White Paper: Mobile Security
1. Mobile Security
That Helps Business Grow 1
ROGERS WHITE PAPER
MOBILE SECURITY
THAT HELPS BUSINESS GROW
Produced by IT World Canada For Rogers Communications. May 2011
TABLE OF CONTENTS
Changing the Traditional Security Mindset
Highlights of the CIO Security Study 2010
Mobility’s Built-in Benefits
Emerging Threat Vectors
Types of Threats
7 Steps to Better Mobile Security
Building a Culture of Mobile Security
Changing the Traditional Security Mindset
If you drive down certain country roads in rural Canada, you may be occasionally greeted by a
sign that says “ACCIDENT – It’s Only A Word Until It Happens.” You could say the same thing
about the way most companies treat IT security.
When data is compromised and customer information makes its way into criminal hands,
or viruses temporarily shut down operations, most organizations are quick to respond. They
will consult the experts, conduct a post-mortem. The larger ones will hire or appoint a chief
security officer, if they don’t already have one. Smaller ones may undergo in-depth security
training and purchase expensive software to protect themselves. Security strategies are never
more thorough than when they are reactive.
The advent of mobile computing, which began with laptops but which is quickly moving to
smart phones and tablets, presents the dire possibility that history will repeat itself – that
companies will wait until something terrible happens involving a mobile device before taking
steps that could prevent the worst from happening. Yet much has been learned from IT
security trends that first surfaced in the PC era that can be applied to mobility, and there are
many security experts who are quick to point out the safeguards as well as the vulnerabilities
inherent in most mobile devices.
From CRM to authorizations to business intelligence, mobile applications help organizations
better support on-the-go workforces and engage more effectively with customers. Security
allows us to capitalize on these opportunities.
IT World Canada and Rogers have had the benefit of talking with countless CIOs, IT managers
and technical staff who are already investigating these issues. The smartest people among this
group see security as a way to move business forward, rather than a series of “no’s” which
create a barrier to innovation. They see good IT security as a way of making the business
case – of arguing, for example, that a company can allow more choice of mobile device to
employees and greater use of software that extends their capabilities across geographies.
We also have the benefit of our affiliation with other members of the International Data Group
(IDG) News Service who report on these issues, and the joint research projects we conduct to
probe these issues in greater detail. This white paper brings together all these resources to help
articulate a realistic vision of how mobile security needs to be considered, in a way that allows
IT departments to be positive contributors to their company’s business objectives.
Highlights of the 2010 CIO Security Survey
Mobility is only one aspect of a challenging slew of IT security issues facing companies of
all sizes. In order to home in on the ways potential threats around mobile devices can be
addressed, it’s important to understand how CIOs, IT managers and other technology staff
are setting their priorities and allocating the resources available to them. The approach
of these enterprises can be an early indication of how SMBs will likely deal with the same
problems.
Every year IT World Canada, in cooperation with our International Data Group affiliates in
90 countries around the world, conducts an in-depth research survey of chief information
officers focused on security. Here are some key findings from that research.[1]
Endpoints Enter The Picture
Although most CIOs see their security budgets remaining flat or enjoying very moderate
growth in 2011, the top five technologies they invest in to protect corporate data include end
user firewalls, biometrics, data leakage protection, locks and keys for computer hardware
and encryption for removable data. This last area is of obvious importance as more users
plug USB keys into their laptops while out of the office. We expect more mobile-specific
security tools – which are already being released by the likes of Symantec, McAfee and other
major players – to join this list in 2012.
Pressure Trumps Policy As Investment Driver
When we asked CIOs why they invest in the security technologies they do, the most-cited
answer was “legal and regulatory requirement,” which has probably been true ever since
Sarbanes-Oxley, legislation to protect against the kind of accounting scandals perpetrated
by the likes of Enron and WorldCom, was enacted. “Client requirement” came second, but
“professional judgement” came third, followed by “common industry practice” or “potential
liability or exposure.”
[1] The survey results, which are obtained in collaboration with consulting firm PricewaterhouseCoopers, include more than
12,000 responses, including a small portion from Canada.
TOP SPENDING “JUSTIFICATIONS” IN 2010

Justification                         2007   2008   2009   2010
1. Legal & regulatory requirement     58%    47%    43%    43%
2. Client requirement                 34%    31%    34%    41%
3. Professional judgment              45%    46%    40%    40%
4. Potential liability / exposure     49%    40%    37%    38%
5. Common industry practice           42%    37%    34%    38%
6. Risk reduction score               36%    31%    31%    30%
7. Potential revenue impact           30%    27%    26%    27%
It may be that, as new security threats continue to proliferate (particularly on mobile devices),
it is becoming so difficult for IT administrators to keep up that they lack confidence in their
professional judgement. If the main drivers of good security practices come from outside
forces, however, it’s hard to imagine protection of company data as anything other than a
chore. It should be the goal of an IT department – or an organization as a whole – to be
more self-directed in this area, as part of an overall strategy for business growth.
