said about threats from "malevolent insiders" who deliberately seek out and share confidential business information. But the greater threat may be from benevolent, well-intended employees who use cloud-based services, such as and online collaboration tools, to simply get more work done more quickly. On the ever-evolving pathway toward greater ease of use (also known as: "consumerization"), employees feel comfortable working with applications designed for the convenience of consumers, not for the security concerns of corporations. 1
5 But once in the cloud, your business data may be beyond your control. The popular file-sharing and document editing programs employees like usually lack the access and authorization protocols businesses need for data protection. Without deliberate controls, data can "leak" out of the corporate IT sphere and into the less secure world of risks Appropriate app and data protection must take a two-pronged approach to security: 1) enforcement of an application blacklist that prohibits access to non-approved applications; and 2) deployment of controls that prevent business data from being copied, pasted and/or otherwise shared via online applications. Relevant app and data protection capabilities include: App-specific authentication Data encryption Copy/paste blocking Disabling document sharing Blocking access to modified (rooted or jail-broken) devices 3. Malware and malicious attacks In hard numbers, many more malware attacks threaten PCs than mobile devices. But the amounts of attacks on mobile devices are growing at a much faster rate. While traditional IT professionals are not paying much attention to mobile malware, the bad guys see mobile as their next big growth opportunity. At risk: identity theft, information exposure and data loss incurred by malicious attacks from trojan horses, monitors, and malware hitchhikers. Of these, the biggest threat may be "spoofed" apps; under the camouflage of a popular game or application, and the lure of a free download, these apps sneak malicious code into the device that can skim money from accounts or extract data from business networks. So-called "security" freeware lacks sufficient brawn and brains to address constantly mutating malware and ever evolving efforts to break business data barriers. Truly effective threat protection must account for the variations in risk profile among different platforms, and apply coordinated action to secure business assets against external attacks, rogue apps, unsafe browsing, and even poor battery use. 4. Shared devices and passwords According to recently published studies, near half of all employees share their devices with friends and family; another 20 percent share their passwords. Unfortunately, casual sharing of accounts represents the majority of workforce security breaches. Protecting mobile devices means much more than applying a screenlock. Before users can access business data and applications, it may be prudent to authenticate their identities. Consider applying a two-factor approach to authentication the key to successful user and app access management, and app and data protection that combines something the user knows (like a password) with something the user has (such as a token, a fingerprint or a retinal scan). 5. Jailbreaking and rooting In a BYOD world, it's easy for an employee to introduce a "jail-broken"/"rooted" device into the corporate environment. Such device modifications can circumvent security protocols, uninstall security features, and open access to previously protected file systems and data controls. 2
6 Businesses need to apply device management policies that apply consistent standards for configuration and security across all devices, whether they are owned by the company or the employees. Devices that have been modified should be identified and denied access to protect the corporate network. 6. Wi-Fi and wireless snooping If it's "free," it's probably fake; any hot spot that conspicuously calls itself "free" is likely to be fishing for data on the move. Users often do not recognize their vulnerability, and companies have no control or visibility into 3G, 4G and 4G LTE channels. Complete app, data, and device management policies should protect at two levels: Communication, such as corporate , through secure SSL or VPN connections Encryption of corporate data when it is in transit and at rest within mobile devices To learn more about enterprise mobility that offers complete protection without compromising the user experience, visit 3
8 About Symantec Symantec protects the world s information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our worldrenowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at or by connecting with Symantec at go.symantec.com/socialmedia. For specific country offices and contact numbers, please visit our website. Symantec World Headquarters 350 Ellis St. Mountain View, CA USA +1 (650) (800) Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 1/
SOLUTION BRIEF: 5 MUST-HAVES FOR AN ENTERPRISE MOBILITY......... MANAGEMENT.............. (EMM)...... SOLUTION........... 5 Must-Haves for an Enterprise Mobility Management (EMM) Solution Who should read
10 must-haves for secure enterprise mobility White Paper The 10 musthaves for secure enterprise mobility A security framework and evaluators checklist 2 Becoming a mobile enterprise means new opportunities
WHITE PAPER: TWO-FACTOR AUTHENTICATION: A TCO VIEWPOINT........................................ Two-Factor Authentication Who should read this paper This whitepaper is directed at IT, Security, and Compliance
Symantec Control Compliance Suite Overview Addressing IT Risk and Compliance Challenges Only 1 in 8 best performing organizations feel their Information Security teams can effectively influence business
Identity and access management as a driver for business growth February 2013 Identity and access management (IAM) systems are today used by the majority of European enterprises. Many of these are still
2014 DATA BREACH INVESTIGATIONS REPORT Executive Summary INSIDER MISUSE DOS ATTACKS MISCELLANEOUS ERRORS PHYSICAL THEFT AND LOSS CYBER-ESPIONAGE CRIMEWARE PAYMENT CARD SKIMMERS WEB APP ATTACKS 92 % THE
october 2012 Peer Research Report Insights on the Current State of BYOD Intel s IT Manager Survey Why You Should Read This Document Find out how IT managers across four countries are looking at Bring Your
10 Things Your Next Firewall Must Do Introduction Without question, your network is more complex than ever before. Your employees are accessing any application they want, using work or personal devices.
Introduction.... 1 Emerging Trends and Technologies... 3 The Changing Landscape... 4 The Impact of New Technologies... 8 Cloud... 9 Mobile... 10 Social Media... 13 Big Data... 16 Technology Challenges...
White paper The future of Service Desks - vision Service Desks require strategic consideration and innovation to raise user productivity and to support business goals. Fujitsu has the experience and feedback
BEST PRACTICES WHITE PAPER A path to improving the end-user experience By David Williams, Vice President of Strategy, Office of the CTO, BMC Software TABLE OF CONTENTS EXECUTIVE SUMMARY...............................................
Mobile Apps: What Consumers Really Need and Want A Global Study of Consumers Expectations and Experiences of Mobile Applications The Difference Between a Mobile App and a Mobile Website Before we evaluate
The Hidden Truth Behind Shadow IT Six trends impacting your security posture An Executive Brief Sponsored by McAfee www.frost.com Stratecast Frost & Sullivan THE HIDDEN TRUTH BEHIND SHADOW IT Six trends
A Websense White Paper ADVANCED PERSISTENT THREATS AND OTHER ADVANCED ATTACKS: THREAT ANALYSIS AND DEFENSE STRATEGIES FOR SMB, MID-SIZE, AND ENTERPRISE ORGANIZATIONS REV 2 ADVANCED PERSISTENT THREATS AND
Research Paper Finding the Right Balance Between Personalization and Privacy Contents The Consumer Digital Footprint... 1 The footprint components and why they re important to personalization...1 Digital
State of Privacy Report 2015 SYMANTEC / STATE OF PRIVACY REPORT 2015 01 Contents Introduction 02 01 The Depth of Security Concern 05 02 The Data Trust Gap 19 03 Where Does The Responsibility Lie? 27 04
TECHNICAL BRIEF:........................................ Running Highly Available, High Performance Databases in a SAN-Free Environment Who should read this paper Architects, application owners and database
CLOUD COMPUTING: IS YOUR COMPANY WEIGHING BOTH BENEFITS & RISKS? Toby Merrill CLOUD COMPUTING: IS YOUR COMPANY WEIGHING BOTH BENEFITS & RISKS? Toby Merrill Toby Merrill, Thomas Kang April 2014 Cloud computing
Card-Not-Present Fraud Working Committee White Paper: Near-Term Solutions to Address the Growing Threat of Card-Not-Present Fraud Version 1.0 Date: April 2015 About the EMV Migration Forum The EMV Migration
Is Connectivity A Human Right? For almost ten years, Facebook has been on a mission to make the world more open and connected. For us, that means the entire world not just the richest, most developed countries.
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...