CHAPTER 14

Information Governance for Mobile Devices*

The use of mobile devices is ubiquitous in today's society. According to CTIA (the Wireless Association), over 326 million mobile devices were in use within the United States as of December 2012.1 This is a more than 100 percent penetration rate, since many users have more than one mobile device, and usage continues to grow. Citizens of China, India, and the European Union (EU) have even greater mobile phone usage than those in the United States.

Mobile computing has vastly accelerated in popularity over the last decade. Several factors have contributed to this: Improved network coverage, physically smaller devices, improved processing power, better price points, a move to next-generation operating systems (OSs) such as Google's Android and Apple's iOS, and a more mobile workforce have fueled the proliferation of mobile devices.

Mobile devices include laptops, netbooks, tablet PCs, personal digital assistants (PDAs) such as BlackBerries, and smartphones such as Apple's iPhone and those based on Google's Android platform. What used to be simple cell phones are now small computers with nearly complete functionality and some unique communications capabilities. These devices all link to an entire spectrum of public and private networks.

Gartner has estimated that “by 2016, 40 percent of the global workforce will be mobile, with 67 percent of workers using smartphones”2 (emphasis added).

With these new types of devices and operating environments come new demands for information governance (IG) policies and unknown security risks.3 The Digital Systems Knowledge Transfer Network, a UK think tank, found: “The plethora of mobile computing devices flooding into the market will be one of the biggest ongoing security challenges [moving forward].” “With mobile devices connecting to Wi-Fi and Bluetooth networks, there are suddenly many more opportunities [for hackers] to get in and steal personal information.”4

Due to this rapid shift toward mobile computing, companies with mobile personnel, such as salespeople and service technicians, need to be aware of and vigilant toward these impending security threats, which can compromise confidential information.

Securing mobile devices is critical: A survey by Aberdeen Group, an IT research and analysis firm, estimates that data leakage or loss can cost an organization anywhere from $10,600 to over $400,000.5

The reality is that most mobile devices are not designed with security in mind; in fact, some compromises have been made to enable new smartphone operating systems to run on a variety of hardware, such as the Android OS from Google. This is analogous to the trade-offs Microsoft made when developing the Windows OS to run across a variety of hardware designs from many PC manufacturers.

Smartphone virus infections are particularly difficult to detect and thorny to remove. Users may be unaware that all their data is being monitored and captured and that a hacker is waiting for just the right time to use it. Businesses can suffer economic and other damage, such as erosion of information assets or even negative goodwill from a damaged image.

The smartphone market is rapidly expanding with new developments almost daily, each providing criminals with a new opportunity. An International Data Corporation report indicated that “smartphone sales outpaced PC sales for the first time ever in the fourth quarter of 2010, with 100.9 million smartphones shipped versus 92.1 million PCs” (emphasis added).6 The growth in smartphone sales and new services from banks—such as making deposits remotely by snapping a picture of a check—means that there are new and growing opportunities for fraud and identity theft.

Awareness and education are key. The first line of defense is for users to better understand cybercriminal techniques and to become savvier in their use of information and communications technologies.

A large part of the battle will be won when biometric authentication technologies (those that use retina, voice, and fingerprint recognition) are mature enough to positively identify a user to ensure the correct person is accessing financial or confidential accounts. Application suppliers are first concerned about functionality and widespread adoption; security is not their top priority. Users must be aware and vigilant to protect themselves from theft and fraud. On a corporate level, organizations must step up their training efforts in addition to adding layers of security technology to safeguard critical electronic documents and data and to protect information assets.

Social engineering—using various ways of fooling the user into providing private data—is the most common approach criminal hackers use, and it is on the rise. Machines do their job, and software performs exactly as it is programmed to do, but human beings are the weakest link in the security chain. As usage trends in the direction of a more mobile and remote workforce, people need to be trained as to what threats exist and constantly updated on new criminal schemes and approaches. This training is all part of an overall IG effort, controlling who has access to what information, when, and from where.

With more and more sensitive business information being pushed out to mobile devices (e.g., financial spreadsheets, business contracts, strategic plans, etc.) and advancing and evolving threats in the mobile realm, IG becomes an imperative; and the most important part of IG is that it is done on an ongoing basis, consistently and regularly. Policies must be reviewed when a new mobile device starts to be utilized, when new threats are uncovered, as employees use unsecured public Wi-Fi networks more and more, and as business operations change to include more and more mobile strategies. Information technology (IT) divisions must ensure their mobile devices are protected from the latest security risks, and users must regularly be apprised of changing security threats and new criminal approaches by hackers.

Mobile device management (MDM) is critical to secure confidential information assets and managing mobile devices. Some available technologies can wipe devices free of confidential documents and data remotely, even after they are lost or stolen. These types of utilities need to be deployed to protect an enterprise's information assets.

Current Trends in Mobile Computing

With the rapid pace of change in mobile computing, it is crucial to convey an understanding of trends, to better know what developments to anticipate and how to plan for them. When a new mobile device or operating system is released, the best thing may be to wait to see what security threats pop up. It is important to understand the direction mobile computing usage and deployment are taking in order to plan and develop IG policies to protect information assets.

From CIOZone.com, here are the top trends in mobile computing:

  1. Long Term Evolution (LTE). The so-called fourth generation of mobile computing (4G) is expected to be rolled out across North America over the next several years [2013–2015], making it possible for corporate users to run business applications on their devices simultaneously with Voice over IP (VoIP) capabilities.
  2. WiMax [Worldwide Interoperability for Microwave Access]. As LTE and WiMax networks are deployed in the U.S. through [2013 and beyond], expect to see more netbooks and laptops equipped with built-in radio frequency identification (RFID) and wireless support. [WiMax is a protocol for communications that provides up to 40 megabits/second speeds (much faster than Wi-Fi) for fixed and mobile Internet access. The next IEEE 802.16m update will push the speed to up to 1 gigabit/second fixed speeds.]
  3. 3G and 4G interoperability. Sprint has developed a dual mode card which will enable mobile device users to work on both 3G and 4G networks. Other carriers are expected to follow suit.
  4. Smartphone applications. Third-party software vendors will increasingly make enterprise applications available for smartphones, including inventory management, electronic medical records management, warehousing, distribution and even architectural and building inspection data for the construction industry.
  5. GPS. Global Positioning Systems (GPS) will increasingly be used to identify end users by their whereabouts and also to analyze route optimization for delivery workers and service technicians.
  6. Security. As new and different types of mobile devices are introduced, corporate IT departments will find it increasingly challenging to identify and authenticate individual end users. As such, expect to see a combination of improvements in both Virtual Private Network (VPN) software and hardware-based VPNs to support multiple device types.
  7. Antivirus. As more third-party business applications are made available on smartphones and other mobile devices, CIOs [chief information officers] will also have to be cognizant about the potential for viruses and worms.
  8. Push-button applications. Let's say a waste disposal truck arrives at an industrial site and is unable to empty a Dumpster because a vehicle is blocking its path. Smartphones will increasingly have applications built into them that would make it possible for the disposal truck driver to photograph the impeding object and route the picture to a dispatcher to document and time-stamp the obstruction.
  9. Supplemental broadband. As carriers implement LTE and WiMax networks, companies such as Sprint and Verizon are looking at potentially extending wireless broadband capabilities to small businesses which don't have fiber optic or copper connections on the ground. Under this scenario, a small packaging company in New Jersey could potentially be able to receive T-1 level (high-speed) broadband capabilities in regions of the U.S. where it has offices but doesn't have wireline broadband connections.
  10. Solid State Drives (SSDs). Corporate customers should expect to see continued improvements in the controllers and firmware built into SSDs in order to improve the longevity of the write cycles in notebooks.7

Security Risks of Mobile Computing

Considering their small size, mobile computing devices store a tremendous amount of data, and storage capacities are increasing with the continued shrinking of circuits and advancement in SSD technologies. Add to that the fact that they are highly portable and often unsecured and you have a vulnerable mix that criminals can target. Considering how often people lose or misplace their mobile devices daily, and what valuable targets they are for physical theft (this author had a laptop stolen in the Barcelona airport, right from under his nose), it is clear that the use of mobile devices represents an inherent security risk.

But they do not have to be lost or stolen to be compromised, according to Stanford University's guidelines, which are intended to help mobile computing device users protect the information the devices contain. “Intruders can sometimes gain all the access they need if the device is left alone and unprotected, or if data is ‘sniffed out of the air’ during wireless communications”8 (emphasis added). The devices can be compromised with the use of keystroke loggers that capture every single entry a user makes. This can be done without the user having any knowledge of it. That means company passwords, confidential databases, and financial data (including personal and corporate credit card numbers) are all at risk.

Securing Mobile Data

The first and best way to protect confidential information assets is to remove confidential, unnecessary, or unneeded data from the mobile device. Confidential data should not be stored on the device unless explicit permission is given by the IT department, business unit head, or the IG board to do so. This includes price lists, strategic plans, competitive information, photo images of corporate buildings or coworkers, and financial data such as tax identification numbers, company credit card or banking details, and other confidential information.

If it is necessary for sensitive data to be stored on mobile devices, there are options to secure the data more tightly, using USB drives, flash drives, and hard drives that have integrated digital identity and cryptographic (encryption) capabilities.

Mobile Device Management

MDM software helps organizations to remotely monitor, secure, and manage devices such as smartphones and tablet PCs.9 MDM improves security and streamlines enterprise management of mobile devices by providing ways to contact the remote devices individually or en masse to add, upgrade, or delete software, change configuration settings, and “wipe,” or erase, data, and make other security-related changes and updates. More sophisticated MDM offerings can manage not only homogenous company-owned mobile devices but also those that employees use in the workplace in a bring-your-own-device (BYOD) environment.

The ability to control configuration settings and secure data remotely allows organizations to better manage and control mobile devices, which reduces the risk of data leakage and reduces support costs by providing more uniformity and the ability to monitor and enforce company-dictated IG policy for mobile devices.

Key vendors in the MDM marketplace include AirWatch, Apple (Profile Manager), AppSense, BoxTone, Centrify, Citrix, Good Technology, IBM (Endpoint Manager for Mobile Devices), LANDesk, MobileIron, SAP (Afaria MDM), and Symantec (Mobile Management Suite).

Rapid growth is expected in the MDM marketplace, with Gartner projecting that nearly two-thirds of organizations will deploy MDM software by 2018.10 And Frost & Sullivan projects that “the market for enterprise MDM will grow from $178.6 million in 2011 to $712.4 million by 2018.”11

Trends in MDM

Six key trends in the MDM marketplace are discussed next.

  1. MDM software expansion and maturity. Many experts believe that MDM will develop and reach beyond just mobile endpoints to include deep integration with mobile infrastructure and applications (apps).12 What is important is securing and authenticating data. To ensure that, MDM must expand beyond remote device locking, tracking, and wiping. A more comprehensive life cycle management approach will emerge beginning with the acquisition or introduction of the device into the enterprise network until its retirement or destruction. In addition, monitoring and controlling costs through integrated expense management will likely occur.
  2. Consolidation of MDM major players. Acquisitions by Citrix, Good Technology, and others signal that fewer but stronger market leaders are likely to emerge.
  3. Cloud-based MDM. This will become the norm, not the exception, and it will happen quite rapidly.
  4. Emphasis on mobile device policy. Technology can do only so much—an organization must have its IG policies, processes, and audit practices formalized, tested, and monitored. The IT department must have clear direction on which data and devices to monitor and secure, and employee rights and responsibilities must be clearly delineated and communicated.
  5. Diversifying and expanding mobile monitoring and security. This means that MDM may go beyond today's mobile devices and include remote instruments and machines that are churning out data in applications, such as process management, transportation management, and enterprise resource management.
  6. Infrastructure consolidation. The currently disparate pieces, including social computing, mobile computing, and cloud computing, may consolidate and become the new construct for the infrastructure paradigm. This means that tools will emerge to manage all these pieces in a centralized and holistic way.

IG for Mobile Computing

Stanford University's guidelines are a helpful foundation for IG of mobile devices. They are “relatively easy to implement and use and can protect your privacy” and safeguard data “in the event that the device becomes compromised, lost or stolen.”13

Smartphones and Tablets

  • Encrypt communications. For phones that support encrypted communication (secure sockets layer [SSL], virtual private network [VPN], hypertext transfer protocol secure [https]), always configure defaults to use encryption.
  • Encrypt storage. Phones approved to access confidential information assets must encrypt their bulk storage with hardware encryption.
  • Password protect. Configure a password to gain access to and/or use the device. Passwords for devices that access confidential information assets should be at least seven characters in length and use upper- and lowercase letters as well as some numerical characters. Passcodes should be changed every 30 days.
  • Timeout. Set the device so that it is locked after a period of idleness or timeout, perhaps as short as a few minutes.
  • Update. Keep all system and application patches up to date, including mobile OSs and installed applications. This allows for the latest security measures and patches to be installed to counter ongoing threats.
  • Protect from hacking. Phones approved to access confidential and restricted data must not be jailbroken (hacked to gain privileged access on a smartphone using the Apple iOS) or rooted (typically refers to jailbreaking on a smartphone running the Android OS). The process of rooting varies widely by device. It usually includes exploiting a security weakness in the firmware shipped from the factory. “‘Jailbreaking’ and ‘rooting’ removes the manufacturer's protection against malware.”
  • Manage. Phones approved to gain access to confidential information assets must be operating in a managed environment to maintain the most current security and privacy settings, and monitor use for possible attacks.
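One way to turn these smartphone and tablet guidelines into a repeatable check over a device inventory, as an added example that is not from the book or from Stanford's guidelines. The inventory record fields are assumed (an MDM export would name them differently), as are the 5-minute idle-lock and 30-day patch-age thresholds, since the text only says "a few minutes" and "up to date"; the 7-character passcode and 30-day rotation values come from the guideline itself.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Thresholds from the guideline text; the idle-lock and patch-age values are
# assumed, since the text only says "a few minutes" and "up to date".
MIN_PASSCODE_LEN = 7
MAX_PASSCODE_AGE_DAYS = 30
MAX_IDLE_LOCK_MINUTES = 5
MAX_PATCH_AGE_DAYS = 30


@dataclass
class DeviceRecord:
    """One row of a constructed device inventory; the field names are assumed."""
    device_id: str
    accesses_confidential: bool        # approved for confidential information assets
    encrypted_transport_default: bool  # SSL/VPN/HTTPS configured as the default
    storage_encrypted: bool            # hardware bulk-storage encryption enabled
    passcode_set: bool
    passcode_length: int               # minimum length enforced by device policy
    passcode_mixed_case: bool
    passcode_has_digit: bool
    passcode_last_changed: date
    idle_lock_minutes: int             # 0 means the device never auto-locks
    last_patch_applied: date
    jailbroken_or_rooted: bool
    mdm_managed: bool


def passcode_meets_policy(length: int, mixed_case: bool, has_digit: bool) -> bool:
    """At least seven characters with upper- and lowercase letters and some digits."""
    return length >= MIN_PASSCODE_LEN and mixed_case and has_digit


def check_device(rec: DeviceRecord, today: date) -> List[str]:
    """Return the guideline violations for one device; an empty list means compliant."""
    violations: List[str] = []

    # Rules that apply to every phone or tablet.
    if not rec.encrypted_transport_default:
        violations.append("encrypt communications: SSL/VPN/HTTPS not the default")
    if not rec.passcode_set:
        violations.append("password protect: no passcode configured")
    if rec.idle_lock_minutes <= 0 or rec.idle_lock_minutes > MAX_IDLE_LOCK_MINUTES:
        violations.append("timeout: idle lock missing or longer than a few minutes")
    if today - rec.last_patch_applied > timedelta(days=MAX_PATCH_AGE_DAYS):
        violations.append("update: OS and application patches not current")

    # Stricter rules for devices approved to access confidential information assets.
    if rec.accesses_confidential:
        if not rec.storage_encrypted:
            violations.append("encrypt storage: bulk storage not hardware-encrypted")
        if rec.passcode_set and not passcode_meets_policy(
                rec.passcode_length, rec.passcode_mixed_case, rec.passcode_has_digit):
            violations.append("password protect: passcode weaker than 7 chars, mixed case, digits")
        passcode_age = today - rec.passcode_last_changed
        if rec.passcode_set and passcode_age > timedelta(days=MAX_PASSCODE_AGE_DAYS):
            violations.append("password protect: passcode not changed within 30 days")
        if rec.jailbroken_or_rooted:
            violations.append("protect from hacking: device is jailbroken or rooted")
        if not rec.mdm_managed:
            violations.append("manage: device not in a managed (MDM) environment")
    return violations


def compliance_report(inventory: List[DeviceRecord], today: date) -> Dict[str, List[str]]:
    """Map each device id to its violations so non-compliant devices can be triaged."""
    return {rec.device_id: check_device(rec, today) for rec in inventory}


def noncompliant_ids(inventory: List[DeviceRecord], today: date) -> List[str]:
    """Device ids that fail at least one guideline, sorted for stable reporting."""
    return sorted(dev for dev, v in compliance_report(inventory, today).items() if v)


# Constructed sample inventory (not real devices): one compliant executive phone,
# one confidential-approved phone with several problems, one unmanaged loaner tablet.
TODAY = date(2013, 6, 1)
SAMPLE_INVENTORY = [
    DeviceRecord("exec-phone-01", True, True, True, True, 8, True, True,
                 date(2013, 5, 15), 2, date(2013, 5, 28), False, True),
    DeviceRecord("sales-phone-07", True, True, False, True, 4, False, True,
                 date(2013, 3, 1), 15, date(2013, 5, 30), True, False),
    DeviceRecord("loaner-tablet-03", False, False, False, False, 0, False, False,
                 date(2013, 1, 1), 0, date(2013, 2, 1), False, False),
]

if __name__ == "__main__":
    for dev, problems in compliance_report(SAMPLE_INVENTORY, TODAY).items():
        status = "COMPLIANT" if not problems else f"{len(problems)} violation(s)"
        print(f"{dev}: {status}")
        for p in problems:
            print(f"  - {p}")
```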

Portable Storage Devices

These include thumb drives or memory sticks, removable hard drives, and even devices like iPods that are essentially mobile disc storage units with extra bells and whistles.

  • Create a user name and password to protect the device from unauthorized access—especially if lost or stolen.
  • Utilize encryption to protect data on devices used to store and/or transport confidential information assets.
  • Use additional levels of authentication and management for accessing the device, where possible.
  • Use biometric identification to authenticate users, where possible.

Laptops, Netbooks, Tablets, and Portable Computers

  • Password protect. This is the most basic protection, yet it is often not used. Create a user name and password to protect the device from unauthorized access; require that they are entered each time the computer is used.
  • Timeout. Require that the password is reentered after a timeout period for the screensaver.
  • Encrypt. Laptops, notebooks, or tablets used to access confidential information assets should be required to be encrypted with whole disk encryption.
  • Secure physically. Physical locks should be used “whenever the system is in a stationary location for extended periods of times.”

Building Security into Mobile Applications

While it is a relatively new channel, mobile electronic commerce (e-commerce) is growing rapidly, and new software apps are emerging for consumers as well as business and public sector enterprises. These apps are reducing business process cycle times and making the organizations more agile, more efficient, and more productive. Some key strategies can be used to build secure apps.

As is the case with any new online delivery channel, security is at the forefront for organizations as they rush to deploy or enhance mobile business apps in the fast-growing smartphone market. Their priorities are different from those of the software developers churning out apps.

In the banking sector, initially many mobile apps limited customers to a walled-off set of basic functions—checking account balances and transaction histories, finding a branch or automated teller machine location, and initiating transfers—but “a new wave of apps is bringing person-to-person payments, remote deposit capture and bill pay to the mobile channel. Simply, the apps are getting smarter and more capable. But with those capabilities comes the potential for greater threats”14 (emphasis added).

Security experts state that the majority of the challenges that could result from mobile fraud have not been seen before. Mobile e-commerce is relatively new and has not been heavily targeted—yet. But industrial espionage and the theft of trade secrets by targeting mobile devices is going to be on the rise and the focus of rogue competitive intelligence-gathering organizations. User organizations have to be even more proactive, systematic, and diligent in designing and deploying mobile apps than they did with Web-based apps.

Software developers of mobile apps necessarily seek the widest audience possible, so they often deploy them across multiple platforms, which forces some security tradeoffs: Enterprises have to build apps for the “strengths and weaknesses intrinsic to every device, which adds to the security challenges” (emphasis added).

A side effect of mobile app development efforts from the user perspective is that it can reshape the way users interact with core information management (IM) applications within the enterprise.

The back-office IM systems, such as accounting, customer relationship management, human resources, and other enterprise apps that are driving online and mobile, are the same as before, but the big difference comes in how stakeholders (employees, customers, and suppliers) are interacting with the enterprise. In the past, when deploying basic online applications for browser access, there was much more control over the operating environment; with newer mobile applications running on smartphones and tablets, that functionality has been pushed out to end user devices.

Real Threats Are Poorly Understood

The list of threats to mobile apps is growing, and existing threats are poorly understood, in general. They are just too new, because mobile commerce by downloadable app is a relatively new phenomenon—the Apple iTunes App Store and the Android Marketplace debuted in the second half of 2008. “But that doesn't mean the threat isn't real—even if the app itself is not the problem.” The problem could be the unsecure network users are on or a device infection of some sort.

For mobile apps, antivirus protection is not the focus as it is in the PC world; the security effort mostly focuses on keeping malware off the device itself by addressing software development methods and network vulnerabilities. Surely, new types of attacks on mobile devices will continue to be introduced. That is the one thing that can be counted on.

There already have been some high-profile examples of mobile devices being compromised. For example, in 2010:

New York–based Citibank's iPhone app was found to be storing customers' [private] data on their phones, with obvious privacy implications [and exposing it to theft and fraud]. Meanwhile, Google (New York) has had to pull a number of apps from the Android Marketplace built by an anonymous [criminal] developer who was creating fake bank apps [with realistic and usable features] that attempted to exploit information on users' devices to commit banking and [credit] card fraud.

There are many more examples, but the cited incidents make it imperative to understand the mobile app marketplace itself in order that effective IG policies and controls may be developed, deployed, and enforced. Simply knowing how Google has approached soliciting app development is key to developing an IG strategy for Android devices. Google's relatively open-door approach initially meant that almost anyone could develop and deploy an app for Google Android. Although the policy has evolved somewhat to protect Android users, it is still quite easy for any app developer—well intentioned or malicious—to release an app to the Android Marketplace. This in itself can pose a risk to end users, who sometimes cannot tell the difference between a real app released by a bank and a banking app built by a third party, which may be fraudulent. Apple has taken a more prudent and measured approach by enforcing a quality-controlled approval process for all apps released to its iTunes App Store. Sure, it slows development, but it also means apps will be more thoroughly tested and secure.

Both approaches have their positives and negatives for the companies and for the device users. But clearly, Apple's curated and quality-controlled approach is better from a security risk standpoint.

Understanding the inherent strengths and, perhaps more important, weaknesses of specific mobile hardware devices and OS—and their interaction with each other—is key when entering the software design phase for mobile apps.

The development environment is altogether different. Windows programmers will experience a learning curve. Mobile apps under Android or Apple OS operate in a more restricted and less transparent file management environment.

Bearing that in mind—regardless of the mobile OS—first ensure that data is secured, and then check the security of the application itself. That is, practice good IT governance to ensure that the software source code is also secure. Malicious code can be inserted into the program; once it is deployed, hackers will have an easy time stealing confidential data or documents.

Innovation versus Security: Choices and Trade-offs

As organizations deploy mobile apps, they must make choices, given the limited or confined software development environment and the need to make agile, intuitive apps that run fast so users will adopt them. To ensure that a mobile offering is secure, many businesses are limiting their apps' functionality. So stakeholder users get mobile access that they didn't have before and a new interface with new functionality, but it is not possible to offer as much functionality as in Web apps. And more security means some sacrifices and choices will need to be made versus speed and innovative new features.

Some of the lessons learned in the deployment of online Web apps still apply to mobile apps. Hackers are going to try social engineering like phishing (duping users into providing access or private information) and assuming the identity of an account holder, bank, or business. They will also attempt man-in-the-middle attacks. (More on that topic soon).

With mobile applications, typically the app is operated directly on a mobile device, such as a smartphone. This is a key difference between apps and traditional PC-based interfaces that rely on browser access or using basic mobile phone text messaging. Connecting to a business via app can be more secure than relying on a browser or texting platform, which require an additional layer of software (e.g., the browser, texting platform, or Wi-Fi connection) to execute sensitive tasks. These security vulnerabilities can compromise the safety of information transmitted to a secure site. Thankfully, if the app is developed in a secure environment, it can be entirely self-contained, and the opportunity to keep mobile data secure is greatest when using the app as opposed to a browser-based platform.

This is because a mobile app provides a direct connection between the user's device and the business, governmental agency, or e-commerce provider. Some security experts believe that mobile apps potentially could be more secure than browser-based access from the desktop because they can communicate on an app-to-app (or computer-to-computer) level.

In fact, “a customer using a bank app on a mobile network might just be safer than a customer accessing online banking on a PC using an open Wi-Fi connection” that anyone can monitor.

How do you combat this browser-based vulnerability if it is required to access an online interface? The most effective and simplest way to counter security threats in the PC-based browser environment and to eliminate man-in-the-browser or man-in-the-middle attacks is to use two different devices rather than communicate over a standard Internet connection. This approach can be built into IG guidelines.

Consider this: Mobile apps actually can bring about greater security. For example, do you receive alerts from your bank when hitting a low-balance threshold? Or a courtesy e-mail when a transaction is posted? Just by utilizing these types of alerts—and they can be applied to any type of software application beyond banking—tech-savvy users themselves can serve as an added layer of protection. If they receive an alert of account activity regularly, they may be able to identify fraudulent activity immediately and take action to counter it and stop it in its tracks, limiting the damage and potential exposure of additional private data or confidential information assets.

Best Practices to Secure Mobile Applications

Mobile computing is not going away; it is only going to increase in the future. Most businesses and governments are going to be forced to deploy mobile apps to compete and provide services customers will require. There is the potential for exposure of confidential data and e-documents, but this does not mean that organizations must shy away from deploying mobile apps.15 Some proven best practice approaches can help to ensure that mobile apps are secure.

Some steps can be taken to improve security—although there can never be any guarantees—and some of these should be folded into IG guidelines in the policy development process. BankTech magazine identified six best practices that can shape an organization's app development process:

  1. Make sure your organization or outside development firm uses seasoned application developers who have had secure-coding training and use a secure software development life cycle (SDLC).
  2. [Developed for banking apps, this approach can be applied to other vertical apps too.] Follow the guidance suggested by the Federal Deposit Insurance Corp. (FDIC FIL-103-2005) regarding authentication in an Internet banking environment. The guidance describes enhanced authentication methods, such as multifactor authentication, that regulators expect banks to use when authenticating the identity of customers using the bank's online products and services.
  3. Make sure that the customer (or employee) is required to re-enter his or her credentials after a certain time period to prevent someone other than the mobile device's owner from obtaining access to private account information.
  4. Hire an information security expert to assess the security around your mobile application servers. Unfortunately, an organization's servers are often overlooked during a risk assessment, as they require a specialized skill set to test them.
  5. Encrypt sensitive data that is stored on a mobile device and account data that travels from the handset across the Internet. Ensure that the encryption is implemented properly.
  6. Hire a security expert to test the security of a mobile application before you implement it across your customer base.16 (Emphasis added throughout.)

Developing Mobile Device Policies

Where do you start? Developing a comprehensive mobile strategy is key before you craft your mobile device policies. You will need input from a variety of stakeholders, and you will need to understand where mobile devices fit in your overall technology infrastructure and strategy. Here are some best practices for developing your mobile device policies.

  1. Form a cross-functional mobility strategy team. You will need the input of primary stakeholder groups, including IT, field business units, and human resources (for policy creation and distribution). Your strategy development process should also tap into the expertise of your risk management, compliance, records management, and legal departments. The aim will be to balance risks and benefits to improve employee productivity and guard against risk while focusing on the goals and business objectives of the organization.17
  2. Clarify goals for your mobile strategy. Start your discussion with the big picture, the “30,000 foot view” of the business drivers, challenges, threats, and opportunities that mobile computing provides in today's technology context and your business context. Draw a direct line from your mobile business needs to your planned mobile support strategy and infrastructure. Keep your business goals in mind and link them to the discussion.
  3. Drill down into policy requirement details. You may want to survey other existing mobile device policies to inform your mobility strategy team. Those from peer organizations and competitors will be most relevant. Then start with the basics: which types of devices and OS make sense for your organization to support, what changes and trends are occurring in the technology marketplace, which sensitive e-documents and data you must protect (or disallow) on mobile devices, and what available security technologies (e.g. MDM, mobile VPNs, encryption, information rights management) you might deploy. It may be helpful to segment your mobile users into broad categories, and break out a list of their specific business needs related to mobile computing. Your strategy and policies for executives will be somewhat different than those for users in field business units. And you will need BYOD policies if your organization opts to go this route.
  4. Budgeting and expense control. Is the organization going to buy devices and pay all mobile expenses through direct billing each month? What cost controls need to be in place? Or will mobile device use expenses be reimbursed by a flat rate or by processing expense reports? What about BYOD? Roaming charge limits? Decisions on the financial and cost control aspects of mobile computing use must be made by your mobility policy team, under the guidance of an executive sponsor.
  5. Consider legal aspects and liability issues. Consult your legal counsel on this. What key laws and regulations apply to mobile use? Where could users run afoul? What privacy and security issues are most prominent to consider? What about the private data that users may hold on their own (BYOD) devices? An overarching consideration is to maintain security for private information and to have a policy in place for data leaks and lost or stolen devices. That includes your policy on remote “wipes” of sensitive data or perhaps all data.
  6. Weigh device and data security issues. Since most mobile devices—especially smartphones—were not designed with security as a foremost consideration, you must take steps to protect your sensitive data and to secure the devices themselves without impeding business or making operation too difficult for the end user. The world of mobile computing presents new challenges that were not present when IT had full control of endpoint devices and internal networks. Clear mobile security policies and controls must be in place.
  7. Develop your communications and training plan. Users must be apprised and reminded of your mobile device policy if they are going to adhere to it. They also need to know the consequences of violating your policies. Your communications and training plan should be creative—from wall posters to text and e-mail messages, from corporate newsletters to group training sessions. You may want to first pilot your new policy with a small group of users. But communication and training are key: A perfect mobile device policy will not work if it is not communicated properly and users are not trained properly.
  8. Update and fine-tune. There will be some misses, some places where, after you deploy your mobile policy, you find room for improvement. You will receive user feedback, which should be considered too. And there will be changes in the technology marketplace and user trends. A program must be in place to periodically (every six months, perhaps) review your mobile device policy and any audit information to make improvements in the policy.

If your organization sanctions the use of mobile devices, you must have a clear, updated IG policy for their use, and you must be able to monitor, test, and audit compliance with the policy. Bear in mind that mobile devices are inherently unsecured and have many vulnerabilities, and you will have to consider possible security threats. If your organization plans to utilize a BYOD approach, your support for mobile devices will be more challenging and complex. Critical to success in leveraging mobile devices is training employees on your IG policy and policy updates and consistently reinforcing the message of cautiousness with confidential company data. If you are using mobile devices to conduct business, there will be business records that are created that must be captured and archived with their integrity and authenticity intact. All information on an employee's smartphone or tablet is potentially discoverable in legal proceedings, so you must include your legal team in policy development and periodic updates. Mobile device use can allow for great productivity gains, but the gains come with associated risks.

CHAPTER SUMMARY: KEY POINTS

  • The plethora of mobile computing devices flooding into the market will be one of the biggest ongoing security challenges moving forward.
  • An IDC report indicated that smartphone sales outpaced PC sales for the first time ever in the fourth quarter of 2010.
  • As businesses work to deploy mobile apps, they walk a fine line between innovation and risk. To ensure that a mobile offering is secure, many businesses are limiting their apps' functionality.
  • Human beings remain the weakest link in security, particularly with the increasing use of mobile devices. IG policies must be established and employees must be trained to be aware of security and privacy risks.
  • Connecting to a business directly via an app can be more secure than relying on a browser or texting platform, which require an additional layer of software.
  • Over the next several years North America will be upgrading to 4G networks, faster WiMax will be deployed, and there will be 3G and 4G interoperability.
  • MDM software helps organizations to remotely monitor, secure, and manage devices such as smartphones and tablet PCs.
  • There will be new enhanced security and antivirus products developed to combat the increasing threat of cyberattacks.
  • Mobile computing security challenges require that organizations follow best practices when developing and deploying apps. Some keys are: encrypting sensitive data, using the secure software development life cycle (SDLC) methodology and enhanced authentication methods, and hiring a security expert to test new apps.
  • Develop a comprehensive mobile strategy before you craft your mobile device policies. You will need input from a variety of stakeholders, and you will need to understand where mobile devices fit in your overall technology infrastructure and strategy.

Notes

1. CTIA, “Wireless Quick Facts,” www.ctia.org/advocacy/research/index.cfm/aid/10323 (accessed May 13, 2013).

2. Alan Joch, “How to Create an Effective Mobile Device Policy,” Biztech, www.biztechmagazine.com/article/2013/03/how-create-effective-mobile-device-policy, March 26, 2013.

3. “Current Mobile Computing Calls for Security as Powerful as Titanium,” http://techreview.blogpool.co.uk/2011/02/10/modern-day-mobile-computing-calls-for-security-as-powerful-as-titanium (accessed March 30, 2012).

4. Warwick Ashford, “Mobility among the Top IT Security Threats in 2011, Says UK Think Tank,” Computer Weekly, January 7, 2011, www.computerweekly.com/Articles/2011/01/07/244797/Mobility-among-the-top-IT-security-threats-in-2011-says-UK-think.htm (accessed March 30, 2012).

5. Ann All, “Mobile Device Management: 6 Trends to Watch,” eSecurity Planet, www.esecurityplanet.com/mobile-security/mobile-device-management-6-trends-to-watch.html (accessed February 8, 2013).

6. Matt Gunn, “How to Build a Secure Mobile App,” Bank Systems and Technology, July 6, 2011, www.banktech.com/risk-management/231001058?itc=edit_stub (accessed December 19, 2011).

7. “Top Ten Trends in Mobile Computing,” CIO Zone, www.ciozone.com/index.php/Editorial-Research/Top-Ten-Trends-in-Mobile-Computing/2.html (accessed December 19, 2011).

8. Stanford University, “Guidelines for Securing Mobile Computing Devices,” www.stanford.edu/group/security/securecomputing/mobile_devices.html (accessed December 19, 2011).

9. Symantec, “Business Challenge: Mobile Device Management,” www.symantec.com/mobile-device-management (accessed May 14, 2013).

10. All, “Mobile Device Management: 6 Trends to Watch.”

11. Vikrant Gandhi, “U.S. Mobile Device Management (MDM) Market,” October 4, 2012, www.frost.com/sublib/display-report.do?ctxixpLink=FcmCtx1&searchQuery=mdm&bdata=aHR0cDovL3d3dy5mcm9zdC5jb20vc3JjaC9jYXRhbG9nLXNlYXJjaC5kbz9xdWVyeVRleHQ9bWRtQH5AU2Vhc-mNoIFJlc3VsdHNAfkAxMzYwMzI5NTg4NTc5&ctxixpLabel=FcmCtx2&id=NB29-01-00-00-00

12. All, “Mobile Device Management: 6 Trends to Watch.”

13. Quotes in this section are from Stanford University, “Guidelines for Securing Mobile Computing Devices.” www.stanford.edu/group/security/securecomputing/mobile_devices.html

14. Quotations in this section are from Matt Gunn, “How to Build a Secure Mobile App,” Bank Systems and Technology, July 6, 2011, www.banktech.com/risk-management/231001058?itc=edit_stub (accessed March 30, 2012).

15. Beau Woods, “6 Ways to Secure Mobile Apps,” Bank Systems and Technology, May 26, 2011, www.banktech.com/architecture-infrastructure/229700033 (accessed March 30, 2012).

16. Ibid.

17. Joch, “How to Create an Effective Mobile Device Policy.”

* Portions of this chapter are adapted from Chapter 7, Robert F. Smallwood, Safeguarding Critical E-Documents: Implementing a Program for Securing Confidential Information Assets, © John Wiley & Sons, Inc., 2012. Reproduced with permission of John Wiley & Sons, Inc.
