Mobile is the new endpoint. But how can IT administrators guarantee mobile security? Many people claim that their workstations are locked down, but that's only half of the battle. From personal firewalls to antivirus to privilege management to data loss prevention -- the technologies are in place, and policies and processes exist to ensure that those endpoints are secure. The problem is that we still seem to be ignoring all of the mobile devices floating around the enterprise.
In any organization, an untold number of mobile endpoints is in use at any given time. These systems represent literally hundreds, if not thousands, of islands of information that likely fall outside of traditional endpoint controls. Asking yourself a few simple questions can help bring the issue to light and, therefore, increase mobile security:
- Are employees, contractors and consultants using their phones and tablets for business purposes? Even if you think they're not, odds are good that they are -- somehow, some way. Thus, mobile security should be established to protect any enterprise information from being accessed via those mobile endpoints.
- What mobile platforms are being used? It's easy to assume that only Apple or only BlackBerry devices are in use. What about Android-based systems? Symbian? What about others you've never even heard of but that can still access and store sensitive data that your business can't afford to have compromised?
- What applications are being used? What data is being accessed from and stored on mobile endpoints? Odds are good that people are using email, the virtual private network, intranet portals, customer relationship management systems, PDF files, spreadsheets and the like -- all from their mobile devices. Those devices sit on users' desks, in pants pockets and in purses, waiting to be exploited.
- What endpoint controls are installed across all mobile endpoints? This is where things get tricky -- and ugly. Some may have passwords. Some may use encryption. Some may be getting backed up. Still, you probably don't have nearly the security controls on your mobile devices that you do on your desktops.
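The four questions above amount to a gap analysis of a mobile device inventory against a baseline of endpoint controls. The script below is an added example, not code from the article or its author: it takes a constructed inventory (the record fields `platform`, `passcode`, `encrypted`, `backed_up` and `apps` are assumptions, not any real MDM export format), flags every device missing a required control, raises the severity where the device also reaches sensitive systems such as email, VPN or CRM, and reports which platforms are in use that were never approved.

```python
"""Gap check of a mobile device inventory against a baseline of endpoint controls.

Added example, not from the original article. SAMPLE_INVENTORY is constructed
sample data; the field names are assumptions about what an inventory export
might contain, not a real MDM schema.
"""
from collections import Counter

# Controls every mobile endpoint is expected to have, mirroring the article's
# list: a passcode, device encryption and a backup.
REQUIRED_CONTROLS = ("passcode", "encrypted", "backed_up")

# Applications that imply access to enterprise data (email, VPN, intranet, CRM).
SENSITIVE_APPS = {"email", "vpn", "intranet", "crm"}

# Platforms IT has formally approved; anything else is an unmanaged surprise.
APPROVED_PLATFORMS = {"iOS", "BlackBerry", "Android"}

# Constructed sample records (not real devices or people).
SAMPLE_INVENTORY = [
    {"id": "d1", "owner": "alice", "platform": "iOS", "passcode": True,
     "encrypted": True, "backed_up": True, "apps": ["email", "vpn"]},
    {"id": "d2", "owner": "bob", "platform": "Android", "passcode": True,
     "encrypted": False, "backed_up": True, "apps": ["crm"]},
    {"id": "d3", "owner": "carol", "platform": "BlackBerry", "passcode": False,
     "encrypted": False, "backed_up": False, "apps": []},
    {"id": "d4", "owner": "dave", "platform": "Symbian", "passcode": True,
     "encrypted": True, "backed_up": False, "apps": ["email"]},
    {"id": "d5", "owner": "erin", "platform": "iOS", "passcode": True,
     "encrypted": True, "backed_up": True, "apps": []},
]


def missing_controls(device):
    """Return the required controls this device record does not report as present."""
    return [c for c in REQUIRED_CONTROLS if not device.get(c)]


def handles_sensitive_data(device):
    """True if the device runs any application that reaches enterprise data."""
    return bool(SENSITIVE_APPS.intersection(device.get("apps", [])))


def assess(inventory):
    """One finding per device with at least one missing control.

    Severity is 'high' when the under-protected device also touches sensitive
    systems, otherwise 'medium'.
    """
    findings = []
    for device in inventory:
        gaps = missing_controls(device)
        if not gaps:
            continue
        severity = "high" if handles_sensitive_data(device) else "medium"
        findings.append({"id": device["id"], "platform": device["platform"],
                         "missing": gaps, "severity": severity})
    return findings


def unapproved_platforms(inventory, approved=APPROVED_PLATFORMS):
    """Platforms present in the inventory that IT never approved."""
    return sorted({d["platform"] for d in inventory} - set(approved))


def summarize(inventory):
    """Roll-up figures for management: how many devices, which platforms,
    what share is fully protected, and how many high-severity gaps exist."""
    findings = assess(inventory)
    protected = len(inventory) - len(findings)
    pct = round(100 * protected / len(inventory)) if inventory else 0
    return {
        "total": len(inventory),
        "platforms": dict(Counter(d["platform"] for d in inventory)),
        "fully_protected_pct": pct,
        "high_severity": sum(1 for f in findings if f["severity"] == "high"),
        "unapproved_platforms": unapproved_platforms(inventory),
    }


if __name__ == "__main__":
    for finding in assess(SAMPLE_INVENTORY):
        print(finding)
    print(summarize(SAMPLE_INVENTORY))
```

Run against a real export, the "fully protected" percentage is the number to put in front of management; the per-device findings are the work list for whoever administers the devices.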
I'd venture to guess that practically any given business has at least a handful of mobile endpoints with a severe lack of security controls that you wouldn't fathom being absent from any given laptop or desktop computer. The data breach headlines and studies confirm this.
For example, the 2011 Ponemon and ID Experts' Second Annual Benchmark Study on Patient Privacy & Data Security found that 81% of health care organizations use mobile devices to collect, store and/or transmit some form of protected health information, while only 51% are actually doing anything to protect these devices. I suspect that of the devices being "protected," many of them can still be exploited because of weak passwords, lack of encryption, mishandled backups and so on.
So, why aren't mobile endpoints getting the protection they deserve? Is it because they're so small -- out of sight and out of mind? Maybe it's because they're so pervasive? Perhaps it's because they're personally owned, and management wouldn't dare tell people what they can and can't do with their own devices?
Corporate IT can't afford to ignore the complexity of endpoints and the importance of mobile security. We shouldn't let our guard down with a "good enough" approach -- good enough hardly ever is -- nor can we afford to let management and users continue to dictate how mobile devices will be secured. This is why you must ensure that mobile endpoints get the same level of protection as traditional workstations, or better.
Mobile devices have redefined IT's responsibilities, not only in how we manage our enterprise desktops but also as they relate to overall compliance and information risk management. The question is: What do you plan to do about your mobile security?
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, author and professional speaker at Atlanta-based Principle Logic LLC. With over 23 years of experience in the industry, he specializes in performing independent security assessments revolving around minimizing information risks. Beaver has authored/co-authored 10 books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. You can reach him through his website www.principlelogic.com or follow him on Twitter at @kevinbeaver.
This was first published in January 2012