
CIO Magazine: Not your father’s cybersecurity

By Craig Riegelhaupt
The connection of personal computers to the Internet, which began in earnest in the 1980s, ushered in an era of innovation in communications, commerce and productivity. But it came with a cost – the proliferation of malicious software that today presents a threat-based environment for organizations and individuals the world over.

The hard-wired systems of computing’s early days were the primary targets of the early cyber criminals. But today’s melding of cellular, Wi-Fi and smart devices – combined with the burgeoning Internet of Things (IoT) – presents an enormous challenge to organizations that need to keep their data safe and not go broke doing so. The so-called KRACK (key reinstallation) attack disclosed in mid-October, which showed that clients on WPA2-protected Wi-Fi networks could be tricked into reusing encryption keys and exposing their traffic, is just the latest example.

A recent trend in larger organizations has been the appointment and/or elevation of a chief information security officer (CISO) at the C-suite level. In many cases, the CISO works in tandem with the chief information officer (CIO), who manages the enterprise data, and the chief technology officer (CTO), who supervises the hardware and software. Responsibility for the overall security of an organization’s intellectual property rests within this management triumvirate. Companies have been known to thoughtfully build out a mobile security policy plan, and yet fail to execute because they don’t have backing from the C-suite. Mobile security needs to be carefully balanced with usability on a mobile device to empower employees.

Responsibility for mobility management

Enterprises have an ever-increasing responsibility for safeguarding the mobile devices that power sales and marketing forces critical to the organization’s business success. Many organizations issue smartphones and/or tablets to their employees to use on the job. Others may use a BYOD (bring your own device) policy, where the employee uses the same device for both business and personal use.

Cyber security experts have long maintained the most vulnerable and targeted points of entry (aka endpoints) into any system are the multitude of workstations, personal computers and other devices used by employees in their daily business duties. Mobile smart devices now must be added to this mix.

BYOD policies for smartphones, tablets and IoT devices (smart watches, sensors) are particularly problematic from a cyber security standpoint. In the United States, most BYOD devices run Apple’s iOS, which provides a measure of comfort while by no means being fail-safe from a security standpoint. In Europe and Asia, cheaper devices use a variety of operating systems, some of which are more secure than others. The vulnerability with these systems mostly stems from third-party app stores of dubious provenance, where end users go to download apps because in some regions they can’t access certified app stores. Researchers noted that Wi-Fi connected devices running Android 6.0 and later were especially vulnerable in the mid-October KRACK incident, because the Wi-Fi client software on those devices could be made to install an all-zero encryption key.

Moreover, smartphones and tablets are more easily lost or stolen than in-house computers and laptops, presenting yet another security risk.

A mobile security policy should be applied universally, or at least as much as an organization’s platforms allow. Employees will talk, and it’s important that functionality on their devices remain consistent across the board.

To meet the new mobile cyber security challenge, many organizations have employed Enterprise Mobility Management (EMM) programs. EMM focuses on managing mobile devices, wireless networks and other mobile computing services in a holistic context – for security as well as efficiency and cost-savings. EMM programs differ in size and scope but generally include the following components (often called “EMM stacks”):

Mobile device management (MDM) – technology that remotely manages devices and platforms, including unique profiles for individual device users. MDM can be used to remotely wipe data from a lost or stolen device.
Mobile application management (MAM) – tools to install, manage and update mobile apps that can be used selectively and can protect data without resorting to a total purge of the remote device.
Mobile identity management (MIM) – tools to manage certificates, authentication, signatures and single sign-on apps. MIM can also be used to track app and device metrics.
Mobile content management (MCM) – tools to manage internet content on mobile devices and authorize access to files and data on a trusted device.
Mobile expense management (MEM) – helps the organization control the expenses of its mobile communications devices and systems.

Naturally, the largest organizations have the resources to deploy EMM stacks as needed. But what about smaller or mid-sized enterprises that want to protect their essential data as well as keep mobility costs under control?

What to expect in an outsourced EMM program

EMM programs managed by third-party providers can relieve the resource-heavy workload of mobility management. EMM can be complex and require highly specialized knowledge and resources that in-house IT teams lack. When an EMM solution is not precisely tuned, security risks may be overlooked while employees may experience issues with email and other tools that prevent them from doing their job effectively.

A concerned organization can do an initial mobile situation analysis to better understand the current environment to deliver and implement a custom playbook for EMM integration and support. After implementation, any device that connects to its global network can be monitored and managed based on corporate policy. At a minimum, an organization shopping for an outsourced EMM program should expect:

EMM Optimization that ensures an organization gets the most out of its EMM stacks.
EMM Set-Up and Configuration that helps to set-up and connect an EMM solution properly.
EMM Management that provides ongoing support to help manage a mobile enterprise.
EMM End-User Service desk to answer any questions via a user support line.

It’s important to remember that mobile devices are more “personal” in nature – whether corporate-issued or BYOD – than a computer at a corporate workstation. We can design, build and deploy policies that will help secure the devices, but employee education on cyber security is critical. It is employee behavior on the endpoints that often inadvertently opens up the corporate network to attack. Employee education is an ongoing exercise.
