If your day has gotten off to a bad start, this probably isn’t going to help. But just so you know, all that money you invested in mobile device management products, antivirus software, data encryption, and virtual private networks isn’t going to buy you mobile data security.
That was my takeaway from a recent email interview with Tony Busseri, CEO of Route1 Inc., a Toronto-based provider of secure access technologies for the mobile workspace. Busseri pulled no punches in identifying what he sees as flaws in technologies that are widely used to secure mobile data. The crux of the problem, he said, is that the vulnerability of mobile data is increasing exponentially:
“Cyber criminals continuously strive to find new ways to hide their malicious code inside mobile apps and websites to lure potential users, sometimes repackaging code within legitimate apps or simply creating new apps that pretend to contain some useful functionality, while carefully masking their malevolent purpose. A compromised device will expose the decrypted data to the attacker.”
Exacerbating the problem, Busseri said, is that despite the best efforts of organizations to impose stringent data security policies, employees often disregard or forget to implement those standards:
“Many organizations believe that a breach will not happen to them, yet continue to increase their security risk by allowing mobile users to open unprotected inbound ports to the network. In today’s BYOD environment, most companies are more than likely at the brink of a data breach that will create significant financial loss and a damaged reputation for the enterprise. A more mobile work force is the new reality, as remote access technology increases productivity and enhances business continuity. Despite its advantages, mobility presents a significant cyber risk to organizations across all sectors. Employees often fail to implement even the most basic security protections on their mobile devices, and use unsecure applications that can directly impact the enterprise network via the remote connection.”
Adding to the complexity of the issue, Busseri said, is that traditional mobile device management (MDM) and antivirus software products are no longer sufficient to ensure mobile data security:
“Employees will resist efforts to install applications on their personal devices that monitor their activity, often preventing MDM from being utilized correctly. MDM can provide some level of device protection, but when an employee leaves their company and takes their personal device with them, any corporate data residing on that device is wholly unprotected. Antivirus software is not an effective solution, as its methods are reactive instead of proactive in protecting endpoints. The software’s alarms are not set off until viruses or malware have entered the network, at which point engineers are required to find the breach, contain it, and remedy it. Given the pace of malicious data attack adaptation, antivirus developers cannot keep current with the malevolent technical innovation and the sheer number of malicious programs.”
At least data encryption and VPNs are still effective, right? Not so much, Busseri insists:
“In practice, either through human error or improper implementation, data-at-rest (DAR) encryption strategies fail to address the issue. A further technical challenge with this technique is that data must be decrypted to be manipulated. Once data is decrypted, it is susceptible to transmission by any malware that is resident on the device. Virtual private networks (VPNs) attach a remote endpoint to the enterprise network—creating a virtual open door—and inherently do not offer adequate data protection. VPNs seek to secure the connection by only allowing malware-free endpoints to access the enterprise network. This is an ineffective security method, as determining that an endpoint is malware-free is next to impossible. With the number and complexity of attack vectors increasing exponentially, VPN-based solutions cannot be relied upon as truly secure. Mobile employees often connect to open, public Wi-Fi networks without any security parameters for the sake of convenience and productivity. This is yet another reason not to use VPN-based mobile access technology or similar ineffective techniques. Attackers can exploit the unsecure Wi-Fi connection to steal data stored on a device or to propagate malware directly to an organization’s network through the mobile VPN connection.”
If you’re thinking the mobile-security sky is falling at this point, the good news, at least according to Busseri, is that Route1 is saving the day with its MobiKEY product:
“MobiKEY is the ultimate mobile data security solution for the enterprise. It uniquely combines secure mobile access with high-assurance identity validation and plug-and-play functionality. … With no clients or drivers, MobiKEY ensures that no virtual footprint is left on the remote device. Sensitive corporate data is never stored on the mobile endpoint, eliminating the risk of data loss when a device is lost or stolen. Once the user terminates the remote data session, malicious parties have no digital path to follow. The remote asset never becomes a node on the enterprise network, so malware and viruses have no virtual doors through which to enter it. With MobiKEY, organizations’ systems are immune to zero-day threats.”
A contributing writer on IT management and career topics with IT Business Edge since 2009, Don Tennant began his technology journalism career in 1990 in Hong Kong, where he served as editor of the Hong Kong edition of Computerworld. After returning to the U.S. in 2000, he became Editor in Chief of the U.S. edition of Computerworld, and later assumed the editorial directorship of Computerworld and InfoWorld. Don was presented with the 2007 Timothy White Award for Editorial Integrity by American Business Media, and he is a recipient of the Jesse H. Neal National Business Journalism Award for editorial excellence in news coverage. Follow him on Twitter @dontennant.