The key factors in reducing the BYOD mobile security threat
In its latest report, research firm Ovum reveals that 47% of employees now use their own smartphones to access corporate data, a quarter use a tablet, and 8% use wearables to access information in some form. It’s clear that BYOD is an established feature in today’s always-connected, always-contactable business landscape, and organisations therefore need to put secure mobility management measures in place. What are the principal considerations to bear in mind for this process?
Workers now routinely expect to use the same feature-rich smartphone or other connected device at home and in the office. The launch of new high profile devices like Apple’s iPhone 7 and Google’s latest Android Pixel smartphone in time for Christmas means IT managers everywhere will in the new year have to deal with how to securely connect these and other new devices to their corporate networks.
But as the number of people using the same device for both business and personal lives increases, so does the threat to network security.
Today’s mobile devices contain multiple apps full of sensitive personal and corporate data, which makes them a significant target for malicious attack. In the second quarter of 2016, nearly a third of executive mobile devices were exposed to network attack (source: Skycure “Mobile Intelligence Threat Report”, Q2 2016). Nearly the same number were infected with malware, leaving valuable, sensitive data vulnerable to cyber criminals.
It’s not that mobile devices are being targeted more than laptops or desktop PCs. But as the gap between smartphone and PC capabilities narrows, mobile devices are now vulnerable to the types of attack previously reserved for desktops and laptops. Threats like phishing or malware in attachments, which were previously confined to your desktop inbox, are now on your smartphone.
The solution is not a single, fixed policy. What is instead required is a consistent but flexible set of guidelines that’s wide-ranging enough to cover all the apps that your users will access on their mobile device, both for work and for their personal use.
By policy, we mean a set of rules that defines authentication procedures for users – and which also defines access rights by individual users to certain types of data. For example, whether a user has permission to access certain files on a “read-only” basis, or whether they are authorised for “editing rights” to change or add to the file. The end result is a consistent set of security rules across all apps.
But this kind of flexible access and management policy by itself is not enough. With BYOD and mobility increasingly the norm, containerisation plays a significant role as well. Installing a secure container onto each staff member’s new device to house the apps and features they need for work provides dedicated secure “real estate” space on their phone.
The container keeps corporate apps and access to the network separate and, most importantly, protected from the user’s own personal apps - and by extension, any malicious threats that they might pick up while using them. Simply put, what happens in the container, stays in the container. Likewise for outside the container.
Of course, the use of a secure on-device container is only one half of the puzzle. The other half (which typically receives too little attention) is a well-balanced, robust authentication process that manages who can and cannot access the device, the container, and the apps it contains, while being as simple and unobtrusive as possible.
Multi-factor contextual authentication can, in a single process, identify authorised users and allow them to securely access their device, apps, data and files in a way that is fast, convenient and simple. Importantly, your users will only be challenged for additional credentials or proof of identity when and where the context of their situation warrants it.
Contextual authentication works by continually recording and analysing various background factors based on the device’s current use versus the context of how it has been typically used in the past - such as the device’s location, its time of use, or proximity to other devices.
If it detects no discrepancy between how your user is using it currently versus how they’ve used it previously, then he or she merely needs to complete a simple authentication step – such as entering a PIN code or swiping a fingerprint scanner on the device. Only if there is a considerable departure between the current and previous activity does the system ask your user to complete extra authentication steps.
Contextual authentication incorporates a range of diverse situational factors – everything from location and time of day, to device type and which app you want to use. Your company can adopt and adapt different factors according to your line of business, the requirements of your mobility strategy, or to be industry compliant.
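The step-up logic described above, as an added example that is not code from the original article or from any product it mentions: a per-user baseline records which locations, time-of-day buckets, device types and apps have been seen before; each factor of a new request that has no precedent adds a weight to a risk score, and the score selects the authentication step to demand. The factor weights, thresholds and step names are constructed policy values, not figures from the article.

```python
"""Contextual (risk-based) step-up authentication decision.

Added illustration, not code from the original article. Baseline model per
user: a counter of context values seen in past sessions for each factor.
Any attribute of a new request with no precedent in the baseline adds its
weight to a risk score; the score maps to the authentication step required.
"""
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical policy weights: an unseen location is worth more than an
# unseen hour-of-day bucket (constructed for illustration).
FACTOR_WEIGHTS = {"location": 3, "hour_bucket": 1, "device_type": 2, "app": 1}

# Constructed thresholds: the strongest threshold the score meets wins.
THRESHOLDS = [(0, "pin_or_fingerprint"), (2, "pin_plus_otp"), (5, "block_and_alert")]


@dataclass
class Baseline:
    """Per-user history of observed context values for each factor."""
    seen: dict = field(default_factory=lambda: {k: Counter() for k in FACTOR_WEIGHTS})

    def record(self, ctx):
        """Add one observed session context (after it authenticated successfully)."""
        for factor, value in ctx.items():
            self.seen[factor][value] += 1


def hour_bucket(hour):
    """Coarse time-of-day bucket so 09:05 and 09:50 count as the same context."""
    if 6 <= hour < 12:
        return "morning"
    if 12 <= hour < 18:
        return "afternoon"
    if 18 <= hour < 23:
        return "evening"
    return "night"


def risk_score(baseline, ctx):
    """Sum the weights of factors whose current value was never seen before."""
    score = 0
    reasons = []
    for factor, weight in FACTOR_WEIGHTS.items():
        if ctx[factor] not in baseline.seen[factor]:
            score += weight
            reasons.append(factor)
    return score, reasons


def required_step(score):
    """Map a risk score to the strongest threshold it meets."""
    step = THRESHOLDS[0][1]
    for limit, name in THRESHOLDS:
        if score >= limit:
            step = name
    return step


def decide(baseline, ctx):
    """Return the authentication step and the factors that drove the decision."""
    score, reasons = risk_score(baseline, ctx)
    return {"score": score, "step": required_step(score), "reasons": reasons}


def demo():
    """Constructed history: ten office mornings plus one evening at home."""
    b = Baseline()
    for _ in range(10):
        b.record({"location": "London-office", "hour_bucket": "morning",
                  "device_type": "ios", "app": "mail"})
    b.record({"location": "home", "hour_bucket": "evening",
              "device_type": "ios", "app": "mail"})
    usual = decide(b, {"location": "London-office", "hour_bucket": hour_bucket(9),
                       "device_type": "ios", "app": "mail"})
    unusual = decide(b, {"location": "unknown-city", "hour_bucket": hour_bucket(3),
                         "device_type": "android", "app": "finance"})
    return usual, unusual


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The usual-context request scores 0 and gets the simple PIN or fingerprint step; the request from an unseen city, at night, on a new device type and into a new app scores 7 and is blocked with an alert. A single unseen factor such as a new location scores 3 and triggers the OTP step. In a real deployment the baseline would be updated with the context of every successfully authenticated session, so that a new office or a new phone stops triggering step-up once it has been confirmed.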
Flexible, intelligent approaches to device security must incorporate security at every level – the device, the apps on it, and the corporate network that it connects to. With secure contextual authentication and containerisation both in place as part of a wider, robust but flexible management policy, workers and companies alike can properly benefit from the productivity and responsiveness that secure mobile connectivity enables, on whichever device best suits them.