According to CTIA (The Wireless Association), “There are more than 400 million connections in America, equal to 1.2 wireless devices for every person in the country.”1 This is a more than 100% penetration rate, since many users have more than one mobile device. Citizens of China, India, and the European Union (EU) have even greater mobile phone usage than the United States.
Mobile computing has vastly accelerated in popularity over the last decade. Several factors have contributed to this: improved network coverage, physically smaller devices, improved processing power, better price points, a move to next-generation operating systems (OS) such as Google's Android and Apple's iOS, and a more mobile workforce have fueled the proliferation of mobile devices.
Mobile devices include laptops, netbooks, tablet PCs, personal digital assistants (PDAs) like BlackBerry, and smartphones, such as Apple's iPhone and those based on Google's Android platform. What used to be simple cell phones are now small computers with nearly complete functionality, and some unique communications capabilities. These devices all link to an entire spectrum of public and private networks.
A report by IDC noted that “By 2020 mobile workers will account for nearly three-quarters (72.3 percent) of the US workforce.” This significant shift to mobile workers has gained momentum as mobile computing capabilities have improved.2
With these new types of devices and operating environments come new demands for information governance (IG) policies and unknown security risks.3 “The plethora of mobile computing devices flooding into the market will be one of the biggest ongoing security challenges [moving forward] …” the Digital Systems Knowledge Transfer Network, a UK think tank, found. “With mobile devices connecting to Wi-Fi and Bluetooth networks, there are suddenly many more opportunities [for hackers] to get in and steal personal information.”4
The rapid shift toward mobile computing means that companies with mobile personnel like salespeople and service technicians need to be aware of, and vigilant toward, these impending security threats, which can compromise confidential information.
Securing mobile devices is critical: a 2018 study conducted by Ponemon Institute found that data breaches average $3.86 million in direct costs, a more than 6% increase from 2017.5
The reality is that most mobile devices are not designed with security in mind; in fact, some compromises have been made to enable new smartphone operating systems, such as Google's Android OS, to run on a variety of hardware. This is analogous to the trade-offs Microsoft made when developing the Windows operating system to run across a variety of hardware designs from many PC manufacturers.
New techniques by rogue hackers include smishing, which is sending phishing text messages (Short Message Service [SMS], thus “smish”) to unwitting smartphone users, in an attempt to get them to reveal login credentials or to install malware. Smartphone virus infections are particularly difficult to detect and thorny to remove. A user may be unaware that all their data is being monitored and captured and that a hacker may be waiting for just the right time to use it. Businesses can suffer economic and other damage, such as erosion of information assets, or even negative goodwill from a damaged image.
The smartphone market is rapidly expanding with new developments almost daily, each providing criminals with a new opportunity. An International Data Corporation (IDC) report indicated that smartphone sales have outpaced PC sales since 2010, and in another report that nearly 1.5 billion smartphone devices were shipped in 2017.6 The growth in smartphone sales and new services from financial institutions—such as making deposits remotely by snapping a picture of a check—means that there are new and growing opportunities for fraud and identity theft.
Awareness and education are key. The first line of defense is for users to better understand cybercriminal techniques and to become savvier in their use of information and communications technologies. Holding regular security awareness training (SAT) sessions helps to reduce this risk. Using an entertaining, “gamified” approach, as some SAT suppliers have released, makes SAT training more engaging and fun, and helps employees to retain core concepts.
Biometric authentication technologies (those that use retina, voice, and fingerprint recognition) are mature enough to positively identify a user to ensure the correct person is accessing financial or confidential accounts. Biometric technologies for account access are much harder to hack than traditional passwords, although it is still possible using sophisticated techniques.
Application suppliers for mobile devices are first concerned about functionality and widespread adoption, so security is not their top priority. Users must be aware and vigilant to protect themselves from theft and fraud. On a corporate level, organizations must step up their training efforts in addition to adding layers of security technology to safeguard critical electronic documents and data and to protect information assets.
Social engineering—using various ways of fooling the user into providing private data—is the most common approach criminal hackers use, and it is on the rise. Machines do their job, and software performs exactly as it is programmed to do, but human beings are the weakest link in the security chain, and as usage trends in the direction of a more mobile and remote workforce, people need to be trained as to what threats exist, and constantly updated on new criminal schemes and approaches. This training is all part of an overall information governance (IG) effort, controlling who has access to what information, when, and from where.
With more and more sensitive business information being pushed out to mobile devices (e.g. financial spreadsheets, medical test results, business contracts, strategic plans, and the like) and advancing and evolving threats to the mobile realm, IG becomes an imperative; and the most important part of IG is that it is done on an ongoing basis, consistently and regularly. Policies must be reviewed when a new device starts to be utilized, when new threats are uncovered, as employees use unsecured public WiFi networks more and more, and as business operations change to include more and more mobile strategies. IT divisions must ensure their mobile devices are protected from the latest security risks, and users must regularly be apprised of changing security threats and new criminal approaches by hackers.
Mobile device management (MDM) is critical to securing confidential information assets and managing mobile devices. Some available MDM technologies can remotely wipe devices free of confidential documents and data, even after they are lost or stolen. They can also provide mass security patch updates. These types of utilities need to be deployed to protect an enterprise's information assets in the mobile environment.
Gartner expanded their definition of MDM, placing it under the umbrella of enterprise mobility management (EMM). While most IG and IT professionals focus mostly on finding robust MDM solutions, the supplier marketplace has started using the broader term of EMM.7 MDM solutions are more limited in scope; most EMM solutions include not only MDM but also Mobile App Management, Mobile Content Management, App Wrapping, Containerization, and other features. The focus is more on the information being secured rather than the device itself, as more and more information is stored in cloud services.
With the rapid pace of change in mobile computing, it is crucial to convey an understanding of trends, to better know what developments to anticipate and how to plan for them. When a new mobile device or operating system is released, the best thing may be to first wait to see what security threats pop up. It is important to understand the direction mobile computing usage and deployment are taking, in order to plan and develop IG policies to protect information assets.
From CIOZone.com, here are some top trends in mobile computing:
Considering their small size, mobile computing devices store a tremendous amount of data, and storage capacities are increasing with the continued shrinking of circuits and advancement in SSD technologies. Add to that the fact that they are highly portable and often unsecured and you have a vulnerable mix that criminals can target. Considering how often people lose or misplace their mobile devices daily, and what valuable targets they are for physical theft (this author had a laptop stolen in the Barcelona airport, right from under his nose!), the use of mobile devices represents an inherent security risk.
But they don't have to be lost or stolen to be compromised, according to Stanford University's guidelines, intended to help mobile computing device users protect the information the devices contain: “… intruders can sometimes gain all the access they need if the device is left alone and unprotected, or if data is ‘sniffed out of the air’ during wireless communications” (italics added).9 The devices can be compromised with the use of keystroke loggers, which capture every single entry a user makes. This can be done without the user having any knowledge of it. That means company passwords, confidential databases, and financial data (including personal and corporate credit card numbers) are all at risk.
The first and best way to protect confidential information assets is to remove confidential, unnecessary, or unneeded data from the mobile device. Confidential data should not be stored on the device unless explicit permission is given by the IT department, business unit head, or the IG Steering Committee to do so. This includes price lists, strategic plans, competitive information, photo images of corporate buildings or coworkers, protected health information (PHI), and financial data such as tax identification numbers, company credit card or banking details, and other confidential information.
If it is necessary for confidential or sensitive data to be stored on mobile devices, there are options to secure the data more tightly, like USB drives, flash drives, and hard drives that have integrated digital identity and cryptographic (encryption) capabilities.
Mobile device management (MDM), now sometimes conflated with the broader term enterprise mobility management, is software that helps organizations to remotely monitor, secure, and manage devices such as smartphones and tablet PCs.10 MDM improves security and streamlines enterprise management of mobile devices by providing ways to contact the remote devices individually or en masse to add, upgrade, or delete software, change configuration settings, and “wipe” or erase data, and make other security-related changes and updates. More sophisticated MDM offerings can manage not only homogenous company-owned mobile devices, but also those that employees use in the workplace in a bring-your-own-device (BYOD) environment.
The ability to control configuration settings and secure data remotely allows organizations to better manage and control mobile devices, which reduces the risk of data leakage, and reduces support costs by providing more uniformity and the ability to monitor and enforce company-dictated IG policy for mobile devices.
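The MDM capabilities described above (checking configuration settings, pushing patches, and wiping lost or stolen devices, with BYOD devices treated differently from company-owned ones) can be expressed as a small policy evaluator. The following is an added example, not code from the book or from any MDM product; the device records, policy thresholds, and action names are all assumptions for illustration.

```python
"""Added example (not from the book): a minimal MDM-style compliance check.

Evaluates a constructed device inventory against hypothetical IG policy rules
and returns the management action an MDM console would queue for each device:
enforce a configuration setting, push an OS update, or wipe the device.
"""
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    owner: str
    ownership: str            # "corporate" or "byod" (assumed categories)
    os_version: tuple         # e.g. (12, 1); tuples compare lexicographically
    encrypted: bool           # storage encryption enabled?
    passcode_set: bool        # device lock configured?
    reported_lost: bool = False


# Hypothetical policy values; in practice they come from the IG Steering Committee.
POLICY = {
    "min_os_version": (12, 0),
    "require_encryption": True,
    "require_passcode": True,
}


def evaluate(device: Device, policy: dict = POLICY) -> list:
    """Return the ordered list of actions to queue for one device ([] if compliant)."""
    actions = []
    # A lost or stolen device is handled first: once confidential data may be
    # in an attacker's hands, no other remediation matters.
    if device.reported_lost:
        # Corporate devices are erased entirely; on BYOD devices only the
        # managed (containerised) corporate data is removed.
        wipe = "full_wipe" if device.ownership == "corporate" else "container_wipe"
        return [wipe]
    if policy["require_encryption"] and not device.encrypted:
        actions.append("enforce_encryption")
    if policy["require_passcode"] and not device.passcode_set:
        actions.append("enforce_passcode")
    if device.os_version < policy["min_os_version"]:
        actions.append("push_os_update")
    # Any outstanding finding blocks access to corporate data until remediated,
    # so the non-compliant device cannot leak information in the meantime.
    if actions:
        actions.append("block_corporate_access")
    return actions


def evaluate_fleet(devices) -> dict:
    """Map device_id -> actions for every device that needs attention."""
    return {d.device_id: evaluate(d) for d in devices if evaluate(d)}


# Constructed sample inventory (not real devices).
FLEET = [
    Device("D1", "alice", "corporate", (12, 3), True, True),
    Device("D2", "bob", "byod", (11, 4), True, False),
    Device("D3", "carol", "corporate", (12, 0), False, True, reported_lost=True),
    Device("D4", "dave", "byod", (12, 1), True, True, reported_lost=True),
]

if __name__ == "__main__":
    for dev_id, acts in evaluate_fleet(FLEET).items():
        print(dev_id, "->", ", ".join(acts))
```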
Key vendors in the MDM marketplace include VMWare AirWatch, Apple (Profile Manager), Ivanti, BoxTone, Centrify, Citrix, Good Technology (acquired by BlackBerry), IBM (Endpoint Manager for Mobile Devices), Microsoft, MobileIron, SAP Afaria, Sophos, SOTI, and Symantec (Mobile Suite).
Rapid growth is expected in the MDM marketplace and the broader EMM market, which is estimated to grow to $2.2 billion by 2022, according to a 2017 study by Strategy Analytics.11 According to Gina Luk, author of the report, “The two leaders in this space are VMware AirWatch, with 19 percent, and BlackBerry/Good Technology, with 18 percent. However, MobileIron, Citrix and Microsoft all displayed strong signs of growth…. Even SAP, IBM, SOTI, Sophos, and Symantec are challenging the top players in this space for market share.” Luk went on to say, “Mobile security and growth in BYOD (bring your own devices) are primary drivers behind EMM adoption.”
EMM platforms are transitioning from “tactical device management tools to broader unified end-user computing management (UEM) platforms, crossing mobile devices, apps, and data, as well as traditional computing platforms such as laptops and PCs,” according to the reports.
Trends in Enterprise Mobility Management
Some major trends are clearly emerging in mobility management, including:
Stanford University's guidelines are a helpful foundation for IG of mobile devices. They are “relatively easy to implement and use and can protect your privacy” and safeguard data “in the event that the device becomes compromised, lost or stolen.”
Smartphones and Tablets
Portable Storage Devices
Laptops, Netbooks, Tablets, and Portable Computers
While it is a relatively new channel, mobile e-commerce is growing rapidly, and new software applications or apps are emerging for consumers as well as business and public sector enterprises. These apps are reducing business process cycle times and making the organizations more agile, more efficient, and more productive. There are some key strategies that can be used to build secure apps.
As is the case with any new online delivery channel, security is at the forefront for organizations as they rush to deploy or enhance mobile business apps in the fast-growing smartphone market. Their priorities are different from those of the software developers churning out apps.
In the banking sector, initially many mobile apps limited customers to a walled off set of basic functions—checking account balances and transaction histories, finding a branch or ATM location, and initiating transfers—but “a new wave of apps is bringing person-to-person payments, remote deposit capture and bill pay to the mobile channel. Simply, the apps are getting smarter and more capable. But with those capabilities comes the potential for greater threats” (italics added).16
Security experts state that most of the challenges that could result from mobile fraud have not been seen before. Mobile e-commerce is relatively new and has not been heavily targeted—yet. Industrial espionage and the theft of trade secrets by targeting mobile devices are also going to be on the rise and the focus of rogue competitive intelligence-gathering organizations. So user organizations have to be even more proactive, systematic, and diligent in designing and deploying mobile apps than they were with web-based apps.
Software developers of mobile apps necessarily seek the widest audience possible, so they often deploy them across multiple platforms (e.g. Apple's iOS, Google's Android, TCL Communication's BlackBerry, and others) and this forces some security trade-offs: enterprises have to build apps for the “strengths and weaknesses intrinsic to every device, which adds to the security challenges” (italics added).17
A side effect of mobile app development efforts from the user perspective is that it can reshape the way they interact with core information management (IM) applications within the enterprise.
The back-office IM systems such as accounting, customer relationship management (CRM), human resources, and other enterprise apps that are driving online and mobile are the same as before, but the big difference comes in how stakeholders including employees, customers, and suppliers, are interacting with the enterprise. In the past, when deploying basic online applications for browser access, there was much more control over the operating environment; whereas with newer mobile applications running on smartphones and tablets, that functionality has been pushed out to the end-user device.
The list of threats to mobile apps is growing, and existing threats are, in general, poorly understood. Mobile commerce by downloadable app is still a relatively new phenomenon, so the current list of threats is neither complete nor well understood. This does not mean the threat is not real; the exposure may come from other aspects related to the app, such as the unsecured network users are on or an infection of some sort on the device itself.
For mobile apps, antivirus protection is not the focus as it is in the PC world; the security effort mostly focuses on keeping malware off the device itself by addressing secure software development methods and network vulnerabilities. Surely, new types of attacks on mobile devices will continue to be introduced (like smishing). That is the one thing that can be counted on.
There have been some high-profile examples of mobile devices being compromised. In 2017, it was reported that White House Chief of Staff John Kelly had been using a compromised smartphone for several months. Wired magazine reported that, “The breach was apparently discovered over the summer, when Kelly gave the smartphone to White House tech support after having problems with it and struggling to successfully run software updates.”18 This is more common than one would think. Often we do not know our smartphones have been compromised until the device stops working because of the hack.
Incidents like this and many others make it imperative to understand the mobile app marketplace itself in order that effective IG policies and controls may be developed, deployed, and enforced. Simply knowing how Google has approached soliciting app development is key to developing an IG strategy for Android devices. Their relative open-door approach initially meant that almost anyone could develop and deploy an app for Google Android. While the open-door policy has evolved somewhat to protect Android users, it is still quite easy for any app developer—well-intentioned or malicious—to release an app to the Android Marketplace. This can pose a risk to end users, who sometimes cannot tell the difference between a real app released by a bank and a banking app built by a third party, which may be fraudulent. Apple has taken a more prudent and measured approach by enforcing a quality-controlled approval process for all apps released to its iTunes App Store. Sure, it slows development, but it also means apps will be more thoroughly tested and secure.
Both approaches, Android and Apple, have their positives and negatives for Google and Apple, and for their users. But clearly, Apple's more curated and quality-controlled approach is better from a security risk standpoint.
Understanding the inherent strengths and, perhaps more important, weaknesses of specific mobile hardware devices and operating systems—and their interaction with each other—is key when entering the software design phase for mobile apps.
It's a different development environment altogether. Windows programmers will experience a learning curve. Mobile apps under Android or Apple operating systems operate in a more restricted and less transparent file management environment.
Bearing that in mind—regardless of the mobile OS—first ensure that data is secured, and then check the security of the application itself. That is, practice good information technology (IT) governance to ensure that the software source code is also secure. Malicious code can be inserted into the program and once it is deployed the hackers will have an easy time stealing confidential data or documents.
As organizations deploy mobile apps, they must make choices, given the limited or confined software development environment and the need to make agile, intuitive apps that run fast so that users will adopt them. To ensure that a mobile offering is secure, many businesses are limiting their apps’ functionality. So stakeholder users get mobile access that they didn't have before, and a new interface with new functionality, but it is not possible to offer as much functionality as in web apps. And more security means some sacrifices and choices will need to be made versus speed and innovative new features.
Some of the lessons learned in the deployment of online Web apps still apply to mobile apps. Hackers are going to try social engineering like phishing (duping the user into providing access or private information), smishing, and assuming the identity of an account holder, bank, or business. They will also attempt man-in-the-middle attacks where data is “sniffed” out of the air during wireless transmission.
With mobile applications, the most common mode of operation is running the app directly on a mobile device such as a smartphone. This is a key difference between apps and traditional PC-based interfaces that rely on browser access or on basic mobile phone text messaging. Connecting to a business via an app can be more secure than relying on a browser or texting platform, which requires an additional layer of software (e.g. the browser, texting platform, or WiFi connection) to execute sensitive tasks. These security vulnerabilities can compromise the safety of information transmitted to a secure site. Thankfully, if the app is developed in a secure environment, it can be entirely self-contained, and the opportunity to keep mobile data secure is greatest when using the app as opposed to a browser-based platform.
This is because a mobile app provides a direct connection between the user's device and the business, governmental agency, or e-commerce provider. Some security experts believe that mobile apps potentially could be more secure because they can communicate on an app-to-app (or computer-to-computer) level, as opposed to browser-based access on a PC.
In fact, “a customer using a bank app on a mobile network might just be safer than a customer accessing online banking on a PC using an open Wi-Fi connection” that anyone can monitor.19
How do you combat this browser-based vulnerability if it is required to access an online interface? The most effective and simplest way to counter security threats in the PC-based browser environment and to eliminate man-in-the-browser or man-in-the-middle attacks is to use two different devices, rather than communicate over a standard Internet connection. This approach can be built into IG guidelines.
Consider this: mobile apps can render greater security. For example, do you receive alerts from your bank when hitting a low balance threshold? Or a courtesy e-mail when a transaction is posted? Just by utilizing these types of alerts—and they can be applied to any type of software application beyond banking—tech-savvy users can serve as an added layer of protection themselves. If they receive an alert of account activity regularly, they may be able to identify fraudulent activity immediately and act to counter it and stop it in its tracks, limiting the damage, and potential exposure of additional private data or confidential information assets.
Mobile computing is not going away; it is only going to increase in the future. Most businesses and governments are going to be forced to deploy mobile apps to compete and provide services customers will require. There is the potential for exposure of confidential data and e-documents, but this does not mean that organizations must shy away from deploying mobile apps.20 There are some proven best practice approaches, which can help to ensure that mobile apps are secure.
There are some steps that can be taken to improve security—although there can never be any guarantees—and some of these should be folded into IG guidelines in the policy development process. BankTech magazine identified six best practices that can shape an organization's app development process:
Where do you start? Developing a comprehensive mobile strategy is key before you craft your mobile device policies. You will need input from a variety of stakeholders, and you will need to understand where mobile devices fit in your overall technology infrastructure and strategy. Here are some best practices for developing your mobile device policies:22