Risky Business: The Mobile Device Security Disconnect
By Tyson Greer
CEO, Ambient Insight
On any given day, do you know how many mobile devices are on your network? Can you tell which are authorized and managed and who is using them at any given moment? Do employees in your company know the first thing they should do if they “misplace” their smartphone or PDA?
It’s no longer true that what happens on the network stays on the network. IT administrators are keenly aware of the potential risks lurking in lightweight devices. Many smartphones now sport 128 MB of onboard storage and 8 GB storage cards, plus Wi-Fi and 3G chips with high-speed data transfer rates capable of downloading 2–6 Mbps from a corporate network. That’s a lot of data in your pocket. As more and more out-of-office employees are accessing mission-critical applications on small devices, more and more sensitive corporate data is flying in "the cloud" and this is driving the need for organizations to take protective action.
Mobile devices are easy to love and easy to lose. Unattended mobile devices are also fine targets for theft by those who want the device or by those who want to steal the data. Device thieves want to make calls on your dime or to sell the device for quick cash. Data thieves want access to your data themselves or to sell it for a handsome profit. Data thieves may target specific individuals to obtain credit and banking information, personal information, military secrets, or corporate espionage. Obviously, these are the ones that have me worried.
Imagine the mobile device that any one of your C-level executives carries and what data he or she has or can get access to on that device. Think: competitive intelligence, customers and/or employees’ personally identifiable information (PII), business contact details, notes for strategic meetings, proprietary schedules, governance issues, and marketing campaigns—just to name a few. Now imagine what happens if he or she parts company with that device at an airport lounge, in a bar, or in a taxi.
You know that device is worth a whole lot more than the $500 or so purchase price. Think: priceless intellectual property, incalculable competitive advantage for whoever now has the data and the potential to access more, and, according to Gartner analyst Jack Heine, as cited in the article “What’s the Cost of Lost Phones and PDAs?”, at least $2,500 in compromised-data expense [1]. (And the thought of the “new owner” infecting your network with malware is another thing to keep you awake at night.)
The risk of data loss or exposure (read: “reputation loss or lawsuit”) extends far beyond the C-levels in your organization. In a 2006 survey by the Business Performance Management Forum (BPMF), nearly half the respondents reported that at least 25 percent of all mobile devices in their organizations carry mission-critical information and applications.
According to the BPMF report “Comply on the Fly” [2], 40 percent of enterprises do not yet have mobile device security policies in place. Sixty-five percent of the respondents said it was because senior management is focusing on other areas of compliance. Other areas of compliance? The irony is seldom lost on IT. Those companies that do not have measures in place to manage mobile data tracking, back-up, and retention cannot get in compliance with regulations that call for data protection. In my view, these companies are playing Russian roulette with legal risks. More than half of the states in the U.S. have laws on the books that require public disclosure of lost data.
IT department managers see the risks of not including mobile device usage in compliance planning and training. C-level executives see the productivity benefits of mobile device proliferation, not the risks. I see one of the disconnects that has impeded progress on securing mobile device endpoints in an enterprise network.
Another risky disconnection is the behavior of the organization’s mobile device users—especially those 25 percent with mission-critical data access [3]. Many users are unaware of the big risks inherent in the little devices. And of those that are aware, the need for speed can override caution. In 2007, InsightExpress conducted an online survey, commissioned by Cisco Systems and the National Cyber Security Alliance (NCSA), of 700 mobile workers in seven countries and found that 73 percent of mobile users were unaware of security risks and best practices. Of those who had received training on security and were aware of the risks, 58 percent in China, 55 percent in India, and 43 percent in the United States admitted a consistent lack of vigilance. That lack of vigilance can be expensive.
The Cost of Loss
The Wisconsin Technology Network estimates that more than 250,000 mobile phones and handheld devices will be left behind at U.S. airports alone this year and only 25-30 percent will be reunited with their owners. Authorities at the London Underground report that about 100,000 devices are found on their tube trains each year.
The research firm Gartner estimates that the cost of each unrecovered mobile phone or PDA is $2,500 because of proprietary data it contains. Gartner forecasts that companies with more than 5,000 employees could save $300,000 to $500,000 each year by tagging and tracking the devices. That should be enough to hire a few people, create a strategy, and implement a governance plan. It seems like a reasonable ROI, even if you don’t factor in the price of a company’s reputation or the value of its brand.
Technology Alone Is Not Enough
The 10th Immutable Law of Security, handed down from the Microsoft Security Response Center (MSRC), still rules today: “Technology is not a panacea.”
Yes, there have been significant improvements in security architectures, policies, and features. Windows Vista, Windows Mobile 6, the Messaging and Security Feature Pack (MSFP) for Microsoft Exchange Server 2003 SP1, and Microsoft Exchange Server 2007 have provided IT with more granular controls and better management tools than previously available. Also, more and more developers are practicing safe coding practices such as employing the principle of least privilege and avoiding issues such as buffer overruns, cross-site scripting, and other input trust issues that back in 2001-2004 comprised about 47 percent of all vulnerabilities listed in Common Vulnerabilities and Exposures (cve.mitre.org).
Of course, the sophistication of malicious hacking for fun or profit tends to keep pace. The current trend in scams is a dangerous mixture of harvesting readily available public information and social engineering that specifically targets C-level employees through e-mail. This increases the criticality of protecting data at every point. If you haven’t yet read Steve Riley’s Viewpoint article, Protect Your Data—Everything Else Is Plumbing (June 2007), I encourage you to do so.
Some organizations, or sectors within an organization, depend on IT to enforce security by instituting stringent centralized control of their fleet of mobile devices. Others, however, still rely on a mixture of technology-based protection and users’ common sense. But good technology cannot trump bad—or missing—security policies, practices, and procedures.
Mitigating Risk: A Seven-Stage Mobile Device Security Strategy
The simple question: “What do we need?” elicits the obvious answer: “That depends.” It depends on your industry’s compliance requirements, your organization’s data protection needs, your network capabilities, the devices that connect, and your users. The Meta Group estimates that only 10 percent of organizations have a formal and comprehensive mobile security policy. A survey of 2,035 IT professionals in the U.K. conducted by Orange PLC and Quocirca Ltd showed that one in five companies with wide deployments of mobile devices had no policies in place for mobile security. Of those that did have policies, more than 60 percent say their policy is not enforced.
A strategic security policy begins with risk assessment and includes inventory, monitoring, and management. In the analysis, you should:
Establish a sensitivity classification scheme. Classifications such as public, confidential, restricted, or controlled will be mapped to trust levels appropriate to the sensitivity of the data.
Follow the data flow. Create schematics showing data at rest and data in transit throughout the data lifecycle. An entity-relationship (ER) diagram can illustrate the interrelationships between data stores and the input-output flows of data across your databases. Chart your business processes to identify where mobile device users become endpoints in your network.
Maintain an inventory of devices. Asset management is a core aspect of security. Don't overlook the fact that employees may be using their personal devices to access corporate assets. Is this acceptable to your company?
Craft a matrix of controls. Determine what technology and practices need to be implemented to control different classes of information that mobile devices can access or store. Build a matrix for each trust level, including restricting certain information types from mobile devices. Whether you need disk-level encryption or more flexible file-based encryption depends on the sensitivity of the data that needs to be protected. The practice of allowing both corporate and personal data to mingle on a device adds another layer of complexity in designing protection.
Decide on device types. Evaluate the native security strengths and vulnerabilities of device types in relation to the individual’s job role. Some devices may need additional software protection, such as personal firewalls or two-factor authentication. Then there will be tradeoffs: if the user routinely performs back-ups and synchronizes with a computer with up-to-date antivirus protection, then antivirus software may not be required on the device.
Design training plans. For technical employees, a skills gap analysis should be followed by a personalized learning plan that is tied to annual performance measurements and ultimately to professional advancement. For nontechnical employees—meaning mobile device users—training should be required in security features and practices. Eighty percent of the businesses surveyed by Orange PLC and Quocirca Ltd also reported that their employees were their greatest threat to mobile security.
Rinse and repeat. A strategic security plan is a living plan not a dead document. It must adapt to new technologies, cultural shifts, and new vectors of threats. Security threats evolve, so security strategies must.
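The classification scheme, device inventory, and matrix of controls above can be turned into a single, checkable policy decision. The following is an added illustration, not code from the article or from Ambient Insight; the trust levels, the controls required at each level, the device records, and the rule that "controlled" data never goes on a mobile device are all assumptions constructed for the example.

```python
"""Added example (not from the article): a small control matrix that maps the
sensitivity classes named above to trust levels and decides whether a given
mobile device may access data of a given class. All thresholds and device
records below are constructed for illustration."""
from dataclasses import dataclass, field

# Sensitivity classes from the article, ordered by the trust level they require.
TRUST_LEVEL = {"public": 0, "confidential": 1, "restricted": 2, "controlled": 3}

# Assumed control matrix: the device-side controls a trust level demands.
# None means the class is restricted from mobile devices altogether.
REQUIRED_CONTROLS = {
    0: set(),
    1: {"pin_lock"},
    2: {"pin_lock", "encryption", "remote_wipe"},
    3: None,
}


@dataclass
class Device:
    device_id: str
    owner: str
    personal: bool                         # employee-owned rather than corporate
    controls: set = field(default_factory=set)   # controls verified on the device


def evaluate_access(device, classification, inventory, allow_personal=False):
    """Return (allowed, reason) for one device/classification pair.

    `inventory` is the set of device IDs known to asset management; a device
    that is not inventoried is denied before any other rule is considered,
    which is the article's point about tracking every endpoint."""
    if device.device_id not in inventory:
        return False, "device not in inventory"
    if device.personal and not allow_personal:
        return False, "personal devices not permitted"
    required = REQUIRED_CONTROLS[TRUST_LEVEL[classification]]
    if required is None:
        return False, f"{classification} data may not be stored on mobile devices"
    missing = required - device.controls
    if missing:
        return False, "missing controls: " + ", ".join(sorted(missing))
    return True, "ok"


def fleet_gaps(devices, inventory, classification):
    """List (device_id, reason) for every device that fails the given class,
    which is the report an administrator would want from the inventory step."""
    results = (evaluate_access(d, classification, inventory) for d in devices)
    return [(d.device_id, reason) for d, (ok, reason) in zip(devices, results) if not ok]
```

Run `fleet_gaps` against each trust level in turn to see which devices need added controls before they can hold that class of data.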
An important ingredient in the plan, of course, is a threat analysis that includes the attack path, the likelihood, and the consequences. Developing these scenarios from a business perspective is more likely to achieve buy-in and funding. The process of threat modeling is a structured, iterative approach to identify, evaluate, and mitigate risks and can be used effectively when building new applications or updating a system. Threat modeling begins with identifying the business objectives, origin, and use of data. “Threat trees” illustrate the flow and points of vulnerability.
Closing the Training Gap
Formal training on how to secure mobile devices and networks is readily available for IT professionals and developers. There’s "Microsoft E-Learning Course 5145: Managing Enterprise Security for Microsoft Windows Mobile Devices" and an instructor-led "Clinic 2807: Microsoft Security Guidance for Developers II," plus numerous other learning events. Vendors, such as Core Competence, also provide podcasts, webinars, and quizzes for technical professionals. What is harder to find is off-the-shelf training for end users.
Traffic laws have helped spur the growth of Bluetooth headsets and created a new breed of threats. As of October 2007, 28 states in the United States and 25 other countries had laws on the books that govern handheld cell phone use while driving. (So far, Washington State is the only state to explicitly outlaw texting while driving.) As use of Bluetooth headgear grows, so will the incidents of Blue-something attacks unless users become attuned to safe practices and get software updates when they become available.
How many of your end users know how to guard against being victims of BlueBug, BlueDump, BlueJack, BlueSmack, BlueSnarf, or BlueStab? My guess is they wouldn’t know a BlueStab, which employs badly formatted names to crash a device during Bluetooth discovery, from a BlueSmack, which retrieves contact and calendar data from a Bluetooth device. Yet, the growing proliferation of Bluetooth devices (such as headsets) and services (such as printing from a mobile device) introduce new vulnerabilities. In our company, our Bluetooth policy is simple as a kitchen stove: if you’re not actively using it, turn it off and keep it off.
The battle between user convenience and security was first waged on the desktop. Unfortunately, desktop users still circumvent the secure password requirement by writing that strong password on a sticky note on the side of their monitor or keep it handy in the top drawer of their desk. People seem to go through five stages—awareness, avoidance, anger, acceptance, adoption—before they are fully on-board with security practices. Well-designed training programs can shorten the cycle. I stress “well-designed” not meaning “eye-catching,” but meaning effective because we’ve all had the experience of seeing fantastic TV ads, but later couldn’t remember the product they were selling.
Results from the study commissioned by NCSA and Cisco Systems show that 39 percent of mobile workers in the United States said they never received security training from IT, and 14 percent don't remember whether they received training. I would speculate that this means that organizations treat security training as a one-time event: You take it. You pass it. You’re done.
Mobile device users need training that starts with risk awareness and the critical role individuals play in preventing unauthorized access to their network. Training needs to include the “why,” the “how,” and the “when”—such as how and why to set passwords; and how, why, and when to use security features on their device for encryption, authentication, or Microsoft Office Information Rights Management (IRM). And, of course, it needs to cover what to do when a device is lost or stolen. It may not be an easy call to make—to report that you lost your smartphone in the hotel bar—but you wouldn’t be the first.
Most of all, employees need help with an attitude adjustment—to think of mobile device security as part of their job. If you lost your wallet, you’d be less concerned with replacing the wallet, than what’s inside—the credit cards, the bank cards, the medical insurance card, and the identity cards such as smartcard and drivers license. These items and the access privileges they convey are at risk long after the initial loss or theft. Employees need to make the connection: Loss or theft of their mobile device means more than the inconvenience, lost work, or physical value of the device; it means the risk of exposing corporate sensitive data and intellectual property.
Security training is not complete until every attendee—and that means everyone who carries a mobile device—signs a security agreement. I do mean “sign.” A certificate of completion is a nice wall decoration and a checkmark in the Human Resources file, but signing the document has more meaning to an individual. Then, each year at a minimum, mobile device users need to "renew their vows."
The bottom line is: Until upper management gets behind security training, it will not move forward effectively.
Security Is Good Business
Malicious code and unauthorized access are constant threats. As devices continue to increase in capacity and continue to decline in price, they are more and more attractive to use but still easy to lose—or lose control of altogether. On October 15, 2007, the Microsoft.com home page promoted Windows Mobile devices with this very appealing tag line: “Do budgets. Do e-mail. Do lunch.”
The good news is—and you knew you were hoping to get some good news at some point—that all the players along the mobile device service/supply chain are getting into the protection business. One vendor offers a package of 44 ready-to-customize policies, four of which relate to mobile device use. Security vendors are expanding their offerings to include policy-based management; antivirus vendors are offering device-level protections; cellular companies provide new managed service packages and are making strides to prevent network access by stolen devices; VPN vendors offer “digital watermarking” to prevent unauthorized access; and OEMs are equipping handsets with integrated device management and promoting safe practices to end users. When I opened the box of a new HTC “Touch” Windows Mobile device, it pleased me to see that the second item on the Getting Started pamphlet was about basic security settings.
The bad news is: It will take time for each organization to sort out the options and match the right vendors’ services and hardware to the needs of their business processes and network infrastructure. But, tomorrow is another day. Security never sleeps.
Add this to your “to do” list: Do what you can to help your organization connect the dots and enjoy a secure, productive mobile computing environment.
[1] According to Gartner analyst Jack Heine, as cited in the article “What’s the Cost of Lost Phones and PDAs?”
[2] Report by the Business Process Management Forum, “Comply on the Fly: Keeping Pace with the Management Challenges of Mobile Data Management” (November 2006)
[3] Report by the Business Process Management Forum, “Comply on the Fly: Keeping Pace with the Management Challenges of Mobile Data Management” (November 2006)
Tyson Greer is CEO of Ambient Insight LLC, an integrity-based market research and analysis firm specializing in wireless productivity tools and mobile products and services.