I recently had my mountain bike stolen. I had locked it with a device that I thought was strong enough, but the thief was able to cut through it and take the cycle. As anyone who has had something personal stolen will know, the theft makes you re-evaluate how you protect other things you own. So, after choosing a replacement bike, I naturally decided to buy a more secure lock.
At the cycle specialist, I was looking at devices from ABUS, one of the leading bike security brands. All of the company’s devices perform the same basic function – helping to prevent ‘mobile devices’ from being stolen – but of course, its solutions cover a range of security levels. So the company rates each of its locks according to its intended usage and the threat environment it will be used in – from low-cost bikes and accessories in low-risk areas, to high-value bikes in high-risk areas for theft.
This got me thinking – why shouldn’t organizations apply the same rating process to securing the smartphones and tablets being used across their employee base? As with bike security, the overall objective is simple: reduce the security risks of the device being stolen or compromised. And there is no ‘one size fits all’ solution, as the organization has various functions with different levels of risk and different security needs. The idea that every mobile device in an organization should be protected with the highest-grade security technologies looks good on paper – but in practice it simply doesn’t make sense, as some do not require that level of security or are not willing to pay the required security price.
Organizations need to ensure they provide the right levels of security for the device and data, based on several factors: the role of the individual using the device; what core business applications and data the person has access to; and the risk to the business if the device is stolen, compromised by malware, or communications are intercepted. Just as it is unlikely that you would use a 150-dollar lock to secure an old, 50-dollar bike, you wouldn’t use a 30-dollar lock to secure a hand-built Specialized or Colnago racer.
Different staff, different security levels
So how should organizations approach stratifying the security requirements across their mobile estates? I believe there are three main security levels to think about.
First, there are the senior members of staff or specific, sensitive organization functions (C-level, MNA, Legal, Finance, core IP, Research, etc.) who access and process sensitive corporate data. These personnel – and their devices – are critical to the organization, and therefore should be considered a high security risk. As such, layering multiple security products onto their company-issued or personal device is simply not a good approach. The tools and processes that provide reasonable levels of protection, often compromise the performance and usability of the device so much that users will seek workarounds, bypassing security measures to achieve productivity. This exposes the device, and the data on it, to even greater unnecessary risk. What’s more, underlying OS level vulnerabilities on these devices can also be targeted by hackers as part of a ‘whaling’ attack against the organization’s executives.
As such, instead of using vulnerable mobile devices with bolted-on restrictive security, senior executives should be issued with specialized, secure devices in which the standard OS and the entire software layer from the kernel level upward is replaced with a secure, hardened version with built-in security layers implemented seamlessly, without affecting productivity, functionality or usability. These devices should deliver full encryption of data at rest, as well as all communications to and from the device, secure its externally available interfaces (Web, Cellular, Wifi, NFC, USB, Bluetooth, etc.), and actively monitor, block and alert on all targeted attacks and attempts to gain unauthorized access to on-device resources, plant malicious code or install rogue apps.
As a result, cyber criminals will hit a very high security bar when trying to target the device. Also, since security is built into the devices’ lowest software layers (instead of being added on), the end user can still enjoy a standard, familiar, fully functional operating system, leveraging a complete app ecosystem and standard ease of use: ensuring that their productivity is not compromised in any way.
Referencing back at the ABUS cycle lock rating system analogy, this method would be ranked 9 in a scale of 1 to 10 in terms of security rating, assuming realistically that a 100% bullet proof, 10 out of 10 rating cannot be achieved.
The second level of security is mid-tier management staff, senior external contractors, project managers and other specific functions that have access to some sensitive data but are unlikely to be primary targets for hackers. These personnel – and their devices – are not as critical to the organization as the first group, and therefore should be considered a medium security risk. For these individuals, a standard smartphone, protected with a comprehensive security application that delivers data and communications encryption, attack detection and protection capabilities together with advanced device management features should provide sufficient protection to satisfy the level of risk and security requirements identified at corporate level.
This method could be applied on a corporate-issued smartphone, or on the user’s own device under a BYOD scheme, and would be rated 6 out of 10 on the Abus scale. The security is not as strong as with a full hardened device and OS, but will be sufficient for the majority of mid-tier staff.
The third level of security applies to employees who have low-level access to data, including contract and freelance staff that are not part of the organization for long enough to warrant being issued with a company device, or included as part of a comprehensive mobile security scheme. Each individual’s device usage and data access should be assessed and monitored, providing visibility at the corporate level with regards to the security postures and risk levels of each device under this scheme. This should be achieved by applying lightweight security software on these devices. This method would be rated as 3 out of 10, and devices under this scheme treated accordingly – low risk, low access level, low security processing power.
Real time visibility and policy enforcement
These three levels of security should be underpinned with a management system which enables the organization’s IT team to see the real-time risk level and security posture of each mobile device in its estate. Monitoring the overall security health of a specific device, a group or the entire organization can effectively point out security gaps, users’ negligence and specific areas of risk that may affect the way IT rollout new services and access to services. This also enables the team to manage and apply policies to mitigate risks on devices as they occur, reducing the organization’s attack surface, the potential impact of threats and attempts to breach security.
This stratified contextual approach to security means that businesses can apply protection to each device and the data it holds, in a way that is appropriate to the device user’s role, and risk profile. In turn, this makes it easier for organizations to lock down and manage the complete mobile security cycle.