Mobile devices (phones, tablets etc.) are everywhere. Giving in to the wave of pressure, and recognising the productivity improvements that mobile devices make possible, companies have increasingly begun arming their staff with mobile devices or allowing them to use their own in performing their work. Undoubtedly companies have experienced a performance boost. No longer are customers told that a person didn't see the email because they weren't in the office, or that they'll get a response on Monday when the person returns to the office.
Mobile devices are a tremendous benefit to Caribbean companies but they carry a risk that many aren't recognising. This risk is compounded as employees often bring their own devices to work and use them for work purposes. Some employers view this bring your own device (BYOD) approach as cost savings to the organisation because they think that they don't have to incur the cost of purchasing and maintaining such devices.
The risk that some Caribbean companies aren't recognising is that mobile devices, if not properly configured, can open up unauthorised means of access to company information, leading to damaged reputation, corporate espionage, loss of revenue etc. Unauthorised access can also lead to the introduction of viruses and other malware onto a company's systems, which can shut down its IT systems and cripple its operations.
The risk is magnified because employees, seeking to reduce the usage of their data plans and save on personal cost, will frequently use open wireless networks that they discover, and often have their mobile devices configured to search for such networks and join them first. These networks are often unsecured, so anyone else on the network can read or tamper with unencrypted traffic, and they are thus frequented by attackers looking for victims.
There are several measures that companies should have in place when allowing the use of mobile devices. The first and simplest is that anybody who wants to use a mobile device to access the Internet and the company network should have installed, and regularly update, anti-malware software on their device. Second, mobile devices should be configured not to join unsecured wireless networks automatically. Third, Bluetooth should be hidden from discovery, and when not in active use for headsets and headphones it should be disabled altogether. These are just good first steps; companies should take other measures.
Increasingly individuals have realised that they cannot leave mobile devices open to be picked up and used by anyone. People have learnt that if their mobile device is stolen, anyone finding it can access their personal information, use the device and incur charges that the owner will have to pay. As such, most individuals have configured their mobiles to require a password.
Where a mobile device is used for work purposes, access control should go beyond just a password, to ensure that possession of the device doesn't automatically grant access to important information and systems. Most modern mobile devices include local security options such as built-in biometrics (fingerprint scanners, facial recognition and voiceprint recognition), and companies should require the use of one of these in addition to the password. Note that a device's biometric unlock protects the device itself; company applications and systems should still authenticate the user in their own right rather than trusting the device unlock alone.
Experts recommend that "all mobile device communications be encrypted...simply because wireless communications are so easy to intercept and snoop on... (They) recommend that any communications between a mobile device and a company or cloud-based system or service require use of a virtual private network (VPN) for access to be allowed. VPNs not only include strong encryption, they also provide opportunities for logging, management and strong authentication of users who wish to use a mobile device to access applications, services or remote desktops or systems."
The difficulty faced when companies opt for the BYOD route is that the user owns the device, not the organisation, which makes security trickier for IT to establish and maintain. Other experts have recommended that in those situations companies should "require such users to log into a remote virtual work environment. Then, the only information that goes to the mobile device is the screen output from work applications and systems." This means the data doesn't remain on the device once the connection to the company's network is terminated. Since access to a remote virtual work environment is normally carried over a VPN or another encrypted connection, communications are protected as well.
For companies that want to go further, mobile data leakage prevention (DLP) technologies provide data classification features to label messages and documents (metadata labelling), as well as features that analyse and filter content when a mobile device interacts with a corporate server. They can prevent information that has been classified as Sensitive, or certain types of emails, from being downloaded to a mobile device. Some DLP products apply these rules based on the user or group rather than the device ID, so the same document may be allowed to one person's phone and blocked from another's.
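To make the DLP behaviour described above concrete, here is an added example (not code from the original article or from any DLP product) of the decision a server-side gate might make before releasing a document to a mobile device. It assumes a three-level classification scheme (Public, Internal, Sensitive) carried as a metadata label, a content filter that raises the effective label to Sensitive when payment card numbers are found in the text, and a group-based rule that lets only an assumed "executives" group sync Sensitive material to a phone. All sample documents and group names are constructed for the example.

```python
"""Toy mobile DLP gate: metadata label + content inspection + group policy.

Added example; the classification scheme, group names and sample
documents are assumptions made for illustration, not from the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Classification levels, lowest to highest (assumed scheme).
LEVELS = ["Public", "Internal", "Sensitive"]

# Groups permitted to receive Sensitive material on a mobile device (assumed).
MOBILE_SENSITIVE_GROUPS = {"executives"}

# Candidate payment card numbers: 13 to 19 digits, optionally separated by
# spaces or hyphens. The regex is deliberately loose; the Luhn check below
# removes most false positives such as phone or reference numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass
class Document:
    name: str
    content: str
    metadata: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def effective_label(doc: Document) -> str:
    """Metadata label, raised to Sensitive when inspection finds card data.

    A missing label defaults to Internal; an unknown label fails closed
    to Sensitive so a mislabelled document is never released by accident.
    """
    label = doc.metadata.get("classification", "Internal")
    if label not in LEVELS:
        label = "Sensitive"
    if find_card_numbers(doc.content):
        label = "Sensitive"
    return label


def gate_mobile_download(doc: Document, user_groups: set[str]) -> Decision:
    """Decide whether this user may download the document to a mobile device."""
    label = effective_label(doc)
    if label != "Sensitive":
        return Decision(True, f"{doc.name}: {label}, allowed")
    if user_groups & MOBILE_SENSITIVE_GROUPS:
        return Decision(True, f"{doc.name}: Sensitive, allowed by group policy")
    return Decision(False, f"{doc.name}: Sensitive, blocked for mobile download")


if __name__ == "__main__":
    # Constructed sample documents and users.
    samples = [
        (Document("brochure.pdf", "Our services and opening hours.",
                  {"classification": "Public"}), {"sales"}),
        (Document("board-minutes.docx", "Minutes of the March meeting.",
                  {"classification": "Sensitive"}), {"sales"}),
        (Document("board-minutes.docx", "Minutes of the March meeting.",
                  {"classification": "Sensitive"}), {"executives"}),
        # Labelled Internal, but the body contains a card number (a test
        # card number, constructed for the example), so it is blocked.
        (Document("customer-notes.txt", "Card 4111 1111 1111 1111 on file.",
                  {"classification": "Internal"}), {"sales"}),
    ]
    for doc, groups in samples:
        print(gate_mobile_download(doc, groups).reason)
```

The point of the content check is that a metadata label is only as good as the person or tool that applied it; scanning the body as it crosses the server catches documents that were never labelled or were labelled too low.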
Along with technological measures, companies need to educate users on the dangers of data leakage, what's considered sensitive and confidential information, and about security of devices. Employees should be taught about the implications of data leakage not only to the organisation but also to their own job security. Most employees will help protect an organisation's assets once they understand what constitutes "confidential" information and the consequences of its leakage plus the risks that organisations face through unauthorised mobile access.
Brian Ramsey, MBA, Chairman, CISPS
The Caribbean Institute for Security and Public Safety is a registered institution with the Accreditation Council of Trinidad and Tobago (ACTT). Tel: 223-6999, 299-8636, info@caribbeansecurityinstitute.com or www.caribbeansecurityinstitute.com