In terms of cybercrime’s impact, financial loss is the No. 1 worry, followed by intellectual
property theft and compromising one’s brand or reputation. All this suggests that security
continues to be driven by costs, but perhaps there’s another way to look at this. Good
security not only prevents financial loss, but allows companies to grow revenue through the
ability to capitalize on new opportunities through technology – in other words, mobility.
BUSINESS IMPACTS

Impact                                2007   2008   2009   2010
Financial losses                      6%     8%     14%    20%
Intellectual property theft           5%     6%     10%    15%
Brand / reputation compromised        5%     6%     10%    14%
Built-in benefits of Mobile Security
Some senior executives are immediately worried about arming their employees with devices
that allow, in effect, for sensitive business information to walk out the door. What they may
not realize is that mobile devices have some advantages over their desktop predecessors
– advantages that may not last forever but can, for the moment at least, offer some
justification for further mobile investments.
1. OS variety: Unlike PCs, which were dominated by Windows, mobile devices run on
multiple platforms, limiting the ability of malware to infect all phones. Although some
businesses may prefer to standardize on one platform to simplify support, consumers are
bringing in a plethora of other devices, which creates challenges for IT departments but
also delivers this benefit.
2. Mobile architectures: These tend to be more closed than their PC counterparts, with
limited access to documentation and debugging tools, making it more difficult (at least
initially) to identify the vulnerabilities necessary for malware to propagate.
3. App stores: RIM’s BlackBerry App World, iTunes App Store and those offering apps
for Android devices present the most popular or, in some cases, the only avenue for
deploying new software on mobile devices. This limits the ability of a worm to propagate
by directly installing executable code on a mobile device. It also adds a layer of review
that software is subject to before it can be deployed on a device.
Emerging Threat Vectors
Even experts can’t agree on how big the security issues around mobile devices are.
Mformation, which provides mobile device management technology, commissioned
researchers Vanson Bourne to survey more than 300 IT managers across North America and
the U.K., and found that 78 percent of respondents don’t know what devices are connected
to the corporate network.
Seventy-six percent said that employee-owned mobile devices are creating security
headaches, while only 56 percent said they would be able to secure a device that has been
lost or stolen.
Others worry that the range of devices will make patch management much more difficult,
and that developers aren’t doing enough to build security into their applications. So far, some
of the biggest holes include the following:
Social networking: A study from Google showed that almost one quarter of users who
fell for a recent scam on a social network did so from their mobile device.
Games: Monkey Jump and other games are being illegally copied and repackaged with
code designed to steal personal info (source: Lookout Mobile Security).
Malware: Geinimi, botnet-like malware built to lift and transmit personal data from a
user’s phone and ship it to a remote server, surfaced late in 2010.
There is perhaps no bigger threat, however, than employees. This has always been true in the
desktop era, but mobility potentially increases the amount of damage individual staff can do
to a company’s data.
The “consumerization” of IT, for example, means that staff are becoming responsible for
purchasing their own devices – and aren’t always telling their IT company about what
they’re doing with them. Loss or theft of devices means greater access to business as well as
personal data. Internal threats from rogue or ex-employees are heightened by the range of
applications and functions available through mobile phones – and weak security procedures.
Types of threats
Once you’ve identified the biggest areas where security can be compromised, you need to
know what those compromises will look like. They can be broken down into three main
categories:
1. Traditional malware: Applications such as rogue dialers, which will send SMSes to
premium-rate numbers owned by the fraudsters. Other threats include worms spread
by communication protocols such as Bluetooth. Major security firms such as Symantec,
McAfee and Trend Micro are all beginning to offer specific anti-virus software to assist
mobile users.
2. Privacy, data collection issues: Mobile applications can also have other privacy-related
risks such as collecting, transmitting or storing data. Advertising networks and mobile
application developers are often highly interested in metrics around how and where
people are using their applications. Data may include information identifying a specific
device, with users unaware they are being tracked. Companies should not only work
hard to understand what apps employees are using but be prepared to conduct a privacy
impact assessment and offer training on the privacy vulnerabilities to employees.
3. Social engineering: Just like on desktops and laptops, fraud doesn’t have to involve a
technical trick. Phishing -- the practice of using a fake website to trick users into revealing
sensitive information -- is as much or more of a threat on mobile devices. People often
trust their mobile device more than their computer and are therefore more vulnerable to
phishing. Many firms will need to update their security policies and training programs to
educate their users on these expanded risks and provide examples of what such phishing
sites or e-mails might look like.
