White Paper Data Security The Top Threat Facing Enterprises Today
CONTENTS Introduction Vulnerabilities of Mobile Devices Alarming State of Mobile Insecurity Security Best Practices What if a Device is Lost or Stolen? Further Recommendations Mobile Device Management (MDM) Mobile Application Management (MAM) Dual Persona Approach Looking Forward About JourneyApps 01 02 03 03 04 04 04 05 05 05 06
Data Security: The Top Threat Facing Enterprises Today Mobile devices are ubiquitous and are enabling enterprises to be more productive and efficient than ever before. But they also pose a great threat to the data security of companies as devices have access to sensitive information such as business plans, intellectual property and personal information. The threat to data security is growing daily, and enterprises have reason to be concerned. A whopping 63% of enterprises surveyed, listed security as their biggest current concern. According to a recent IDG Enterprise survey, security is currently the top mobility challenge facing enterprises. A whopping 63% of enterprises surveyed, listed security as their biggest current concern. The top challenges with regard to ensuring and maintaining security of mobile data are: Data leak prevention (52%) Intrusion detection/prevention (48%) Managing access to data (48%) Preventing data loss due to lost mobile devices (47%) With so many threats to mobile security, it is understandable why a great deal of companies have been affected by data breaches. In a report commissioned by the security firm Lookout, almost three-quarters (74%) of the major firms surveyed said that they had suffered a mobile breach. Unsurprisingly, the ability to meet security requirements is now a critical factor when evaluating possible mobile vendors. The Lookout study was based on a survey of 100 IT leaders and IT security executives at companies from a range of industries with an average of 23,000 employees. An important point raised in the results, was that companies often don t discover security vulnerabilities until it is too late. One of the respondents, an IT leader of a mid-level professional services organization, tells of how they only discovered a breach more than a month after it had occurred. It initially appeared as if someone was leaking sensitive data, but eventually malware was discovered on a company-owned mobile device used by one of their executives. According to the IT leader mentioned above, they are still going through the due diligence process to determine the particulars around how the malware ended up on this device. However, it definitely opened our eyes to the dangers of allowing users to access data from their mobile devices. 01
Vulnerabilities of Mobile Devices According to the Lookout report, the most common issues encountered by companies in the past were: Mobile apps that contained security vulnerabilities Apps containing malware Unsecured Wi-Fi connections The installation of malware is a common cause of data breaches, and phones are now more likely to be hacked than ever before. If malware is opened, it exposes corporate data via the device. Malware can spread when employees download games, click on untrusted links or connect to free Wi-Fi. Recent examples of vulnerabilities include the ios malware XcodeGhost, which made its way into the ios App Store and steals data and personal information from devices. Another example is Stagefright 2.0, which allowed hackers to take over Android devices remotely. It is estimated that more than 1 billion Android devices were made vulnerable by this malware. Device loss and theft is another cause for concern. Employees who use mobile devices can work remotely and this can greatly increase productivity. Some enterprises issue employees with company devices, while others employ a Bring Your Own Device (BYOD) policy. BYOD policies save companies money and can increase employee satisfaction, as employees sometimes prefer to work on their own mobile devices rather than on company-issued devices. It also lowers the strain on IT departments as the responsibility for maintenance and upkeep lies with the employee. And the likelihood of employees working after hours also increases. Putting devices into the hands of employees increases the risk of loss and theft, which can lead to a breach in security. But putting devices into the hands of employees increases the risk of loss and theft, which can lead to a breach in security. Whether devices are company-owned or BYOD, they should be treated in the same way, from a security perspective, as desktop computers. 02
According to Forbes, enterprise IT departments still devote almost three quarters of their security resources to perimeter controls, and this is no longer the right balance. People, devices, and data are the new perimeter, according to Naresh Persaud, senior director of Oracle s security product marketing. Mobile devices are more vulnerable and enterprises should apply security measures at device level, application level, as well as data level. Alarming State of Mobile Insecurity Building security into mobile apps is not top of mind for companies, giving hackers the opportunity to easily reverse engineer apps, jailbreak mobile devices and tap into confidential data. What is very worrying, is the fact that nearly 40% of large companies, including many Fortune 500 companies, aren t taking the right precautions to secure the mobile apps that they build for customers. According to a study by IBM Security and the Ponemon Institute, organizations are poorly protecting their corporate and BYOD mobile devices against cyber-attacks and this opens the door for hackers to easily access user, corporate and customer data. With a growing security threat, it is surprising that so few companies conduct proper testing on apps that they build. The Ponemon Institute and IBM Security study looked at the security practices in over 400 large organizations and found that the average company tests less than half of the mobile apps that they build. Also, 33% of companies never test apps and 50% of organizations devote no budget towards mobile security. Companies spend more money after data is stolen than they are spending to secure data in the first place. Building security into mobile apps is not top of mind for companies, giving hackers the opportunity to easily reverse engineer apps, jailbreak mobile devices and tap into confidential data, said Caleb Barlow, Vice President of Mobile Management and Security at IBM. Among organizations surveyed, an average of $34 million was spent annually on mobile app development, but only 5.5% of this budget is being allocated to securing apps against cyber-attacks before making them available to users. 03
