Mobile security in a business environment

Whether we like it or not, BYOD (Bring Your Own Device) is here to stay. Long gone are the days when IT managers made company-wide decisions about the preferred mobile platform. Today almost everyone uses their own mobile device at work, whether the IT department is aware of it or not.

Background

Roughly ten years ago, an IT administrator could roll out BlackBerry devices across the entire company and provide an appropriate mobile solution for everyone, from a line worker in a factory to the CFO and CEO. Administration was centered on the BlackBerry Enterprise Server, and the mobile revolution appeared to be entering the corporate world from the top down.

That all changed with the iPhone. Steve Jobs walked onto the stage with a new, shiny gadget that awed the crowd with its simplicity. Web browsing, mail: it all simply worked.

Not long after, end users began bringing their Apple devices into the corporate environment and demanding that their favorite phone have the same business capabilities as the old BlackBerry devices. As history tells us, they ultimately won. IT departments, although reluctant at first, embraced the users' demands and produced plugins, integrations and other means for Apple devices to access the services of the business network. This was a truly bottom-up process: users brought the technology into the business world, rather than the business providing the technology to its employees. And so the era of BYOD was born.

BYOD today

From the perspective of corporate IT departments, BYOD usually means a security nightmare, or at the very least additional work. First, it is important to point out that users' devices are inherently outside the control of the IT administrator. There are security platforms and measures an IT admin can use to gain some control over them, but the fact of the matter is that most users will use their phones as they please: they install new apps, change the security configuration or, worst of all, side-load applications of unknown origin.

Second, there is a multitude of vendors, each supplying its own pre-loaded applications. Most often this bloatware is there to provide vendor-specific functionality, to up-sell additional services or to subsidize the low price of the device by displaying advertisements on the user's screen. Security is frequently not the highest priority, which is unfortunate, especially given that many pre-loaded apps cannot be disabled or uninstalled through the regular settings without first rooting the device (which in turn voids the warranty of most products). Moreover, as a recent academic study outlines, these apps often sidestep the security measures of Android and the Google Play platform and hold far more permissions than their functionality requires. 1

With these risks in mind, IT departments have responded in a variety of ways. Some placed non-corporate devices on a separate VLAN, limiting their access to a few network services. Others invested heavily in mobile device management platforms, which provide a certain level of security but require extensive maintenance on the part of the administrator. Still others flat-out tried to ban outside devices from their network, asking employees to use only company-provided smartphones and tablets, with limited success due to what can be dubbed the human behavior factor.

The human behavior factor

The human behavior factor is something that cannot easily be fixed by technology. According to a recent Samsung Mobile Workplace study, about 55% of lower- and middle-tier employees use their corporate smartphones as personal devices. 2 They install additional applications, load personal files and side-load apps which would otherwise have been rejected on security grounds.

If one were to think that higher-level managers are free from making this mistake, one would be very much misled. According to the same study, one-third of higher-level managers are guilty of the same violations. 3 It can therefore be inferred that, regardless of official rules and company policies, out of convenience or for a multitude of other reasons, people fall into the same behavioral patterns, and there is very little the IT department can do about it.

Meanwhile, the 2019 IDG whitepaper Buying into Mobile Security sums up the need to address this problem. Its survey of 100 IT leaders and IT security executives (49% of them CIOs) from a cross-section of industries including high tech, financial services and manufacturing, with an average employee base of 23,000, found that 74% of respondents reported that their organizations had experienced a data breach as a result of a mobile security issue. 4 Moreover, as the whitepaper outlines, these breaches were caused by the following:

  1. Mobile apps containing malware,
  2. Apps that contained security vulnerabilities,
  3. Unsecured Wi-Fi connections.

Problem → Solution

As with any security problem, there is no solution that can guarantee corporate network security 100%. However, with a few good practices, we can get closer to that figure.

First, invest in your employees' knowledge.

According to Citrix, by 2020, 50% of the workforce will be remote. 5 That said, one can easily infer that, whether we like it or not, BYOD and remotely connected devices are here to stay.

Even with the best software security solutions implemented company-wide, there is no way to rule out the human factor: deny one feature and the user will simply find a workaround. In a way, it is a cat-and-mouse game. However, proper security training is one of the most effective ways of raising security awareness. 6 The Best Practices for Implementing a Security Awareness Program from the PCI Security Standards Council provides an excellent outline of topics to cover.

Second, audit your devices.

Sometimes even brand-new devices come with malware or insecure applications pre-installed. 7 One of the best ways to counter this problem is simply to take stock of the pre-installed applications on our devices, together with the permissions they hold. Where possible, disable unknown or unnecessary applications. If that is not an option, limiting the app's permissions and its mobile data access in the Android settings is a step up. Best practice, however, is to purchase devices which do not come with a modified UI or vendor applications pre-installed.
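The audit described above can be scripted. What follows is an added example written for this guide, not code from the cited study or from the Android project: it parses the text that `adb shell dumpsys package` prints (the sample dump is constructed to mimic that format, with fictional package names), keeps the packages flagged SYSTEM, reports which sensitive permissions each one has been granted, and produces the adb commands that revoke those permissions and disable the app for the current user. The set of sensitive permissions and the allowlist of apps that may legitimately hold them are assumptions for the example. `pm revoke` works only on runtime permissions, so install-time permissions are reported but not revoked.

```python
"""Audit pre-installed Android apps from `adb shell dumpsys package` output.

Added example for this guide; the sample dump is constructed and the package
names are fictional.
"""
import re

# Runtime ("dangerous") permissions that expose user data or sensors.
# The set is an assumption for the example; extend it to match your policy.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# System apps that legitimately need sensitive permissions (assumed for the example).
ALLOWLIST = {"com.android.phone"}

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
FLAGS_RE = re.compile(r"^\s*(?:pkg)?[Ff]lags=\[([^\]]*)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

# Constructed sample in the shape of `adb shell dumpsys package` output.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.vendorweather] (3f2a1b):
    userId=10042
    codePath=/system/app/VendorWeather
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.READ_PHONE_STATE: granted=true
    User 0: installed=true hidden=false suspended=false stopped=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ ]
  Package [com.android.phone] (9c01de):
    userId=1001
    codePath=/system/priv-app/TeleService
    flags=[ SYSTEM HAS_CODE ]
    install permissions:
      android.permission.READ_PHONE_STATE: granted=true
      android.permission.READ_CALL_LOG: granted=true
  Package [com.example.usernotes] (77aa00):
    userId=10133
    codePath=/data/app/com.example.usernotes-1
    flags=[ HAS_CODE ALLOW_BACKUP ]
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
"""


def parse_dumpsys(text):
    """Return {package: {"system": bool, "granted": {permission: section}}}.

    `section` is "install" or "runtime", taken from the nearest preceding
    "... permissions:" header; only runtime permissions can be revoked with pm.
    """
    packages = {}
    current = None
    section = None
    for line in text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = packages.setdefault(m.group(1), {"system": False, "granted": {}})
            section = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.endswith(" permissions:"):
            section = stripped.split()[0]  # "install", "runtime", "requested", ...
            continue
        m = FLAGS_RE.match(line)
        if m:
            if "SYSTEM" in m.group(1).split():
                current["system"] = True
            continue
        m = PERM_RE.match(line)
        if m and m.group(2) == "true":
            current["granted"][m.group(1)] = section
    return packages


def audit(packages):
    """List (package, {permission: section}) for SYSTEM apps outside the
    allowlist that hold at least one sensitive permission."""
    findings = []
    for name, info in packages.items():
        if not info["system"] or name in ALLOWLIST:
            continue
        risky = {p: s for p, s in info["granted"].items() if p in SENSITIVE_PERMISSIONS}
        if risky:
            findings.append((name, risky))
    return sorted(findings, key=lambda f: f[0])


def remediation_commands(findings):
    """adb commands that revoke each runtime permission (pm cannot revoke
    install-time ones) and then disable the app for user 0; neither needs root."""
    cmds = []
    for name, perms in findings:
        for perm in sorted(p for p, section in perms.items() if section == "runtime"):
            cmds.append(f"adb shell pm revoke {name} {perm}")
        cmds.append(f"adb shell pm disable-user --user 0 {name}")
    return cmds


if __name__ == "__main__":
    findings = audit(parse_dumpsys(SAMPLE_DUMP))
    for name, perms in findings:
        print(name)
        for perm, section in sorted(perms.items()):
            print(f"  {perm} ({section})")
    print("\n".join(remediation_commands(findings)))
```

On a real device, feed it `adb shell dumpsys package` for the full package list. `pm disable-user` does not need root, but a vendor app may be a dependency of another system component, so disable one package at a time and confirm the device still behaves before moving on.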

Last, but not least, monitor your network.

As there is no way to completely rule out human error, it is always a good idea to use proactive monitoring to quickly identify and quarantine security breaches. With the proper network monitoring software and a clear security policy, the administrator can establish a baseline of network behavior, monitor for anomalies and set up scripts which automatically suspend or limit the offending device or account until the problem is examined and resolved.
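The baseline-and-anomaly step can be shown with a small detector. The following is an added example, not part of the original guide: it takes per-device, per-hour outbound byte counts together with the destination contacted (the records are constructed for the example; 203.0.113.9 is a documentation address), builds a mean and standard deviation per device from a baseline window, and flags a later interval whose volume is more than three standard deviations above the mean or that contacts a destination the device never used before. The quarantine decision is returned as a plain dict; wiring it to a NAC or RADIUS API is the assumed next step and is not shown.

```python
"""Per-device traffic baseline with anomaly-driven quarantine decisions.

Added example for this guide; the records below are constructed.
"""
import statistics
from collections import defaultdict

Z_THRESHOLD = 3.0  # standard deviations above the device's mean before a spike is flagged

# Constructed baseline window: (device_id, hour, bytes_out, destination).
BASELINE_WINDOW = [
    ("phone-alice", "2019-07-15T09", 2_000_000, "10.0.5.20"),
    ("phone-alice", "2019-07-15T10", 2_500_000, "10.0.5.20"),
    ("phone-alice", "2019-07-15T11", 3_000_000, "cdn.example.net"),
    ("phone-alice", "2019-07-15T12", 2_200_000, "10.0.5.20"),
    ("phone-alice", "2019-07-15T13", 2_800_000, "cdn.example.net"),
    ("phone-alice", "2019-07-15T14", 2_400_000, "10.0.5.20"),
    ("phone-alice", "2019-07-15T15", 2_600_000, "10.0.5.20"),
    ("phone-alice", "2019-07-15T16", 2_700_000, "cdn.example.net"),
    ("phone-bob", "2019-07-15T09", 500_000, "10.0.5.20"),
    ("phone-bob", "2019-07-15T10", 500_000, "10.0.5.20"),
    ("phone-bob", "2019-07-15T11", 500_000, "10.0.5.20"),
]


def build_baseline(records):
    """Return {device: {"mean", "stdev", "dests"}} from the baseline window.

    A constant-traffic device has stdev 0, which would make any change an
    infinite z-score, so the deviation is floored at 1 byte.
    """
    per_device = defaultdict(lambda: {"bytes": [], "dests": set()})
    for device, _hour, bytes_out, dest in records:
        per_device[device]["bytes"].append(bytes_out)
        per_device[device]["dests"].add(dest)
    baseline = {}
    for device, data in per_device.items():
        counts = data["bytes"]
        stdev = statistics.stdev(counts) if len(counts) > 1 else 0.0
        baseline[device] = {
            "mean": statistics.mean(counts),
            "stdev": max(stdev, 1.0),
            "dests": data["dests"],
        }
    return baseline


def check_record(record, baseline, z_threshold=Z_THRESHOLD):
    """Return a list of (kind, detail) anomalies for one new record; empty if normal."""
    device, _hour, bytes_out, dest = record
    profile = baseline.get(device)
    if profile is None:
        # A device with no baseline at all is itself an anomaly on a managed network.
        return [("unknown_device", device)]
    reasons = []
    z = (bytes_out - profile["mean"]) / profile["stdev"]
    if z > z_threshold:
        reasons.append(("volume", round(z, 1)))
    if dest not in profile["dests"]:
        reasons.append(("new_destination", dest))
    return reasons


def decide_action(record, baseline):
    """Map anomalies to an action: a single new destination only opens a review,
    a volume spike or an unknown device is quarantined until an admin looks at it."""
    device = record[0]
    reasons = check_record(record, baseline)
    if not reasons:
        return {"device": device, "action": "allow", "reasons": []}
    kinds = {kind for kind, _ in reasons}
    action = "quarantine" if kinds & {"volume", "unknown_device"} else "review"
    # Assumed integration point: here a script would call the NAC/RADIUS API
    # to move the device to the quarantine VLAN or open a ticket.
    return {"device": device, "action": action, "reasons": reasons}


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOW)
    for rec in [
        ("phone-alice", "2019-07-16T09", 3_400_000, "10.0.5.20"),
        ("phone-alice", "2019-07-16T10", 80_000_000, "203.0.113.9"),
        ("tablet-unknown", "2019-07-16T11", 1_000, "10.0.5.20"),
    ]:
        print(decide_action(rec, baseline))
```

A per-device baseline from one week of history and a fixed z-threshold is deliberately simple; in production the window should roll forward so the baseline follows legitimate changes in usage, and the quarantine action should be logged with the reasons so the administrator can see why a device was cut off.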

  1. Julien Gamba, Mohammed Rashed, Abbas Razaghpanah, Juan Tapiador, Narseo Vallina-Rodriguez. An Analysis of Pre-Installed Android Software. IMDEA Networks Institute, Universidad Carlos III de Madrid, Stony Brook University, ICSI. https://haystack.mobi/papers/preinstalledAndroidSW_preprint.pdf
  2. Telepolis.pl, report on the Samsung Mobile Workplace study (in Polish). https://www.telepolis.pl/wiadomosci/prawo-finanse-statystyki/ponad-polowa-pracownikow-uzywa-telefonu-sluzbowego-jak-prywatnego
  3. Same source as reference 2.
  4. IDG. Buying into Mobile Security: "Mobile security investments are becoming a priority for CIOs as the lack of visibility into mobile devices continues to increase risk." 2019. PDF.
  5. Citrix. Future of Work: How You Unlock Innovation Anywhere. https://www.citrix.com/perspectives-by-citrix/innovation/future-of-work-how-you-unlock-innovation-anywhere.html
  6. PCI Security Standards Council. Best Practices for Implementing a Security Awareness Program. https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf
  7. Same source as reference 1.

22.07.2019