7 Steps to Better Mobile Security:
An IT Administrator’s Checklist
Armed with this background data, what can you do today to begin creating a culture of
mobile security? As always, it all starts with training and education. Get your coworkers
focused on these common sense (but often overlooked) areas.
1. Secure Your Device with a Password: All major smartphone platforms have built-in
password options, and the majority of newer feature-phones, or non-smartphones, also
offer some sort of password protection. Mandate that employees break out their phone’s
user guide or search for it by model number online and help them to assign a password.
2. Make Mobile-Phone Backup a Priority – and a Habit: Whatever the application, it’s
wise to get in the habit of backing up smartphones every time an employee plugs one into
their computer--or more often if they rarely connect their handhelds and PCs. Many
desktop sync programs let you set some sort of “automatic backup” option so your device
backs itself up whenever connected to your PC, without any effort on your part. If a
company already has a backup policy in place for desktops, it should be a relatively simple
matter to extend this to the mobile space.
3. Add Owner Info to a Phone’s Locked Home Screen: Including lost-phone-reward
info helps ensure that whoever finds a phone will also have a way to get in touch with
users to return it, should the person be so inclined, as well as an incentive, if the company
or employee decides to offer up a reward. Depending on the kind of data that may be
stored on a device, it could well be worth compensating someone to turn a device in.
Once again, instruct employees to hit up their mobile phone’s user guide or search online
to see if their specific device has a built-in option to add owner information or a reward
offer--something like: If found, please dial 555.555.5555 for a $50 reward.
4. Keep List of “Emergency” Contacts Away from Phone: Train your mobile workforce
to make a quick list of important contact people or companies and tuck it away in a
wallet or purse--preferably somewhere away from their cell phones, so they’re less likely
to lose the emergency contact list along with their phone.
Sample contacts to include: A significant other; nearby friends or family; the IT
department’s help desk or IT contact, if they are using a corporate-issued phone; AAA or
other roadside assistance organization; their wireless carrier’s customer information line,
should they need to freeze their account; etc.
5. Prepare Phone-Location and Remote-Wipe Services: Depending on the specific
mobile phone model, it may be possible to purchase and/or employ some sort of
cell-phone tracking service to locate lost mobile phones (e.g., MobileMe, BlackBerry Protect).
Some of these offerings also allow users to remotely wipe information from their device.
6. Reduce Sensitive Info, Apps Stored on Your Device
No files named “passwords”.
No storing of payment information.
Reduce the number of one-click purchase icons.
7. Encrypt or Protect Data Stored on Media Card: If users aren’t asked to encrypt or
otherwise protect the information stored on their media card, a malicious party could
simply remove the card from their locked and secured device and access its data from a
compatible card reader, like another smartphone or a PC.
Creating a Culture of Mobile Security
Security should be a force of positive motivation, rather than a negative necessary evil. It’s
motivating because good security is key to winning customers’ trust, which is becoming the
currency most valued by customers who perform more and more of their transactions online,
from their mobile devices.
All organizational cultures are somewhat unique, but there are standard techniques that may
help to determine the best way to not only get IT security on the radar of mobile employees,
but to turn it into something they consider a shared company value.
1. Conduct a self-assessment of your traditional IT security posture in the PC/desktop
world and identify the gaps. How can these be addressed in the mobile environment?
2. Determine your organization’s risk appetite – what is necessary for business growth
and what poses a threat to customer or partner relationships?
3. Recognize and recruit mobile security champions or ambassadors among tech-
savvy employees – delegate some of the messaging and communication to those who
have the respect and authority among their peers.
The advice in this white paper does not guarantee that you’ll never face security issues due to
mobile devices. It can, however, be the first step towards turning security from something that
gets in the way into the most logical way forward.
For more information about Rogers Wi-Fi Calling for Business, please contact your
Rogers representative.
About IT WORLD CANADA
IT World Canada is the Canadian affiliate of International Data Group (IDG), the world’s largest
IT information media provider. We have been creating conversations and building relationships
with the influential network of Canada’s technology professionals, business managers and
executives for over twenty-five years by delivering timely, incisive information they can trust
through digital publications, events and print brands.
Reaching the distinct and influential decision maker in business and the business of Information
Technology, (French and English) readership totals with reach of 2.5 pass along, 300,000, and
120,000 individual IT professionals and business executives...and still growing because we at
IT World Canada are Canada’s trusted IT Media Publishers. Our mission is to inform, to teach,
to empower, to connect.