5. Do We Really Have a Choice?
•84% use the same smartphone for work and for personal usage.
•81% of employed adults use at least one personally owned electronic device for business
•59% use their mobile devices to run line-of-business applications
•74% of companies allow BYOD usage in some manner
•1/3 use mobile devices exclusively
--Experian Mobile Security Survey, November 2013 (Harris Interactive)
6. The Great Mobile Security Debate
•When will the great mobile data breach happen?
•2017: endpoint breaches will shift to tablets/smartphones.
•Physical vs Virtual
•BYOD/Mobile security policy
•Business vs Security
9. State of Mobile Security
•Productivity vs. Security
•Rise of mobile campaigns
•More targeted malware
•Volume of usage = increased risk
•End user error
10. User Perspective on Mobile Security
•50% of companies have experienced a data breach due to inadequate device security
•47% don’t have a password on their mobile phone.
•51% stated their companies couldn’t execute a remote wipe if lost or stolen.
•49% said mobile security has not been addressed with them by IT.
12. Mobile Security Failures
•Inconsistent security policies
•Unmanageable devices
•Minimal number of devices
•Data artifacts existing on disposed devices
•Data leakage
13. Unique Mobile Security Issues
•Multi-user/single user
•Browsing environment
•Updates/patching
•SSL
•CSRF
•Geolocation
•Apps
14. Mobile Malware Trends
•98% of all mobile malware targets Android users
•Kaspersky: 3.4M malware detections on 1.1M devices
•60% of all attacks are capable of stealing users’ money
•Reported attacks have increased 6X (from 35K in August 2013 to 242K as of March 2014)
Real-time Endpoint Threat Detection and Response
15. The Most Popular Mobile Malware
Chart (only the category labels are recoverable): SMS, RiskTool, AdWare, Trojan.
21. BYOD Challenges
•Device turn-over and EOL
•New devices: Default or customized settings?
•How can you know everything about every device?
•App Stores: Approved apps?
•Applications
22. Mobile Security Policy Checklist
Consider risk scenarios.
Adapt from proven or trustworthy models.
Measure perception.
Understand roles, privileges and what’s in place today.
Get granular with your questions & considerations.
Figure out a strategy for testing your applications.
Enforce the policy.
Raise awareness and require training.
23. Assess and Validate Risk
Take an inventory of your high-risk applications/mobile applications.
Determine business criticality.
What’s your attack probability?
How do you define the attack surface?
Consider overall business impact.
Where does compliance factor in?
What are the security threats?
24. Roles and Access Controls
•Which departments/groups/individuals have been most active in developing policies?
•Have the authors of existing policies collaborated with each other before?
•Can you identify a potential champion(s) to support the new policy?
•Where do existing policies already agree on commonly implemented controls?
•Supporting documents, materials and related policies should be cited in the mobile device policy.
25. Get Granular
•How will mobile devices be used?
•Devices assigned to one person or shared?
•Which mobile applications would be used?
•What information is accessible through mobile devices?
•What information will be stored on the mobile devices?
•How will data be shared to/from and between mobile devices?
•Who’s ultimately responsible for mobile devices?
•Will personal activities on company devices be permitted?
•What levels of support are expected?
27. Defining Policy
•Provides contextual, technical guidelines
•Maps to compliance mandates
•Considers criticality of application and data
‒Requirements, activities and level of detail needed will differ
•Has clear exception policies where necessary
‒What if minimum standards can’t be met? What is considered acceptable? Who approves?
•Includes internally built and third-party applications
•Reflects current maturity and skillset of staff
‒The more skilled the staff, the less explicit the policy needs to be
28. Enforcing Policy
•You need management buy-in!
•Broad vs. targeted strategy roll-out
•On-boarding:
‒Require all device info as part of hiring process
‒Require policy training up front
•Require training for various departments:
‒General population receives awareness training
‒Technical employees receive in-depth training
•Monitor for effectiveness, e.g. deliver training or a reminder when an employee is out of compliance.
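The "monitor for effectiveness" bullet is the point where a policy stops being a document and becomes a check that runs. As an added example (not part of the deck or its author's material), the script below evaluates a constructed device inventory against a few assumed policy floors: passcode set, storage encrypted, MDM enrollment (without which no remote wipe is possible if the device is lost), a minimum OS version, and a recent check-in (a device silent for weeks may have been lost or turned over). Each device's findings are mapped to the follow-up the policy would prescribe. The inventory records, the `MIN_OS` floors, the 30-day check-in limit and the `SNAPSHOT_DATE` are all assumptions; a real run would read an MDM export in place of `INVENTORY`.

```python
"""Mobile policy compliance check over a device inventory.

Added example, not from the deck. It assumes a hypothetical MDM/inventory
export shaped as a list of dicts with the fields used below; the policy
floors (MIN_OS, MAX_CHECKIN_DAYS) and the snapshot date are assumptions.
"""
from datetime import date

# Assumed policy floors. Take these from your own policy; the values here
# are illustrative only (mid-2014 era platforms).
MIN_OS = {"ios": (7, 0), "android": (4, 4)}
MAX_CHECKIN_DAYS = 30   # silent longer than this: possibly lost or turned over

# Constructed snapshot date and sample inventory (not real data).
SNAPSHOT_DATE = date(2014, 6, 1)
INVENTORY = [
    {"owner": "alice", "platform": "ios", "os_version": "7.1.1",
     "passcode_set": True, "encrypted": True, "mdm_enrolled": True,
     "last_checkin": "2014-05-28"},
    {"owner": "bob", "platform": "android", "os_version": "4.1.2",
     "passcode_set": False, "encrypted": False, "mdm_enrolled": True,
     "last_checkin": "2014-05-30"},
    {"owner": "carol", "platform": "ios", "os_version": "7.0.4",
     "passcode_set": True, "encrypted": True, "mdm_enrolled": False,
     "last_checkin": "2014-04-10"},
    {"owner": "dave", "platform": "android", "os_version": "4.4.2",
     "passcode_set": True, "encrypted": True, "mdm_enrolled": True,
     "last_checkin": "2014-04-20"},
]

# Findings that put company data at risk right now, as opposed to hygiene gaps.
DATA_AT_RISK = {"NOT_ENCRYPTED", "NO_REMOTE_WIPE", "UNSUPPORTED_PLATFORM"}


def parse_version(text):
    """'7.1.1' -> (7, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_device(dev, today):
    """Return the list of policy violations for one device, in a fixed order."""
    violations = []
    if not dev["passcode_set"]:
        violations.append("NO_PASSCODE")
    if not dev["encrypted"]:
        violations.append("NOT_ENCRYPTED")
    if not dev["mdm_enrolled"]:
        # Without enrollment there is no remote wipe if the device is lost.
        violations.append("NO_REMOTE_WIPE")
    platform = dev["platform"].lower()
    if platform not in MIN_OS:
        violations.append("UNSUPPORTED_PLATFORM")
    elif parse_version(dev["os_version"]) < MIN_OS[platform]:
        violations.append("OS_BELOW_MINIMUM")
    last_seen = date.fromisoformat(dev["last_checkin"])
    if (today - last_seen).days > MAX_CHECKIN_DAYS:
        violations.append("STALE_CHECKIN")
    return violations


def action_for(violations):
    """Map findings to the follow-up the policy prescribes."""
    if DATA_AT_RISK & set(violations):
        return "block_access_and_escalate"
    if violations:
        return "send_reminder_and_training"
    return "ok"


def compliance_report(inventory, today):
    """owner -> {'violations': [...], 'action': ...} for every device."""
    report = {}
    for dev in inventory:
        found = check_device(dev, today)
        report[dev["owner"]] = {"violations": found, "action": action_for(found)}
    return report


def violation_counts(report):
    """Count each finding across the fleet: the kind of numbers slide 10 cites."""
    counts = {}
    for entry in report.values():
        for code in entry["violations"]:
            counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    result = compliance_report(INVENTORY, SNAPSHOT_DATE)
    for owner, entry in result.items():
        print(owner, entry["action"], entry["violations"])
    print(violation_counts(result))
```

The split between `block_access_and_escalate` and `send_reminder_and_training` is the design point: a missing passcode or a stale check-in is a hygiene gap that a reminder and training can close, whereas an unencrypted or unenrolled device cannot be wiped if it walks out the door, so the policy's exception process (who approves, what is acceptable) has to be triggered rather than a nudge.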
29. Where are you at? ‘Ad Hoc’
Maturity-model diagram: implementation assessed across Technology, People, Process and Data (current level: Ad Hoc).
30. Get to the next level of ‘Repeatable’
•Collect examples
•Present business needs & educate executives
•Create a mobile security policy
•Identify some short and long-term risks/goals
•Make the case simple
31. Now you are at ‘Repeatable’
Maturity-model diagram: implementation assessed across Technology, People, Process and Data (level reached: Repeatable).