Tech Insight: Smartphones The New Lost And Stolen Laptops Of Data Breaches

Published: 22/11/2024   Category: security




Mobile device management and a new spin on user awareness training are essential to the enterprise mobile explosion



Enterprises have enacted full-disk encryption to protect themselves from their data being exposed through careless users. And the same trustworthy users who've left laptops in taxis or had them stolen from the local coffee shop are now forcing companies to deal with mobile devices that are smaller, always-on, unmanaged, and need to be plugged into the corporate network.
Management and IT are butting heads on the issue. Why? The trend of allowing users to bring in personal devices might be saving money when a company's bottom line is being considered, but the support headaches and increasing risk to company data are immeasurable. Employee satisfaction and productivity are important, and letting users use their own devices can help with that, but enterprises need to draw a line so that fluffy user experiences are not allowed to trump data security and the brand/reputation impact a data breach would have.
The hard-edged approach would be to simply ban all noncompany-issued phones, but that only leads to unhappy employees who either become spiteful and careless, or find workarounds to do what they wanted to do in the first place. You as a security professional don't want to deal with either situation. The safer choice is to find a compromise that -- backed by appropriate security policies -- will allow users to choose from a set of devices that can be centrally managed using one of the many mobile device management (MDM) solutions currently available (see Gartner's Critical Capabilities for Mobile Device Management).
An alternative to the full MDM approach is to use a mobile security solution that focuses more on email security and access to email, calendaring, and contacts. Since access to company email is the primary driver for smartphone use in the enterprise, it makes sense, and Good for Enterprise is an example of this approach.
Finding a way to manage mobile devices is just one problem: A larger one is the general lack of awareness of the risks to enterprises as a result of these devices. Security professionals, including the CISOs, need to take the time to learn about the security risks associated with smartphones. While some of the risks are similar to those faced in the past with laptops and mobile storage, there are newer ones associated with their high mobility, constant connection, and lack of cross-platform security controls that require new, creative approaches to solve.
Kevin Johnson, a security consultant with Secure Ideas and SANS Institute senior instructor, told Dark Reading that mobile devices are one of the most popular attack targets today due to the limited security controls and the large amounts of sensitive data.
Seeing a specific lack in mobile device security awareness and training, Johnson has worked with the SANS Institute to develop the Security 571 Mobile Device Security course. "Most organizations are just now starting to realize the risk associated with these mini-computers in their employees' pockets," he says.
Veracode, with the help of the Lookout Mobile Security research team, has put together a Mobile App Top 10 List of risks that provides a good introduction to mobile application risks. Some of the top issues include activity monitoring and data retrieval, unauthorized network connectivity, sensitive data leakage, and hard-coded passwords and/or encryption keys. All of those could directly impact the security of an enterprise network were mobile devices allowed to freely connect, view, and store sensitive data, and access e-mail without any sort of security controls in place.
With technical controls in place and the requisite knowledge in the hands of the company security pros, no mobile security effort would be complete without a user awareness program. User awareness, while a sore spot for many, is an absolute must -- and it needs to be done properly. As experts point out, awareness efforts fail because they have been done wrong for so many years. Users need to understand the issues, but not through yearly, half-day events that blast them with so much information that they'll glaze over in 15 minutes.
Break the awareness topics down into easy-to-digest chunks like marketing people do; provide monthly reminders on the importance of different aspects of mobile security; and make users aware of consequences if policies aren't adhered to or purposefully circumvented.