Smart home technology is making government networks more vulnerable, Christopher Young, senior vice president and general manager of Intel Security, said at the 2017 RSA Security Conference in February. He pinpoints working from home as the single greatest risk to government networks as employees begin to take advantage of teleworking opportunities.
“This is increasingly where all of our employees do their work. So if you want to worry about [where] the next ... governmental vulnerability might lie, it’s likely to be in the home of the people that work for you,” Young said during a keynote speech. “The other reason is that those homes now have more powerful, more connected devices that are increasingly being used to launch larger and more sophisticated attacks against us.”
But the truth is, the workforce is changing, and organizations that don’t change with it will be left behind. And for this reason, Young notes that government officials need to increase their focus on ensuring that government employees are using safe cybersecurity practices on their home networks.
By 2020, millennials will make up nearly half (46 percent) of the workforce, and mobile employees are projected to account for 72 percent of the workforce. Even today, more than 60 percent of workers say they work outside the office at least part time.
Millennials have grown up in the age of smartphones and tablets. As this generation completes its transition into the workforce, young people are bringing with them firm expectations that they will be able to work how they want, where they want and when they want, using the device they prefer.
Historically, the adoption of mobility solutions has faced resistance, with some organizations not wanting to put data at risk by making it available outside of the office. But this position is becoming untenable. As mobility becomes virtually inevitable, security and risk management teams must be prepared to secure mobile deployments.
“Mobile is the new playground for criminals,” says Raj Samani, chief scientist at Intel Security. “When you compare against laptops and desktop computers, the level of coverage with regard to security programs for mobile devices is very, very low. They are like sieves in our pockets.” Many IT managers are unaware of the full extent of their mobile environments, including the number of mobile applications their users employ.
“People think, ‘I’ve got 10 apps, or 50, or 100,’ ” says David Jevans, vice president of mobile security at Proofpoint. “But when you multiply that by your employee base, you’ll be blown away. It is not unusual for us to go into an enterprise, turn on our mobile threat defense product, and see 60,000 different apps. People’s eyes get wide open.”
The proliferation of mobile apps represents a huge vulnerability for organizations, as apps with malicious code can pop up even in legitimate app stores — and are ubiquitous in third-party stores, where users sometimes wander to look for free versions of paid apps.
“Maybe your kids use your device to go to a third-party app store and download a new game that’s not available in the U.S. yet,” Jevans says. “That’s how these infections get into the enterprise.”
Phishing and ransomware — threats that have long caused headaches for organizations — are now spilling over into the mobile space. Mobile ransomware is seen as less of a threat than a PC-based attack, because mobile ransomware typically locks up individual devices, rather than paralyzing entire systems. Still, the threat is growing exponentially, with one security vendor finding that the number of unique Android ransomware threats was 15 times higher in June 2016 than in April 2015. And phishing threats are only growing more sophisticated.
“It’s evolved from phishing to whaling,” says Jeff Falcon, principal security solution architect for CDW. “Attackers are deliberately going after someone specific, someone with a ‘C’ in their title, and they’re bringing elements of social psychology and fear to trick them into doing something that they shouldn’t be doing.”
Zero-day vulnerabilities — holes in software that are unknown to manufacturers and anti-virus vendors — have long kept cybersecurity professionals up at night. Now these exploits are threatening mobile devices.
Apple made news in 2016 when the company announced a “bug bounty,” offering $50,000 for outside researchers who discover zero-day threats. Shortly afterward, security analysts determined that text messages sent from hackers were linking to zero-day exploits that could take control of an iPhone and allow the hackers to spy on calls, emails and text messages.
Because zero-day threats are unknown to anti-virus vendors, signature-based detection tools can’t sniff them out. To protect against mobile zero-day attacks, organizations must rely on tools that monitor for anomalies such as abnormal CPU usage, unknown configuration profiles and file system tampering.
User education is also important. If a user doesn’t click on a malicious link to a zero-day exploit, the attack won’t be able to affect the device.
There’s no one-size-fits-all solution for mobile security. Organizations must look at their unique environments and determine which tools will provide the greatest security benefits for their specific mobility deployments. Often, a trusted partner can provide advice to help enterprises design mobile security solutions that best meet their needs.
Over time, the concept of mobile device management has evolved into enterprise mobility management — helping organizations manage not only devices, but also mobile applications and content. While EMM solutions remain an important piece of mobile security, vendors such as Proofpoint are also now offering mobile threat defense solutions that incorporate protection from malicious apps, threat intelligence, anomaly detection and advanced malware sandboxing. These MTD systems can often integrate with an organization’s existing EMM solution, creating a cohesive mobile security environment. Proofpoint and other vendors also offer stand-alone tools that provide advanced threat protection for email and social media.
When organizations first deploy mobile security tools, they’re not just surprised by the sheer number of mobile apps in their environment, Jevans says. “We typically find more malicious apps than they thought. One thing that causes a big wake-up call is when we show them what countries and which companies data is being sent to.”
Despite the introduction of newer tools, Samani says, EMM solutions remain a must-have for most organizations with significant mobility deployments. “For me, it’s absolutely crucial,” he says. “What happens when an employee leaves the organization, and they can’t log in, but they’ve got all the contact information about their customers? We see anti-virus and firewalls as a prerequisite. For me, EMM is in that category.”
As organizations invest in mobile security solutions, Falcon says, they must balance the costs of new tools with their potential benefit. Sandboxing, for example, can quickly hog computing resources, and has the potential to become an “expensive, time-consuming process,” he says. As a result, some organizations subscribe to cloud services that offer sandboxing on an as-needed basis.
“Mobile security isn’t something you acquire and walk away from,” Falcon says. “These are heavy-duty technologies, typically layered in, based on the appetite and the gaps that exist within an organization.”
Organizations must make sure that users’ mobile devices aren’t leaking enterprise data — but this doesn’t mean that IT teams should be able to access all the data on users’ devices.
“We find that privacy is a big deal for workers, and it’s important to communicate to employees what privacy considerations you’ve taken,” says David Jevans, vice president of mobile security for Proofpoint. “You have to answer the question, ‘Are we collecting any user data?’ And in general, the answer should be no.”
Different mobile security solutions offer different levels of enterprise visibility. Some allow IT staff to see only what apps reside on users’ devices and whether those apps are malicious, without providing the organization access to private data. Even this capability may raise objections, Jevans notes. Many workers, for example, wouldn’t want their bosses to know what dating and health monitoring apps they use, especially on their private devices.
Some mobile security solutions provide what Jevans calls “total privacy.” These tools monitor devices for safe behavior. However, instead of allowing organizations to see specific apps or data, they simply enable security administrators to see whether a device is in compliance with enterprise cybersecurity policies.
For mobile security investments to succeed, organizations must first consider what outcomes they hope to achieve, and also what obstacles are standing in their way. In addition to investing in new IT tools, enterprises should work to ensure that they implement clear security policies and engage in effective user education to support their mobile security efforts.
When Proofpoint researchers studied one business card–scanning app, Jevans says, they found that it was uploading users’ entire contact lists to servers in China. “If there are apps that are leveraging corporate data, those should be reviewed,” he says.
Samani says that organizations must first determine what sorts of data sharing they’re comfortable with, and then design their mobile security solutions backward from there. “You might say, ‘We don’t want people to use their own devices, end of story,’ ” he says. “You might say, ‘We don’t want people accessing social media.’ Having a clearly defined policy about what is acceptable and what’s not acceptable is the first step. Only after you’ve done that can you think about the technologies you want to use.”
Learn more about how CDW’s solutions and services can help your organization secure and streamline its mobile deployments here.