After recent reports that a Secret Service agent’s laptop was stolen from a vehicle, new questions arose about the security of mobile devices. In the case of the Secret Service laptop, those questions involved national security and the well-being of the First Family.
Although your company’s data probably doesn’t include details about how to protect a president, it is still critical to the operations and financial well-being of your business. The disappearance of that laptop should have you questioning the security of any mobile device with direct access to your organization’s sensitive data, corporate-owned and -operated devices as well as BYOD. Not sure what that security should look like? Security professionals share their tips for securing mobile devices and their favorite security solutions.
10 Steps Your Organization Should Take to Keep Mobile Device Data Secure
In the wake of new reports of serious breaches of mobile devices and data, security professionals share their tips for securing mobile devices and their favorite security solutions.
Have a strong MDM solution
Without a strong MDM solution on a trusted device that supports all aspects of your policy and standards, your organization is likely managing risk at a reactionary level with a best-efforts response, according to Kennet Westby, president and co-founder of Coalfire. A strong MDM and mobile identity management solution can help orchestrate these security controls across your environment and users. Westby recommends the VMware Workspace ONE/AirWatch suite of products as a leader in a unified solution for mobile security.
Password-protect devices
If you are using your device for BYOD (and even if you aren’t), you should ensure that your phone is password-protected. And if your device offers it, take advantage of its biometric authentication options, such as a fingerprint, recommends Mandeep Khera, mobile and IoT app security expert and CMO for Arxan.
Apps should be protected, too
Organizations need to ensure that their mobile applications are secured at the binary code level and that their cryptographic keys are secured as well, Khera states. “If the app is not protected, hackers can steal a phone, jailbreak into the app, steal credentials, and reverse engineer the app as well as insert malicious code or create a duplicate app, affecting all consumers of that app. One hack like this can severely damage an enterprise’s brand reputation and lead to major financial losses and loss in revenues.”
Shred messages
Galina Datskovsky, CEO of Vaporstream, suggests that mobile device users take advantage of ephemeral technology for their mobile messaging services. With ephemeral messaging, a message disappears a predetermined time after the recipient has received and read it. This gives users the ability to ‘shred’ a conversation and remove it from a device in its entirety and, Datskovsky added, “as a result, even when attackers do infiltrate a device, they will not be able to extract private messages — because they won’t be there.”
Remote wipe software
Verizon’s 2017 Data Breach Digest has a number of suggestions regarding better protection of mobile devices and data, but perhaps the most important suggestion is this: “Enable Remote Wipe – Most mobile devices support this functionality meaning that if your device is misplaced, you’ll be able to delete all data using this feature. To use this feature, the administrator setting on the device must be enabled, and it’s important to ensure that a backup has been performed prior to protect against loss of user data.” There are conflicting reports regarding the Secret Service’s ability to remotely wipe its laptop, but if it was able to, there would be fewer concerns about what the thieves could access.
Designate travel-only devices
Verizon’s Data Breach Digest also suggests that organizations take a new approach to how mobile devices are used. Designate devices as “travel only.” In this case, access to the devices would be limited and controlled, the devices could be wiped clean and/or rebuilt after each trip, and they would have known baselines from which to pull digital forensics.
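The “known baseline” a travel-only device is supposed to provide is, in practice, a signed or offline-stored manifest of what was on the device before the trip, which you diff against the device when it comes back. The following is an added example of that workflow, not code from the article or from Verizon’s Data Breach Digest; the directory layout, file names and tampering in `demo()` are constructed for illustration.

```python
"""Build a file-integrity baseline for a travel-only device and diff it after
a trip. Added example, not from the article or Verizon's Data Breach Digest;
the directory layout and sample files are constructed for illustration."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Snapshot every regular file under root: relative path -> digest and size.

    Symlinks are skipped so a planted link cannot make the scanner hash a file
    outside the tree or loop forever; record them separately if you need them.
    """
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            file_path = Path(dirpath) / name
            if file_path.is_symlink() or not file_path.is_file():
                continue
            rel = file_path.relative_to(root_path).as_posix()
            baseline[rel] = {
                "sha256": sha256_file(file_path),
                "size": file_path.stat().st_size,
            }
    return baseline


def compare_baseline(before: dict, after: dict) -> dict:
    """Classify paths as added, removed or modified between two snapshots."""
    before_paths, after_paths = set(before), set(after)
    return {
        "added": sorted(after_paths - before_paths),
        "removed": sorted(before_paths - after_paths),
        "modified": sorted(
            p for p in before_paths & after_paths
            if before[p]["sha256"] != after[p]["sha256"]
        ),
    }


def save_baseline(baseline: dict, dest: str) -> None:
    """Persist the pre-trip snapshot somewhere the device itself cannot alter it."""
    with open(dest, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(src: str) -> dict:
    with open(src, encoding="utf-8") as fh:
        return json.load(fh)


def demo() -> dict:
    """Constructed end-to-end run: stage a tiny tree, baseline it, tamper, diff."""
    root = Path(tempfile.mkdtemp(prefix="travel-"))
    (root / "etc").mkdir()
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "notes.txt").write_text("trip prep\n")
    before = build_baseline(str(root))
    # "After the trip": one file edited, one planted, one deleted (constructed).
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n203.0.113.5 updates.example\n")
    (root / "dropped.bin").write_bytes(b"\x00" * 16)
    (root / "notes.txt").unlink()
    return compare_baseline(before, build_baseline(str(root)))


if __name__ == "__main__":
    # Usage: baseline.py build <root> <out.json>  (before the trip)
    #        baseline.py diff  <root> <in.json>   (after the trip)
    import sys
    if len(sys.argv) == 4 and sys.argv[1] == "build":
        save_baseline(build_baseline(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "diff":
        print(json.dumps(compare_baseline(load_baseline(sys.argv[3]),
                                          build_baseline(sys.argv[2])), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

The baseline only has forensic value if it is stored off the device (or signed) before departure; a manifest the traveller can edit proves nothing. Hashing a whole system image is slow, so in practice you scope the walk to the paths that matter (system binaries, startup items, user profiles) and rebuild the device from a golden image anyway once the diff has been reviewed.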
Keep good records
Michael Ciaramitaro, senior vice president, Forensic Advisory Services at FRONTEO USA, suggests that IT departments keep detailed records of the devices themselves, including serial numbers, models, and any other identifier, to assist with recovery in case of theft or loss.
Reconsider data access criteria
“The industry spends a lot of time worrying about whether user credentials are valid but we risk losing sight of the actual machines and code handling our data. The number of applications and devices handling enterprise data will only increase inside an organization, particularly with the Internet of Things reaching into enterprises,” says Sean Ginevan, senior director of Strategy at MobileIron. “The user-centric authentication model doesn’t solve emerging security issues. For example, if your CEO authenticates into a bad app, your data is lost. If your VP of Marketing connects their new smart fridge to the enterprise and there’s a vulnerability, it exploits the corporate network.” Instead, organizations need to abandon the outdated blacklist model, decide what criteria a device and an application must meet before they are allowed to access data, and then enforce those criteria continuously.
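What “criteria for data access” looks like in code is a policy decision that takes the device posture and the calling application as inputs alongside the credential check, with an explicit allow-list in place of a blacklist. The following is an added example, not MobileIron’s product logic or anything from the article; the field names, the policy thresholds and the sample requests (a CEO with valid credentials inside an unvetted app, a smart fridge with no app at all) are assumptions constructed for illustration.

```python
"""Gate data access on device and application criteria, not only on whether
the user's credentials were valid. Added example, not MobileIron's product
logic; the criteria, field names and sample requests are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    user_authenticated: bool   # outcome of the credential check
    device_id: str
    device_managed: bool       # enrolled in MDM and reporting posture
    device_encrypted: bool
    os_version: tuple          # e.g. (10, 3, 1)
    app_id: str                # bundle/package id of the code asking for data
    app_signature_valid: bool  # code-signing check on that app


@dataclass(frozen=True)
class AccessPolicy:
    min_os_version: tuple
    allowed_apps: frozenset    # explicit allow-list; anything else is denied
    require_managed: bool = True
    require_encryption: bool = True


def evaluate(req: AccessRequest, policy: AccessPolicy) -> tuple:
    """Return (allowed, failures). Every criterion is evaluated so the audit
    record lists everything that was wrong, not just the first failure."""
    failures = []
    if not req.user_authenticated:
        failures.append(f"credentials for {req.user} rejected")
    if policy.require_managed and not req.device_managed:
        failures.append(f"device {req.device_id} is not enrolled in MDM")
    if policy.require_encryption and not req.device_encrypted:
        failures.append(f"device {req.device_id} storage is not encrypted")
    if req.os_version < policy.min_os_version:
        failures.append(
            f"device {req.device_id} OS {req.os_version} below minimum {policy.min_os_version}"
        )
    if req.app_id not in policy.allowed_apps:
        failures.append(f"app {req.app_id!r} is not on the allow-list")
    elif not req.app_signature_valid:
        # Allow-listed by name but the binary does not check out: treat as
        # a repackaged or tampered copy of the real app.
        failures.append(f"app {req.app_id} failed signature validation")
    return (not failures, failures)


# Hypothetical policy: two vetted business apps, patched OS, managed + encrypted.
POLICY = AccessPolicy(
    min_os_version=(10, 3),
    allowed_apps=frozenset({"com.example.mail", "com.example.crm"}),
)


def demo_decisions() -> dict:
    """Constructed scenarios from the quote above; user credentials are valid in all three."""
    ceo_in_bad_app = AccessRequest("ceo", True, "ipad-0142", True, True, (10, 3, 1),
                                   "com.freebie.pdfreader", True)
    fridge = AccessRequest("vp-marketing", True, "fridge-7a", False, False, (1, 0), "", False)
    good = AccessRequest("ceo", True, "ipad-0142", True, True, (10, 3, 1),
                         "com.example.mail", True)
    return {
        "ceo_in_bad_app": evaluate(ceo_in_bad_app, POLICY),
        "smart_fridge": evaluate(fridge, POLICY),
        "managed_device_allowed_app": evaluate(good, POLICY),
    }


if __name__ == "__main__":
    for name, (allowed, why) in demo_decisions().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {why}")
```

The point of the structure is that a valid password on its own never yields `ALLOW`: the CEO scenario fails solely on the app, the fridge fails on every device criterion at once, and only the managed, encrypted, patched device running an allow-listed and correctly signed app gets through. The posture fields would normally come from the MDM agent’s attestation rather than from the client’s own claims.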
Turn to containers for storage
Rethink data being stored on a device, says Jayson Gehri, director of Product Marketing with Quest. Only allow corporate data to be stored in containerized apps and not on native device apps. Containerized apps enable IT pros to separate and secure important, sensitive company information on an employee’s device, making the information inaccessible to thieves.
Deploy full-device encryption
Plenty of tools exist to securely encrypt data so that only someone with the correct password can access it, says Scott Holewinski, CEO at Gillware Digital Forensics. “Laptops can be encrypted using FileVault, BitLocker, PGP encryption, or other forms of full-disk encryption. This ensures that a thief cannot access the device without knowing the password for it,” he says.
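Deploying full-disk encryption is only half the job; the other half is verifying, before a device is allowed to hold corporate data, that the system volume really is encrypted. The following is an added example of such a compliance check, not code from the article or from Gillware; it assumes `fdesetup status` on macOS and `lsblk --json` (util-linux 2.27 or later) on Linux, leaves BitLocker on Windows to a separate check, and the two `lsblk` outputs embedded below are constructed samples.

```python
"""Verify that a laptop's system volume is under full-disk encryption.
Added example, not from the article; assumes `fdesetup status` on macOS and
`lsblk --json` on Linux, and the sample outputs below are constructed."""
import json
import platform
import subprocess


def filevault_enabled(fdesetup_output: str) -> bool:
    """`fdesetup status` reports 'FileVault is On.' or 'FileVault is Off.'
    on its first line; later lines (encryption progress, deferred enablement)
    do not change the answer."""
    text = fdesetup_output.strip()
    first_line = text.splitlines()[0] if text else ""
    return first_line.startswith("FileVault is On")


def mount_is_encrypted(lsblk_json: str, mountpoint: str = "/") -> bool:
    """True only if the block device mounted at `mountpoint` sits beneath a
    dm-crypt ('crypt') layer in lsblk's device tree. A missing mountpoint
    counts as unencrypted (fail closed)."""
    tree = json.loads(lsblk_json)

    def walk(nodes, under_crypt):
        for node in nodes:
            is_crypt = under_crypt or node.get("type") == "crypt"
            if node.get("mountpoint") == mountpoint:
                return is_crypt
            hit = walk(node.get("children", []), is_crypt)
            if hit is not None:
                return hit
        return None  # mountpoint not found in this subtree

    return walk(tree.get("blockdevices", []), False) is True


def local_device_encrypted() -> bool:
    """Run the platform tool on this machine (not exercised offline)."""
    system = platform.system()
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"], capture_output=True,
                             text=True, check=True).stdout
        return filevault_enabled(out)
    if system == "Linux":
        out = subprocess.run(["lsblk", "--json", "-o", "NAME,TYPE,MOUNTPOINT"],
                             capture_output=True, text=True, check=True).stdout
        return mount_is_encrypted(out, "/")
    raise NotImplementedError(f"no encryption check implemented for {system}")


# Constructed lsblk output: root on LVM on LUKS (encrypted), /boot/efi in the clear.
SAMPLE_LUKS = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"}]}]}]}]})

# Constructed lsblk output: root directly on a plain partition (not encrypted).
SAMPLE_PLAIN = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": "/"}]}]})


if __name__ == "__main__":
    print("sample LUKS layout encrypted:", mount_is_encrypted(SAMPLE_LUKS))
    print("sample plain layout encrypted:", mount_is_encrypted(SAMPLE_PLAIN))
    try:
        print("this machine encrypted:", local_device_encrypted())
    except (NotImplementedError, FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("local check skipped:", exc)
```

Note what the Linux check deliberately does not accept: a LUKS container that exists on the disk but is not in the chain under `/` (a data partition someone encrypted by hand) still leaves the root filesystem readable to a thief, so only the ancestry of the mountpoint in question counts. On macOS the same conservative reading applies: “FileVault is On” with encryption still in progress means the volume is not yet fully protected, and a stricter policy would parse that progress line as well.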