Mobile security – what works and what doesn’t?

Mobile developments across today’s enterprises have put IT security teams at the centre of the business.

These teams are not just building walls to keep things out, but are working close to the business to improve internal efficiency and even help it make sales.

The use of mobile devices has increased the opportunities for businesses in engaging with existing and potential customers. At the same time, businesses are using mobile devices to make their staff more efficient and flexible.

Both these opportunities bring huge challenges for the security teams that are tasked with making mobile work for the business.

In the front end, businesses must protect customers and themselves from malware as cyber criminals try to take their illegal share of the mobile opportunity, while in business operations, security teams must make it possible for staff to work in the way they want, unobstructed by security rules.

“A few years ago, everyone was worried – we thought the heavens were going to open and we were going to get bombarded by malware so mobile devices wouldn’t work,” Sarb Sembhi, director at cyber risk and cyber incident advisory unit Storm Guidance told the CW500 Security Club in July.

But these fears had not materialised, he added.

“There has been a lot of malware out there, but I have not come across any publicised cases when an organisation has suffered as a result of some mobile malware they have picked up,” said Sembhi.

The exaggerated fear of mobile malware is partly the result of a misunderstanding of what it really is.

Sembhi said it is important to differentiate how malware infects a company. “There are some apps that are really malware, but that is different [to mobile malware] because you are installing it yourself,” he said. “In terms of malware getting on a device from other places [mobile], I have not found anything significant at all.”

There is mobile malware out there and people have been hit, he said, but a lot of this is because they have not been cautious and may have downloaded something they should not have.

Mobiles are actually less likely to pick up malware than laptops and desktops because browsers on mobiles do much less than the browsers on laptops or desktops, said Sembhi.

“A mobile device will only download one or two bits of JavaScript from the sites you are viewing, whereas if you view a site on a laptop or desktop, it will download every bit of malware and JavaScript.”

Where are the dangers?

However, Sembhi warned of serious risks where mobile users connect to Wi-Fi or mast stations that they think are legitimate but might not be.

“With Wi-Fi, the danger signs have been out there some time,” he said. Cyber criminals will target hotspots that they think a certain group of people are using. For example, in a hotel where business executives are staying, the Wi-Fi could be targeted, he said. “The attackers know it will be worth it.”

Fake mast stations are another growing threat, said Sembhi. “Recently, people have used kit to build mobile masts that look legitimate. Data can be taken from something that mobile users think is legitimate.”

Another concern for Sembhi is around surveillance and privacy. An increasing number of organisations, such as smartphone manufacturers, carriers and app makers, all want to read users’ data, he said.

“Everything is trying to get to your data – and that is quite worrying. They try to find out everything about your life.”

Security should not hinder usability

Security teams not only have to address these concerns and protect the enterprise and its staff, but they must at the same time help the business to become mobile and gain efficiency.

Mobile devices are now the preferred business tools for a huge proportion of workers, and this will only get bigger as younger generations join the workforce.

New ways of working using mobile means new ways of securing businesses are needed.

Ashish Surti, director of information security at the Clutch Group, told the CW500 Security Club that the biggest challenge is making mobile devices both usable and secure at the same time. If mobile is only usable under strict company rules, staff will not buy into a programme, he said. They will not use company devices, but will buy their own and use them for work.

“The challenge is to make it usable and give workers access to the information they want in a format they would like to see it in,” Surti said. “You need to give them the ability to create content, change content and send it on to other people without having to go through the whole rigmarole of authentication and having to use a separate application to block other things.”

The good applications are those that can integrate with the native devices that workers want to use, rather than just the corporate devices, he added.

Surti said CISOs must engage with the business to get staff to understand and buy into what they are trying to do. “You need evangelists in the workplace and you must listen to feedback. Keep your ear to the ground and engage the user group in a way that makes them part of the development process.”

Senior management buy-in is essential for CISOs when it comes to securing mobile activity, said Surti. “These are the people that will stand by you when you put the technology in place”

“If you are saying no to anything on security grounds and your senior executives don’t understand why, you are on a losing streak and you are not going to last long in that conversation.”

Security is also about making the business better at its core activity, which is selling products and services. And with customers moving to mobile engagement through apps, businesses must ensure that security keeps pace.

At the CW500 Security Club, Dragan Pendić, chief security architect at Diageo, described how he is an IT security professional, but his business is selling drinks.

“We are a drinks company and we are in the business of selling our products and services, and as a security professional you have to be part of that story and help create opportunities,” he said.

Security teams have to look at mobile strategies in a new way, said Pendić. It is less about stopping something happening, but enabling the business to do something.

“Businesses want to do certain things and they will not wait for you,” said Pendić. “Progress will never happen if you look at things as a security person.”

Developers are creating apps quickly and security needs to evolve just as fast, he said. “While these guys are agile and creating things quickly, we in security are catching up.”

The extra challenge for security personnel is the need to understand two very different, but connected, IT environments, said Pendić. At the front end, apps are being developed and at the back end there are systems such as ERP – and security teams need to understand both.