Scope of the Mobile Device Security Threat
Smartphones are just one type of mobile device that may show up in the workplace and therefore becomes a mobile device security concern. The mere presence of mobile devices in the enterprise is not the problem.
Considering the habits and practices of mobile device users who co-mingle work and personal activities helps you begin to outline the scope of the problem. For example, the devices your company’s employees use to read their work-related e-mail may also be the devices they use to post pictures and status updates on Facebook.
Consider the following interconnections and interactions that happen through mobile device use.
Loss, theft, and replacement of mobile devices
Your employees’ mobile devices may change hands for a number of reasons, exposing your company data to others. It may be your employee’s device, but it is your company’s data that it is carrying.
Three main characteristics define the demise of a mobile device:
Loss: Mobile devices are tiny, and your employees can lose them a lot easier than they can a desktop computer.
Theft: These devices are very attractive to thieves because of their popularity and resale value.
Replacement: Your employees like to periodically upgrade their old phones. The problem, these devices frequently contain proprietary enterprise information that can fall into the wrong hands.
Lost or stolen devices are ticking time bombs until they can be deactivated. Unscrupulous folks who have possession of these devices can access your network and assets inside your network. So the exposure is very high.
Really off-site data storage
The exploding storage capabilities of mobile devices – which is further augmented by applications that extend storage to the cloud – present a growing possibility of intellectual property and sensitive information being widely downloaded and stored and, more critically, compromised.
The phone in smartphone belies the capabilities of these devices. Your employees frequently download all kinds of enterprise data (spreadsheets, presentations, e-mails, and so on) that are stored in these phones with ever-expanding memory footprints (the amount of memory used by applications). Such use makes these phones an IT asset that needs to be guarded as zealously as servers or other storage devices.
Free (but not necessarily nice) apps
With the advent of free and nearly free applications available for download for every smartphone, your employees are experimenting with new apps all the time.
Almost exclusively, these applications are designed with the consumer in mind and encourage experimentation. Such experimentation results in devices that are constantly morphing and being exposed to potential malware.
It would behoove you to establish an approved set of application types and versions that could be your baseline for mobile devices. This allows you to evaluate any deviations from this baseline as your users customize their devices.
Network access outside of your control
By their nature, mobile devices connect wirelessly to available networks, most of which are outside your company’s control. The proliferation of wireless interfaces means an ever-increasing attack surface that can be used to compromise mobile devices.
While these interfaces enhance the user’s experience, they also expose your company to yet another attack vector that the bad guys are waiting to exploit. (An attack vector is a mechanism that is used by the attacker to gain access to a critical resource in order to deliver malware or compromise the entity.)
It is only a matter of time before mobile devices become multihomed, meaning they are connected to multiple wireless interfaces simultaneously. Therefore, you need to be aware of and protect against all of these interfaces simultaneously.