ROGERS WHITE PAPER

MOBILE SECURITY THAT HELPS BUSINESS GROW

Produced by IT World Canada for Rogers Communications. May 2011

TABLE OF CONTENTS

Changing the Traditional Security Mindset
Highlights of the CIO Security Study 2010
Mobility’s Built-in Benefits
Emerging Threat Vectors
Types of Threats
7 Steps to Better Mobile Security
Building a Culture of Mobile Security

Changing the Traditional Security Mindset

If you drive down certain country roads in rural Canada, you may be occasionally greeted by a sign that says “ACCIDENT – It’s Only A Word Until It Happens.” You could say the same thing about the way most companies treat IT security.

When data is compromised and customer information makes its way into criminal hands, or viruses temporarily shut down operations, most organizations are quick to respond. They will consult the experts, conduct a post-mortem. The larger ones will hire or appoint a chief security officer, if they don’t already have one. Smaller ones may undergo in-depth security training and purchase expensive software to protect themselves. Security strategies are never more thorough than when they are reactive.

The advent of mobile computing, which began with laptops but which is quickly moving to smart phones and tablets, presents the dire possibility that history will repeat itself – that companies will wait until something terrible happens involving a mobile device before taking steps that could prevent the worst from happening. Yet much has been learned from IT security trends that first surfaced in the PC era that can be applied to mobility, and there are many security experts who are quick to point out the safeguards as well as the vulnerabilities inherent in most mobile devices.

From CRM to authorizations to business intelligence, mobile applications help organizations better support on-the-go workforces and engage more effectively with customers. Security allows us to capitalize on these opportunities.

IT World Canada and Rogers have had the benefit of talking with countless CIOs, IT managers and technical staff who are already investigating these issues. The smartest people among this group see security as a way to move business forward, rather than a series of “no’s” which create a barrier to innovation. They see good IT security as a way of making the business case – of arguing, for example, that a company can allow more choice of mobile device to employees and greater use of software that extends their capabilities across geographies.

We also have the benefit of our affiliation with other members of the International Data Group (IDG) News Service who report on these issues, and the joint research projects we conduct to probe these issues in greater detail. This white paper brings together all these resources to help articulate a realistic vision of how mobile security needs to be considered, in a way that allows IT departments to be positive contributors to their company’s business objectives.

Highlights of the 2010 CIO Security Survey

Mobility is only one aspect of a challenging slew of IT security issues facing companies of all sizes. In order to home in on the ways potential threats around mobile devices can be addressed, it’s important to understand how CIOs, IT managers and other technology staff are setting their priorities and allocating the resources available to them. The approach of these enterprises can be an early indication of how SMBs will likely deal with the same problems.

Every year IT World Canada, in cooperation with our International Data Group affiliates in 90 countries around the world, conducts an in-depth research survey of chief information officers focused on security. Here are some key findings from that research. [1]

Endpoints Enter The Picture

Although most CIOs see their security budgets remaining flat or enjoying very moderate growth in 2011, the top five technologies they invest in to protect corporate data include end user firewalls, biometrics, data leakage protection, locks and keys for computer hardware and encryption for removable data. This last area is of obvious importance as more users plug USB keys into their laptops while out of the office. We expect more mobile-specific security tools – which are already being released by the likes of Symantec, McAfee and other major players – to join this list in 2012.

Pressure Trumps Policy As Investment Driver

When we asked CIOs why they invest in the security technologies they do, the most-cited answer was “legal and regulatory requirement,” which has probably been true ever since Sarbanes-Oxley, legislation to protect against the kind of accounting scandals perpetrated by the likes of Enron and WorldCom, was enacted. “Client requirement” came second, but “professional judgement” came third, followed by “common industry practice” or “potential liability or exposure.”

[1] The survey results, which are obtained in collaboration with consulting firm PricewaterhouseCoopers, include more than 12,000 responses, including a small portion from Canada.

TOP SPENDING “JUSTIFICATIONS” IN 2010

Justification                        2007   2008   2009   2010
1. Legal & regulatory requirement     58%    47%    43%    43%
2. Client requirement                 34%    31%    34%    41%
3. Professional judgment              45%    46%    40%    40%
4. Potential liability / exposure     49%    40%    37%    38%
5. Common industry practice           42%    37%    34%    38%
6. Risk reduction score               36%    31%    31%    30%
7. Potential revenue impact           30%    27%    26%    27%

It may be that, as new security threats continue to proliferate (particularly on mobile devices), it is becoming so difficult for IT administrators to keep up that they lack confidence in their professional judgement. If the main drivers of good security practices come from outside forces, however, it’s hard to imagine protection of company data as anything other than a chore. It should be the goal of an IT department – or an organization as a whole – to be more self-directed in this area, as part of an overall strategy for business growth.

