One Mobile Device Security Threat You Haven't Considered - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile
Commentary
10/5/2011
05:50 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

One Mobile Device Security Threat You Haven't Considered

Remember that Dilbert cartoon where the waitress comes back wearing a fur coat? Wireless store employees may be the next ones wearing mink, thanks to your data.

Whenever I talk with clients or other industry folks about mobile security, they inevitably ask, What is the No. 1 threat to mobile devices? Is it new Trojans for Android, or perhaps theft?

Until now, my stock response has been that every organization has a unique risk profile, and that's still true. There's no way around performing a mobile security risk assessment to determine what threats your organization is most vulnerable to. Uncurated app stores, phones left in taxis, public hotspots -- there are lots of ways employees can be tripped up. But lately, I’m recommending that infosec teams add a new danger they may not have considered: the wireless store.

The announcement of the iPhone 4S means wireless stores and kiosks across America are amping up operations to handle an influx of customer orders from those who have to have the newest thing. Sprint is reportedly betting its business on iPhone sales. And don't forget that Android devices are also selling like hotcakes. So what do our employees -- who are consumers, remember -- do when a new phone comes out? They buy it. Your CFO may, as we speak, be handing a helpful employee his old iPhone 4 or Android device. The helpful employee walks in the back room and transfers data to the new phone.

But are you sure that "old" phone didn't contain any scrap of confidential corporate data? Or that it can't give a wireless store worker access to your network? How do you know, when that data transfer is being done, that the helpful employee isn't helping himself to everything on the device?

You don't, unless you have policies in place and spend some time educating your users and help desk staff. Make it clear that before any device is upgraded or discarded, it must be wiped of sensitive data. That's for the employees' benefit as well as the company's. And back up that advice with a policy that disallows registering a new phone on the network until you're satisfied the old one isn't a threat.

That means that, before people start snapping up new high-powered mobile devices like the iPhone 4S and Samsung Galaxy S II, you need to analyze your device registration process. If you don't have one, now is the time to develop one. If yours is a "bring your own device" shop, this is essential to managing the madness -- especially if you don't have mobile device management software in place, as new phones inevitably lead to new help desk calls.

Here's a quick checklist of things that must be part of your registration process:

1) Make sure each device is tied back to a user -- not just a cost center. This adds accountability.

2) If you have MDM software, prevent a new registration until you confirm that the old device has had its data erased.

3) If you don't have MDM software, implement a default-deny policy for new devices connecting via ActiveSync or BES (both have that capability) so that users MUST contact the help desk to get corporate email or network access on their new phones. I discuss more ways to control access here.

4) DOCUMENT THIS PROCESS! And communicate that this is how any new activation will occur, so your co-workers don't head to the AT&T store and claim the phone isn't working. This is where education pays off.

5) Train the help desk to handle these situations. It will get support calls as consumer mobile devices permeate the business. When an employee says, "This doesn’t work," sending her off to the carrier store is asking for trouble (see No. 4). While there are thousands of phones and tablets, focus your efforts on the top sellers, and remember: Android is Android. There are more than 214 flavors across all the carriers, so having the help desk know Android will go a long way. Ditto for iOS. Every help desk has a person who enjoys playing with new hardware, so tap him to be the mobile research manager and, if you org is big enough, pay for new phones and use him to train others.

6) If you do have MDM software -- and you should -- have a plan for when a user brings in a device the MDM suite doesn't support. Most likely, it will happen. Do you deny or allow? If you allow, must the employees agree to conditions, such as they can use the phone but corporate email will be denied, or they can use the phone but won't receive support for it until the MDM suite can support it? Depending on your organization, these may not fly (especially when an executive is the one with the new phone), so we against strongly suggest your help desk be on top of things.

7) Stay up to date on new malware and other threats to major new releases, like the Apple iPhone and iPad, and major Android phones. I recommend tracking the popular HTC Evo and Samsung Galaxy lines, at minimum.

If you haven't invested in MDM, get it in next year's budget so your security policy can be backed up with technology.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DSHERMAN018
50%
50%
DSHERMAN018,
User Rank: Apprentice
10/12/2011 | 1:24:57 PM
re: One Mobile Device Security Threat You Haven't Considered
Bprince is right. Show of hands here...... How many folks have a drawer somewhere with old, retired devices in it?
Bprince
50%
50%
Bprince,
User Rank: Apprentice
10/7/2011 | 12:04:51 AM
re: One Mobile Device Security Threat You Haven't Considered
Interesting. A mobile phone retirement process is something that I can see easily slipping below the radar at most organizations.
Brian Prince, InformationWeek contributor
News
Watch Out: 7 Digital Disruptions for IT Leaders
Jessica Davis, Senior Editor, Enterprise Apps,  11/18/2019
Commentary
Enterprise Guide to Data Privacy
Cathleen Gagne, Managing Editor, InformationWeek,  11/22/2019
Slideshows
Top-Paying U.S. Cities for Data Scientists and Data Analysts
Cynthia Harvey, Freelance Journalist, InformationWeek,  11/5/2019
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll