Building a Comprehensive Mobile Security Strategy

Transcription

1 WHITE PAPER Building a Comprehensive Mobile Security Strategy A key to safeguarding data and apps is finding the right partner. protecting mobile environments has become more complex. Fortunately, solutions and services are available that can help organizations address the increasingly difficult task of securing their mobile environments. The key is to find an experienced and reliable partner that can help not only with security product selection but with the implementation and ongoing maintenance of the tools as well. The importance of putting a strong mobile security strategy in place cannot be overstated. With the large and growing number of smartphones and tablets in the workplace and the rise of bring-your-own-device (BYOD) programs at organizations, enterprises are facing a significant risk management challenge that must be addressed. As companies rely more heavily on mobile devices and apps for critical business functions, there is admittedly an increased sense of urgency to get mobile security right. Many are implementing security tools and policies that can help keep valuable corporate data safe from loss or theft. But there s plenty of room for improvement in mobile security efforts, according to a 2014 survey from IDG Research Services. Getting it right is no easy feat. Attacks against networks and applications have grown more sophisticated, and» Current State of Mobile Security Clearly, information security remains a high priority for many organizations. New data from research firm Gartner Inc. shows that worldwide IT security spending will reach $76.9 billion in The increasing adoption of mobile technology, cloud services, social media and big data/analytics will drive the use of new security technology. The need for better mobile security is particularly acute. In another recent report, Gartner notes that through 2015 more than 75 percent of mobile applications will fail basic security tests. That s while workers can easily download mobile applications to access corporate networks or support business functions. As a result, companies are exposed to attacks and violations of their corporate security policies. Those organizations that embrace mobile technology and launch BYOD programs are vulnerable to security breaches unless they deploy methods and technologies for mobile application security testing and risk assurance, reports Gartner. However, most companies lack experience in mobile application security, with testing often conducted casually by developers who are focused mainly on enhancing application functionality. By 2017, the Gartner report predicts, the focus of endpoint security breaches will transfer to devices such as smartphones and tablets. Already there are three attacks on mobile devices for every one attack on a desktop machine.

2 2 MOBILE SECURITY STRATEGY And through that year, the firm predicts, three-quarters of mobile security breaches will be the result of mobile application misuse such as the use of personal cloud services through apps on smartphones and tablets.» Building a Mobile Security Strategy Despite the potential threats, mobile strategies are expanding at organizations of all sizes in all types of industries, and mobile devices and apps are continuing to play an increasingly important role in corporate IT strategies although organizations still struggle with several persistent challenges. That s the primary finding of the 2014 survey by IDG Research Services. According to the IT and security professionals surveyed, improving employee and process productivity is the main driver of investments in mobile solutions for about a quarter of the respondents. Other reasons for adoption include bringing more business value to customers, reducing costs and boosting employee satisfaction. Biggest Concerns Regarding Mobile Security Data leakage Lost or stolen devices Unsecure network access Malware on devices Unsecure Wi-Fi 41% 53% 56% The High Museum of Art in Atlanta, for example, is relying increasingly on mobile technology for its operations, including accommodating the needs of customers who prefer mobile platforms for conducting interactions. We have been solely focused on providing better mobile services to our customers and have seen an increase of over 200 percent [in online ticket sales] from our customers through the mobile channel, compared to our offerings when we didn t provide a mobile-optimized experience, says Adam Fenton, Web manager at the museum. 71% 74% Companies today have numerous concerns when it comes to the security of mobile devices such as smartphones and tablets and the apps and data they house. Data leakage tops the list for about three-quarters of the survey respondents. This shouldn t be surprising, given that the information stored on devices such as customer contacts and interactions with clients and colleagues is often highly valuable to companies. Device loss or theft is close behind on the list of mobile security concerns for a strong majority of the respondents. We enable kill switches where possible and mostly ignore the other risks of device theft, says Leif Johnston, managing partner at Technology Catalyst, a technology consulting firm in Fredericksburg, Va. Although we require notification of device loss, we trust and hope that we can kill access. It s not a great answer, since some data persists, but we don t have a technical requirement to do more. These top two concerns are followed by unsecure network access, malware on devices and unsecure Wi-Fi. We re primarily concerned about breaches due to malware and spyware on employee-owned devices, says Fenton. We re seeing increased access to our network from non-work-supplied computers on which we don t have control over security settings. Interestingly, most survey respondents indicated that the protection of all aspects of mobile security was either critical or highly important, but the protection of data again seems to stand out. For example, 87 percent of the respondents said that data protection is a critical or high priority, compared with 71 percent who feel the same about network protection, 61 percent about devices/endpoints and 54 percent about applications. A huge majority of the respondents are from organizations that have created formal mobile security strategies. In fact, only 13 percent are unsure of what s included in the strategy or are from organizations that do not have a formal strategy in place. For those that do have a strategy, the most common components are policies that govern device usage, data access and permissions outlining which data can be accessed via mobile devices and Wi-Fi usage. Given the rise of BYOD, it should not be surprising that device and application usage policies are important to companies.

