For businesses, maintaining mobile device cybersecurity involves a holistic, strategic approach that goes well beyond protection for the compact pieces of equipment we might think of first, like cell phones, tablets and personal digital assistants (PDAs). It also includes watches, Google Glass, and VR headsets, as well as myriad medical devices — not to mention innocuous office items that are part of the Internet of Things (IoT).
Unlike twenty years ago, when many of these devices didn’t exist or hadn’t yet gone mainstream, mobile devices have become a broad category of their own in terms of cybersecurity. For a business to maintain a safe tech ecosystem and avoid compromising the firm’s key data, its employees, and clients, it’s important to understand their vulnerabilities.
Weak Links
Mobile devices, while convenient and powerful, have become a key focus in cybersecurity strategies because they also represent some of the weakest parts of a tech system. The virtue of portability also increases the chances that they are lost or stolen, at which point they quickly become a potential portal for a hacker to gain access to a network and more. Even credit cards can be skimmed by a person walking close by.
This can create not only IT and operational challenges for a business, but legal issues as well. For example, some electronic medical devices can be hacked to compromise intellectual property or health information. Law firms and banks face a similar challenge with confidential client information. Meeting compliance requirements — HIPAA or PCI, for example — is an obligation for some firms, but the protected information can be compromised simply by storing it on, or making it accessible from, a device that isn’t secure.
A firewall appliance is a familiar part of cybersecurity, but on its own it isn’t enough. Hackers rarely approach the highest wall to scale their way into a castle — they’ll seek the weakest point, which is often an unsuspecting user or a mobile device. That’s why a sound cybersecurity plan is holistic and strategic, incorporating layers of defense. If hackers can exploit a vulnerability on one employee’s device, they will. And if they succeed, it doesn’t necessarily mean the employee was incompetent or devious; it more likely indicates the lack of a sound cybersecurity plan.
IT Visibility
As you engage a managed security service provider (MSSP) to address these vulnerabilities, it’s critical to provide full visibility into the entire constellation of your network and its components to allow wraparound protection. For instance, an employee using a deprecated version of an Apple mobile device can compromise the whole system — the IT provider needs an inventory of the mobile devices in use, as well as the versions of the software running on them. That one employee’s device can be the window through which a hacker attacks the entire firm.
With mobile devices, it’s important for IT to be alerted immediately if they are lost or stolen. At a mid-sized firm or larger, this can happen frequently. Concertium employs tools to “harden” mobile devices to make them impregnable in that scenario. If a device disappears and doesn’t already have device management in place, a hacker can usually access email via the device, obtain a new password, and use the device as a portal to initiate major damage.
Any devices connected to a network need to be centrally managed to ensure those protective layers are thoughtfully and consistently applied. The required layers of protection go far beyond the ones traditionally applied to, say, a workstation. To ensure protection for all mobile devices, Concertium can audit every device used to access a firm’s network to determine whether any have been compromised by hackers.
Solutions to Tech Vulnerabilities
Two-factor authentication (or two-step verification) is one of the easier layers of protection to add. But even then, a device isn’t totally secure, because a hacker can clone a phone and receive the same text message, or access the email account the user relies on for the second factor. Still, two-factor authentication is a useful layer of protection and a recommended part of a larger plan.
An effective mobile device cybersecurity plan should also include these core components:
- Start with a security assessment — including an understanding of your clients’ tech restrictions and requirements
- Implement a mobile device security plan, then collaborate with Human Resources to ensure implementation of these policies
- Create a trail of documentation to help avoid legal problems if the firm’s work requires regulatory compliance
- Create protocols for security events, such as when an employee is terminated or a phone is breached or lost
The goal is to ensure a wraparound, layered system of security that protects a firm’s cybersecurity and the integrity of its mobile resources, so they can serve as assets, not liabilities.