Move securely with mobile
Connecting to the benefits, connecting to the solutions
Emerging technologies such as cloud, mobile and social can provide powerful new opportunities for organizations to operate with greater agility, focus on their core capabilities and extend their reach. But these technologies can also provide new points of entry for hackers attempting to exploit information for monetary or political gain.
Phoning it in
The mobile changes on the way represent a transformation in how organization leaders must think about security. But many organizations have failed to develop policies and plans for the use of mobile technologies in and for their operations. Instead, they are letting technology trends and individual preferences influence their direction.
For many organizations, lost amid the potential of mobile is the realization that they need a solid and comprehensive security plan for their mobile activities.
Opportunity
Fighting mobile is futile. Employees will find ways to use mobile tools to engage in work-related activities. They will log in to e-mail and work networks from their smartphones and from public computers. They will connect to unsecured wireless networks. They will use mobile apps that can help them manage their work and work-related information. Nearly one-quarter of employed Canadians use a personal device to do their jobs despite working for companies that don't allow the practice, according to a Cisco/IDC Canada security study that surveyed Canadian businesses in August and September 2014.[1] And an additional 11 percent of Canadians use a personal device for work without knowing whether their employer allows it.[2]
Users can be very smart when it comes to bypassing an organization's controls, and missteps along the way can leave the devices they use vulnerable to abuse. In turn, your information and your systems also become vulnerable. The potential to lose sensitive or private data—or to give unauthorized outsiders access to your information—increases as the mobile footprint of your organization grows.
Organizations can no longer ignore the problem of mobile security. To adequately address security in the mobile realm, they must think of mobile as an enabler and address the risks associated with it. A proactive approach to determining what's allowed and what isn't will help your organization shape how employees use mobile tools, guiding them toward more secure activities, devices, applications and tools.
[1] New Cisco Security Study Shows Canadian Businesses Not Prepared For Security Threats. Date accessed: March 16, 2015. http://newsroom.cisco.com/release/1559272/New-Cisco-Security-Study-Shows-Canadian-Businesses-Not-_2
[2] Ibid.
Key questions
As organizations seek to impose greater order on the mobile activities that affect their operations, challenging but important questions come into play. Thinking through the questions and determining the right procedures and technologies to address them can help organizations shape plans to become more secure, more vigilant, and more resilient in the face of cyber threats.
Know the problems you are seeking to solve. Problems on the mobile front can take many forms. For example, are you trying to address workers' concerns as you push them to use corporate apps on devices besides their company-issued phones? Or are you attempting to understand threats to your organization while taking a "bring your own device" (BYOD) approach that lets workers decide which of their own mobile tools they use to do their jobs? Knowing and defining the problem provides you with a starting point to a resolution.
Have a plan for securing the development of mobile apps. Creating corporate apps to help workers perform their jobs is a smart step, but the process for developing, testing, and deploying those apps should ensure that you're not introducing new vulnerabilities.
Determine which personal mobile devices workers can use to do their jobs, and which corporate devices they can use to access specific information resources. Not all devices are created equal. For certain operations, some devices—whether employees' or corporate-owned devices—simply might not be a good fit for your mobile security plan.
Decide what kind of apps workers can use. Installing certain apps on specific devices could present vulnerabilities when it comes to privacy or data leakage. Some apps simply might not fit well with your organization's security plan.
Understand the ramifications when a "stranger" (whether a thief or an employee's family acquaintance) takes, loses, or compromises a mobile device. And decide how you will react. With some tools, remote wiping of data can address the loss or theft of a device. But are you prepared to remotely wipe a device with an employee's personal photos on it? Do employees know when remote wiping can occur? Thinking through questions like these will help your organization respond prudently on the security front, while also allowing you to better manage worker expectations.
Decide on the access or app downloading restrictions you will impose as part of a plan to prevent malware. Unbridled mobile access to apps and corporate information poses obvious security risks, so your organization should have a clear plan that covers what's specifically restricted and how you will enforce those restrictions.
Know how you will interact with contractors, partners, and friends on the mobile front. Suppliers and vendors are using mobile too as they do business with your organization. Understand how they are accessing your information and systems. And consider how guests visiting your offices may access your systems. What devices can they bring? What resources can they access? Planning for a multitude of scenarios that involve partners and mobile tools can help you get ahead of mobile security problems before they arise.
Comprehensively address security challenges that may arise as you support more than one mobile platform for your workforce. Many organizations address security issues for iOS, Android, and BlackBerry on an ad hoc basis as new offerings crop up in the hands of their workers. A more focused and comprehensive approach to security can help address platform-associated challenges ahead of time.
Tackling technical challenges
Addressing security in the mobile realm involves more than developing policies. Significant technical decisions await those who seek to improve how their organizations use mobile tools. Here are a few considerations to throw into the mix as you decide how to proceed with mobile security.
Consider deploying a central mobile device management (MDM) solution. A variety of MDM solutions have hit the market to help address organizations' security needs. And they're all different. Some focus on inventory management. Others show strength in functions such as remote wiping of devices. Know what you need and know what the solutions can do.
Avoid supporting jail-broken phones. Although many individuals view jail-broken devices as more nimble and powerful, these devices can expose users and your organization to new security threats, such as malicious apps. A jail-broken product isn't worth the worries or the challenges for your organization.
Understand the challenges you will face with a heterogeneous mobile environment. The more types of devices and the more platforms you support, the more challenging your security picture becomes. A heterogeneous environment can lend itself to inconsistencies in security and policy.
Putting plans in motion
Mobile is moving rapidly into organizations, and organizations must move rapidly—but thoughtfully—to address security concerns. And even though major policy and technical questions await those in search of solutions, answering those questions can position you well for the future. Businesses want to run faster and mobile is part of "faster." Waiting to address mobile security means you'll have to play catch-up later on.
Ultimately, an organization needs a consistent, pragmatic policy for mobile device management. A "keep it simple" approach can work best. But getting to simplicity takes work. Deloitte can help your organization be secure, vigilant and resilient. We have solid experience and a forward-looking approach when it comes to mobile security, and we can assist with organizational needs from strategy and policy development to solution selection and implementation.