In terms of cybercrime’s impact, financial loss is the No. 1 worry, followed by intellectual property theft and compromising one’s brand or reputation. All this suggests that security continues to be driven by costs, but perhaps there’s another way to look at this. Good security not only prevents financial loss, but allows companies to grow revenue through the ability to capitalize on new opportunities through technology – in other words, mobility.

BUSINESS IMPACTS

Impact                               2007   2008   2009   2010
Financial losses                       6%     8%    14%    20%
Intellectual property theft            5%     6%    10%    15%
Brand / reputation compromised         5%     6%    10%    14%

Built-in Benefits of Mobile Security

Some senior executives are immediately worried about arming their employees with devices that allow, in effect, for sensitive business information to walk out the door. What they may not realize is that mobile devices have some advantages over their desktop predecessors – advantages that may not last forever but can, for the moment at least, offer some justification for further mobile investments.

1. OS variety: Unlike PCs, which were dominated by Windows, mobile devices run on multiple platforms, limiting the ability of malware to infect all phones. Although some businesses may prefer to standardize on one platform to simplify support, consumers are bringing in a plethora of other devices, creating challenges in IT departments as well as this benefit.

2. Mobile architectures: These tend to be more closed than their PC counterparts, with limited access to documentation and debugging tools, making it more difficult (at least initially) to identify the vulnerabilities necessary for malware to propagate.

3. App stores: RIM’s BlackBerry App World, iTunes App Store and those offering apps for Android devices present the most popular or, in some cases, the only avenue for deploying new software on mobile devices. This limits the ability of a worm to propagate by directly installing executable code on a mobile device. It also adds a layer of review that software is subject to before it can be deployed on a device.

Emerging Threat Vectors

Even experts can’t agree on how big the security issues around mobile devices are. Mformation, which provides mobile device management technology, commissioned researchers Vanson Bourne to survey more than 300 IT managers across North America and the U.K., and found that 78 percent of respondents don’t know what devices are connected to the corporate network. Seventy-six percent said that employee-owned mobile devices are creating security headaches, while only 56 percent said they would be able to secure a device that has been lost or stolen.

Others worry that the range of devices will make patch management much more difficult, and that developers aren’t doing enough to build security into their applications. So far, some of the biggest holes include the following:

Social networking: A study from Google showed that almost one quarter of users who fell for a recent scam on a social network did so from their mobile device.

Games: Monkey Jump and other games are being illegally copied and repackaged with code designed to steal personal info (source: Lookout Mobile Security).

Malware: Gemini, botnet-like malware built to lift and transmit personal data from a user’s phone and ship it to a remote server, surfaced late in 2010.

There is perhaps no bigger threat, however, than employees. This has always been true in the desktop era, but mobility potentially increases the amount of damage individual staff can do to a company’s data. The “consumerization” of IT, for example, means that staff are becoming responsible for purchasing their own devices – and aren’t always telling their IT company about what they’re doing with them. Loss or theft of devices means greater access to business as well as personal data. Internal threats from rogue or ex-employees are heightened by the range of applications and functions available through mobile phones – and weak security procedures.

Types of Threats

Once you’ve identified the biggest areas where security can be compromised, you need to know what those compromises will look like. They can be broken down into three main categories:

1. Traditional malware: Applications such as rogue dialers, which will send SMSes to premium-rate numbers owned by the fraudsters. Other threats include worms spread by communication protocols such as Bluetooth. Major security firms such as Symantec, McAfee and Trend Micro are all beginning to offer specific anti-virus software to assist mobile users.

2. Privacy, data collection issues: Mobile applications can also have other privacy-related risks such as collecting, transmitting or storing data. Advertising networks and mobile application developers are often highly interested in metrics around how and where people are using their applications. Data may include information identifying a specific device, with users unaware they are being tracked. Companies should not only work hard to understand what apps employees are using but be prepared to conduct a privacy impact assessment and offer training on the privacy vulnerabilities to employees.

3. Social engineering: Just like on desktops and laptops, fraud doesn’t have to involve a technical trick. Phishing -- the practice of using a fake website to trick users into revealing sensitive information -- is as much or more of a threat on mobile devices. People often trust their mobile device more than their computer and are therefore more vulnerable to phishing. Many firms will need to update their security policies and training programs to educate their users on these expanded risks and provide examples of what such phishing sites or e-mails might look like.

