Communications of the ACM
Five Tips To Improve Enterprise Mobile Security
John Harrison, group manager, Symantec Security Response
Photo courtesy of Symantec Corp.
While both Apple's iOS and Google's Android mobile platforms were designed with security in mind, those provisions may still be insufficient to protect sensitive enterprise assets on the devices, according to a new white paper, A Window Into Mobile Device Security, from Symantec Corp.
The problem is that today's mobile devices are increasingly being connected to and synchronized with an entire ecosystem of third-party cloud and desktop services outside the enterprise's control, potentially exposing key assets to increased risk.
Symantec says it isn't in a position to recommend one platform over the other. But its white paper points out that Google performs no vetting on either apps or application authors, and malware creators can easily sign their malware apps with anonymous certificates.
"Unfortunately, Android ultimately relies upon the user to decide whether or not to grant permissions to an app, leaving Android users open to social engineering attacks," says John Harrison, group manager, Symantec Security Response. "The fact of the matter is that most users are unequipped to make such security decisions, leaving them open to malware and all of the secondary attacks that malware can launch."
Meanwhile, Apple vets every single publicly available iOS app. While its approach isn't foolproof, says Thompson, "it has thus far proved a deterrent against malware attacks, data loss attacks, data integrity attacks, and denial of service attack."
Harrison recommends these five tips that enterprises — as well as end users — can follow to improve their mobile security:
1. Use security software on the devices if possible. This can stop hackers and prevent cybercriminals from stealing information or spying on users when using public networks. It can also eliminate annoying text and multimedia spam messages. And it can detect and remove viruses and other mobile threats before they cause problems.
2. While iOS provides default level encryption, if another device being used within an enterprise infrastructure does not, enterprises should look to an encryption solution to add to the device. The business-related and even personal information stored on mobile devices is often sensitive. Encrypting this data is a must. If a device is lost and the SIM card stolen, the thief will not be able to access the data if the proper encryption technology is loaded on the device.
3. Develop and enforce strong security policies for using mobile devices. It's important to enforce password management and application-download policies for managers and employees. Maintaining strong passwords will help protect the data stored in the phone if a device is lost or hacked.
4. Since a well-managed device is a secure device, properly managing mobile devices is key. Enterprises should consider implementing a mobile management solution to ensure all devices that connect to their networks are policy compliant and free of malware. Mobile management solutions can also help enterprises if a device is lost or stolen by providing processes and tools to deactivate the device and protect its information from intrusion.
5. Educate users. Enterprise IT should help users understand the need to click with caution, just like they do with PCs. Opening emails and texts from unfamiliar senders on mobile devices is just as dangerous as doing so on PCs. Users should also avoid clicking on links in messages if at all possible. Users should also be advised to be aware of their surroundings when accessing sensitive information. Whether entering passwords or viewing sensitive or confidential data, users should be cautious about who might be looking over their shoulder.?
Paul Hyman was editor-in-chief of several hi-tech publications at CMP Media, including Electronic Buyers' News.
No entries found