OPINION / Mobile Communication: New weakest link to enterprise security

By Chris Herndon
 
As government organizations are becoming increasingly mobile and relying on on-the-go access to agency networks, they are finding themselves face-to-face with new, more sophisticated threats – via mobile devices. Although increased mobility – reflecting the rapid growth in smartphone usage over recent years – enables government to embrace telework and enhance productivity, it also often means secure networks are being accessed from unsecured locations, and potentially less secure or even compromised devices. As the government continues to shift its focus toward cyber-security, evident in the President’s recent budget proposal, it is critical for the government to think beyond the traditional implementation of security solutions and focus on changing the culture of the organization – starting with management. Below are three steps government IT managers can take to combat cyber-threats introduced to the network via mobile devices:
 
1. Locate the epicenter
 
Most smartphones were not designed with enterprise security needs in mind, and most carriers have not yet put in place security measures that protect users from these threats. Identifying these vulnerabilities and understanding the ease with which confidential information can be accessed from mobile devices are important first steps in protecting the network. Understanding the source and scope of mobile phone security often comes down to awareness of the vulnerabilities of the network and how devices can be compromised. Just as we saw an influx of new threats introduced by spam onto personal computers, we are now seeing this trend with mobile devices. Text messages, foreign service providers, even social networks are a significant entry point for malware, a trend that will only get worse as hackers become more sophisticated and attacks become more targeted.
 
In addition to understanding where the threats are coming from, it is also crucial to be cognizant of the risks involved with storing sensitive information on mobile devices. Many users don’t consider what information is being stored, or that it’s being stored at all. Small gestures, like turning off the Bluetooth function when the phone is not in use, can prevent attackers from implanting malware onto an open device. U.S. business and government travelers are more likely to fall victim to these exploits when these devices are used outside the U.S., so policy needs to mandate leaving personal or agency devices behind and either renting one abroad or using a “travel pool” of devices that can easily be re-imaged upon return, thereby reducing the threat to the enterprise.
 
2. Change the culture of the agency
 
Providing employees with the tools and resources needed to understand the importance of security and implement best practices is one of the strongest ways to solidify network security. The biggest challenge when educating the agency is that most of us don’t see the smartphone as a serious threat because we don’t have a reason to. There has not yet been a major attack – at least, not one that has been made public.
 
We have, however, witnessed the consequences when agency networks are exposed to threats from laptops and computers. Agencies at large need to begin evaluating the security of mobile devices with the same consideration as we do with individual computers. Just as infected computers accessing the network expose the entire network to their vulnerabilities, a mobile device carrying malware can provoke the same consequences. Before placing complete faith in mobile security solutions, it is important to implement the necessary policies and awareness programs needed to educate network users. Understand that voice calls are never confidential, and that information transmitted via text message and unencrypted email can be easily accessed by unsophisticated attackers using readily available tools.
 
3. Take action
 
Security solutions for mobile devices are emerging, but will take time to evolve to the level of protection needed to keep up with rapidly evolving threats. Recent developments in the UK – a device that sounds an alarm when a handset is taken out of range, or electronically matching a handset to a SIM card, protecting data using a password and encryption – are promising advances in the field of mobile security, but have not yet been widely considered for government networks.
 
In the meantime, agencies can take critical steps toward controlling devices entering the network and limiting the amount and type of information that can be stored on mobile phones. Most organizations today prohibit employees from connecting personal laptops or PDAs to agency networks. But the same employee can easily use a personal phone for official email, or the personal laptop to access the agency’s VPN from off-site locations. This practice is often overlooked and poses one of the most significant threats to the agency. Mobile security policies have to keep up with the changing threat vectors, making the appointment of an agency evangelist essential to spearhead the education and awareness of these threats. Providing the resources needed to promote awareness and an understanding of the issues can amplify security by eliminating the primary source of the exposure to the enterprise.
 
 
Chris Herndon is chief technologist at MorganFranklin. He can be reached at: chris.herndon@morganfranklin.com.