3 3 MOBILE SECURITY STRATEGY Mobile Security Solutions % Currently or Planning to Deploy User or system authentication 72% 18% 9% 1% 90% Data encryption 53% 24% 17% 6% 77% MDM (mobile device management) Antivirus protection Installed a full VPN on mobile devices Data loss prevention (DLP) Host intrusion prevention 50% 58% 40% 30% 40% 29% 19% 16% 24% 22% 4% 14% 25% 3% 32% 9% 33% 8% 35% 9% 74% 72% 59% 59% 56% Larger organizations (1,000 or more employees) are significantly more likely than others to have host intrusion protection in place (47% versus 19%) Currently in place Planning to deploy over the next 12 months No immediate plans to deploy Don t know Organizations have a variety of mobile security solutions in place or on their radar. User or system authentication is by far the most common, with 90 percent of companies using it or planning to deploy it. Again, with so many employees using their own devices to access corporate networks and data, it makes sense that authentication would be indispensable. Data encryption, mobile device management and antivirus protection are also prevalent, whereas virtual private networks, data loss prevention and host intrusion prevention are less commonly used. Companies see several business benefits to be gained by ensuring the security of mobile data and applications. The protection of customer, customer or patient data was most often cited by survey respondents (80 percent). Maintaining compliance and being prepared for compliancerelated audits proved to be a distant second. Other benefits cited include protection of intellectual property, protection of the company s reputation, preventing or detecting advanced threats, avoiding downtime or outages and avoiding litigation. For the High Museum of Art, among the biggest benefits of mobile security is the ability to comply with the Payment Card Industry Data Security Standard (PCI DSS) and therefore lessen the risk and potential penalties of not conforming, Fenton says.» Challenges to Overcome As the research data indicates, many organizations have made valiant efforts through a variety of technology implementations and the creation of usage policies to bolster security for their mobile environments. But the task of ensuring that these fast-growing mobile environments are truly secure can be complex and fraught with challenges. As a result, existing mobile security efforts have not been sufficient, in many cases, to safeguard data. We do not look below the application layer and might be at risk there, Johnston says. My biggest concern is whether the kill switch idea is implemented effectively and controlled well. I don t think we are there yet, although we have triggered one kill on a lost device that was found after being stolen. The survey data bears this out. For example, companies confidence in their current mobile security measures is fairly low across the board, most dramatically regarding the prevention of malware attacks. But that s hardly the only area where confidence is lacking. This is also the case with the prevention of data leaks to unauthorized third parties or applications, prevention of access to the Internet via unencrypted public wireless access points and data protection when mobile devices are lost or stolen. In terms of improving on those confidence levels, orga-

4 4 MOBILE SECURITY STRATEGY nizations say they face several challenges. At the top of the list is the cost of maintaining security (cited by 63 percent of the respondents). That shouldn t come as a surprise, considering how many organizations are up against tight technology budgets. As important as security is, security expenditures often get scrutinized when it comes to doling out funds. Most Challenging Aspects of Mobile Security Cost/budget Providing securty across multiple mobile platforms Finding the right technology Developing mobile security strategy Finding and sourcing the right IT security skill sets Gathering security requirements Other significant challenges loom: providing security across multiple mobile platforms (cited by 54 percent), finding the right technology (45 percent), developing a mobile security strategy (39 percent) and finding and sourcing the right IT security skill sets (37 percent). Interestingly, several of the challenges cited in the study are related to the need for mobile-security-related skill sets and knowledge. This indicates that many organizations could benefit strongly from outside help when it comes to addressing mobile security challenges. One challenge Fenton cites is the need to educate people about security technology capabilities. The tool sets and functionality offered by one solution may also work for other issues. But unless those capabilities are known by all involved, the opportunity might be missed, Fenton says. The consequence is purchasing a solution that isn t needed. So far we ve been lucky in this regard, primarily due to good communication and the fact that we have a small IT department. 24% 39% 37% 45% 54% 63% But this situation was just recently narrowly avoided at the art museum, because someone at a meeting raised an issue and someone else knew that the solution designated for a different issue was capable of solving this other issue as well, Fenton says. Organizations are a mixed bag when it comes to security for application development. For instance, one-third of the organizations surveyed consider data security from the start of the mobile application development process. But another one-third add security to applications via mobile device management tools or encryption after the fact. Perhaps most concerning: Despite the growing importance of strong security for mobile environments, a majority of the survey respondents (68 percent) said they were only moderately investing in mobile security solutions such as mobile device management, network access control and encryption. In fact, a mere 7 percent said they were making heavy investments in mobile security, and about a quarter of their organizations are making few to no investments in this area. These findings show that, in addition to lacking in-house security expertise, many organizations might not be putting sufficient financial resources into their mobile security efforts.» The Need for a Strong Security Partner Many organizations concede that they cannot go it alone in developing and implementing a mobile security strategy. That s especially true of companies that lack the internal resources needed. In light of the recent large data breaches in the retail industry and other factors related to the security of payment cards, it would be wise to hire a consultant to do a review of our systems, which would include methods for ongoing monitoring and protection against malware on POS [point-of-sale] devices, Fenton says. Lessons and experiences from this process could help drive change and strategy for how mobile technology is supported moving forward. The August 2014 report by Gartner notes that many organizations continue to lack the skills to define, implement and operate appropriate levels of data protection and privacy-specific security controls. This lack of skills leads enterprises to partner with firms that specialize in

5 5 MOBILE SECURITY STRATEGY data protection and security risk management to address regulatory compliance demands and enhance information security. Not having mobile security expertise in-house would drive 52 percent of the organizations represented by the IDG survey respondents to outsource mobile security. Another 43 percent see cost-effectiveness as a reason for outsourcing. Clearly, business partners experienced in mobile security can help organizations with product and service selections, implementations and ongoing maintenance. They have a deep knowledge of the existing technology and how it can best be applied to an organization s specific needs or weaknesses. When selecting a good partner for security, organizations should look for providers that offer a range of services such as risk assessment, creation of a security program and implementation of vendor solutions. Some companies provide security assessment teams that can work with organizations to identify and prioritize any gaps in their mobile security strategy. It s also important that a security partner embrace a holistic security approach when it comes to mobile environments. For example, when discussing a mobile security About CDW CDW is a leading security solution provider. The company is a trusted third party that can look critically at a company s systems, processes, procedures and policies to help identify weak points and solutions. CDW s approach to security extends to the mobile workforce, ensuring secure protection for your networks, applications, data and devices. Its vendor partnerships with industry-leading brands and its expertise in security technology, including data loss prevention (DLP), help organizations achieve stronger security. Tapping into the leading brands of DLP technology, CDW helps customers secure their core IT environment, identify vulnerabilities, prevent data loss and secure the mobile environment solution, the partner should review opportunities for mobile device management, authentication, encryption, endpoint security, virtual private network architecture and other areas. The security assessment team can help provide a gap analysis with vulnerability testing to ensure that all areas are covered.» Summary and Conclusion: Why Effective Mobile Security Is Vital The explosion in the number of mobile devices and applications continues, and there are no signs that the trend will slow down anytime soon. If anything, with the advent of the Internet of Things, in which many objects will be connected via networks, mobile devices will become even more prevalent. Many companies have addressed some of their mobile security needs, but providing comprehensive strategies that cover a variety of areas remains a struggle for a lot of organizations perhaps because they don t yet have the bandwidth or specific expertise in this evolving environment to do this on their own. Companies that are lacking internal expertise and are concerned about their level of risk should look for a partner with the experience as well as the vendor connections to develop a mobile security strategy that secures devices, the data they carry and the corporate networks they can access. Much is at stake, but with the right partner, companies can rest assured that they are doing everything they can to protect these growing and increasingly important components of their IT infrastructure. To learn more about security hardware, software and services, please visit