In 2014 alone, over 1 billion pieces of personally identifiable information were compromised as a result of cyber-attacks, according to IBM X-Force research. Given the growing data security threat and the alarming state of mobile insecurity, it is no surprise that companies will be stepping up their investments in mobile security infrastructure over the next year. Security Best Practices In 2014 alone, over 1 billion pieces of personally identifiable information were compromised as a result of cyber-attacks. There are many steps that enterprises can take to secure their data. When choosing a hosting solution, enterprises should choose a provider with world-class security measures and certifications for infrastructurelevel security. All cloud servers should have protections and access controls built in to ensure that no unauthorized access to data can occur. Data should be backed up at least daily, encrypted and stored off-site in a secure data centre. Enterprises should also think carefully about who will have access to data. Access and security policies for staff performing maintenance on infrastructure should conform with the highest industry security standards. Hosting solutions should make use of audit trails so that any data modifications are recorded and can be retraced. Furthermore, servers should be equipped with firewalls to restrict network access, and they should be penetration-tested. Operating system upgrades, patches and infrastructure software updates should be applied on a regular basis. Lastly, all communication between mobile devices and servers should occur over a Transport Layer Security (TLS) encrypted channel and data should be protected in various states: At rest in the cloud, on the device, as well as in transit. 04
What if a Device is Lost or Stolen? One of the weakest links in the security chain is still the user. Luckily there are various ways to secure data if a device is lost or stolen to ensure that unauthorised people don t get access to sensitive company information. Enterprises can configure operating system level security settings on mobile devices. This includes requiring a user to authenticate using a PIN code every time when the screen is unlocked, as well as wiping the device if a predefined number of incorrect PIN attempts are made. The entire file system can also be encrypted to make sure that unauthorized users don t get access. Further Recommendations Maintaining appropriate levels of data security will remain one of the biggest challenges for enterprises in the future. Enterprises can also use third party Mobile Application Management (MAM) or Mobile Device Management (MDM) services, or Dual Personas, to further increase security. MDM is used to ensure that employees do not breach corporate policies and can apply virtual geographic limits for devices. This includes monitoring capabilities that allow enterprises to track and report on information about mobile devices across the enterprise of both company owned and BYOD devices. It also allows enterprises to remotely wipe data or locate devices. MAM enables IT administrators to distribute, update and manage secure applications, as well as configure apps and provision users. MDM and MAM solutions should install malware protection on the device that scans for viruses and quarantines affected applications and files on devices. If companies do enforce a BYOD policy, they can use a Dual Persona Approach. This means on one device there can be a work persona for all work-related tools and communications, and a separate one for personal communication. Organizations can secure work-related content and comply with security policies, and also remotely wipe only work-related content. By doing this, the organization respects the employee s privacy and can even create separate phone numbers for work and personal use. 05
Looking Forward Mobile devices are rapidly becoming productivity tools and have access to large amounts of enterprise data, and it could be detrimental to a business if security is compromised. Various threats and vulnerabilities are appearing daily. Hackers often target mobile devices and employees sometimes lose devices or click on malicious links or download malicious software. Enterprises should combine security measures on app, device and data level. They should ensure that data is encrypted and that only authorised users have access. They should also have contingency plans in place for when devices get lost or stolen. Maintaining appropriate levels of data security will remain one of the biggest challenges for enterprises in the future. 06
About JourneyApps At JourneyApps we build mobile apps that are customised to suit your unique business processes. If you have a mobile workforce, we can help you find efficiencies and address specific business challenges. The JourneyApps mobility platform helps you build robust applications on Android, ios and Chrome. We have years of experience in building mobile apps and understand your needs. Our team of engineers will help you brainstorm around your processes and will provide a simple and easy-to-use solution. And we build fast, so we will assist you in proving success quickly and can iterate and deploy on-the-go. We have deployed solutions in sectors such as financial services, asset management, logistics, field service, healthcare, agriculture and market research. Each month thousands of people use JourneyApps solutions and tens of thousands of documents, such as job cards, delivery notes, and incident reports are processed. Enterprises can rest assured that their data is safe with JourneyApps. We adhere to the highest security standards built into the JourneyApps Platform, meaning all apps built on the JourneyApps Platform benefit from these world-class security measures by default. If you you are interested in the technical details of how JourneyApps protects your data, read our Technical Data Security White Paper. You can also talk to one of our mobility experts today about how we can help your mobile workforce become more efficient. Learn more about JourneyApps hello@ 07
Creating business solutions with mobile apps. Fast. United States 973 E. San Carlos Ave. San Carlos California 94070 Phone: +1 (650) 353-3292 South Africa Unit 109, Block C Bosman s Crossing Square Distillery Road Stellenbosch, 7599 Phone: +27 (0)21 880 8250 Australia Level 20, Tower 2 201 Sussex Street Sydney 2000 Phone: (+61) 1300 780 319