7 Steps to Better Mobile Security: An IT Administrator’s Checklist

Armed with this background data, what can you do today to begin creating a culture of mobile security? As always, it all starts with training and education. Get your coworkers focused on these common-sense (but often overlooked) areas.

1. Secure Your Device with a Password: All major smartphone platforms have built-in password options, and the majority of newer feature-phones, or non-smartphones, also offer some sort of password protection. Mandate that employees break out their phone’s user guide or search for it by model number online and help them to assign a password.

2. Make Mobile-Phone Backup a Priority--and a Habit: Whatever the application, it’s wise to get in the habit of backing up a smartphone every time an employee plugs it into their computer--or more often if they rarely connect their handhelds and PCs. Many desktop sync programs let you set some sort of “automatic backup” option so your device backs itself up whenever connected to your PC, without any effort on your part. If a company already has a backup policy in place for desktops, it should be a relatively simple matter to extend this to the mobile space.

3. Add Owner Info to a Phone’s Locked Home Screen: Including lost-phone-reward info helps ensure that whoever finds a phone will also have a way to get in touch with users to return it, should the person be so inclined, as well as an incentive, if the company or employee decides to offer up a reward. Depending on the kind of data that may be stored on a device, it could well be worth compensating someone to turn a device in. Once again, instruct employees to hit up their mobile phone’s user guide or search online to see if their specific device has a built-in option to add owner information or a reward offer--something like: If found, please dial 555.555.5555 for a $50 reward.

4. Keep List of “Emergency” Contacts Away from Phone: Train your mobile workforce to make a quick list of important contact people or companies and tuck it away in a wallet or purse--preferably somewhere away from their cell phones, so they’re less likely to lose the emergency contact list along with their phone. Sample contacts to include: a significant other; nearby friends or family; the IT department’s help desk or IT contact, if they are using a corporate-issued phone; AAA or other roadside assistance organization; their wireless carrier’s customer information line, should they need to freeze their account; etc.

5. Prepare Phone-Location and Remote-Wipe Services: Depending on the specific mobile phone model, it may be possible to purchase and/or employ some sort of cell-phone tracking service to locate lost mobile phones (i.e., MobileMe, BlackBerry Protect). Some of these offerings also allow users to remotely wipe information from their device.

6. Reduce Sensitive Info, Apps Stored on Your Device: No files named “passwords”. No storing of payment information. Reduce the number of one-click purchase icons.

7. Encrypt or Protect Data Stored on Media Card: If users aren’t asked to encrypt or otherwise protect the information stored on their media card, a malicious party could simply remove the card from their locked and secured device and access its data from a compatible card reader, like another smartphone or a PC.

Creating a Culture of Mobile Security

Security should be a force of positive motivation, rather than a negative necessary evil. It’s motivating because good security is key to winning customers’ trust, which is becoming the currency most valued by customers who perform more and more of their transactions online, from their mobile devices.

All organizational cultures are somewhat unique, but there are standard techniques that may help to determine the best way to not only get IT security on the radar of mobile employees, but to turn it into something they consider a shared company value.

1. Conduct a self-assessment of your traditional IT security posture in the PC/desktop world and identify the gaps. How can these be addressed in the mobile environment?

2. Determine your organization’s risk appetite – what is necessary for business growth and what poses a threat to customer or partner relationships?

3. Recognize and recruit mobile security champions or ambassadors among tech-savvy employees – delegate some of the messaging and communication to those who have the respect and authority among their peers.

The advice in this white paper does not guarantee that you’ll never face security issues due to mobile devices. It can, however, be the first step towards turning security from something that gets in the way into the most logical way forward.

For more information about Rogers Wi-Fi Calling for Business, please contact your Rogers representative.

About IT WORLD CANADA

IT World Canada is the Canadian affiliate of International Data Group (IDG), the world’s largest IT information media provider. We have been creating conversations and building relationships with the influential network of Canada’s technology professionals, business managers and executives for over twenty-five years by delivering timely, incisive information they can trust through digital publications, events and print brands.

Reaching the distinct and influential decision maker in business and the business of Information Technology, (French and English) readership totals with reach of 2.5 pass along, 300,000, and 120,000 individual IT professionals and business executives...and still growing because we at IT World Canada are Canada’s trusted IT Media Publishers.

Our mission is to inform, to teach, to empower, to connect.