In order to comply with the new working model, CISOs will need to make ‘mobile security’ a priority on a much broader scale to prepare for future challenges. Josh Neame, Technology Director at BlueFort Security, suggests ways that CISOs should be rethinking how they approach ‘mobile security’ to ensure their organisation is both productive and secure in 2021.
The Coronavirus pandemic has had a significant impact on many aspects of the economy. But while many businesses have been focusing on maintaining operations in the face of remote working and changing consumer demands, threat actors around the world have been capitalising on the crisis.
Deloitte points out that its Cyber Intelligence Centre has observed a spike in phishing attacks, malspam and ransomware, with threat actors using COVID-19 as bait to mislead employees – many of whom are now working remotely, beyond the confines of the corporate network and using a variety of mobile devices.
CISOs are now facing a host of new security challenges brought on by the rapid deployment of tools, technologies and processes that enabled people to work remotely. Many of these changes happened in a matter of days and the rushed nature of the rollout now poses some major data security issues. The ‘new normal’ has changed both the scope and definition of how CISOs will need to think about ‘mobile security’ going into 2021.
The risk of insider threat is not a new one. However, the shift in working practices, associated devices and locations is making it far easier for these types of threat to go unnoticed – whether they’re malicious or just a simple mistake. The mobile nature of the new IT environment means CISOs will need to consider a range of new tools and processes. Here we look at three ways CISOs should be rethinking how they approach ‘mobile security’ to ensure their organisation is both productive and secure in 2021.
- The proliferation of mobile devices
With more employees now working on mobile devices, the key question for CISOs is: are the devices my employees are using properly secured? The proliferation of mobile devices widens the organisation’s potential attack surface. This threat is further amplified by the associated increase in cloud adoption and the short-term Bring Your Own Device (BYOD) policies many organisations rolled out to overcome the initial challenges of COVID-19.
The very definition of a corporate mobile device is also now changing, with considerations around iOS, Android, Surface, Chromebook, Mac and Windows all varying considerably. Security leaders now have a much longer list of ’new’ vectors. Given that initial short-term solutions are fast becoming long-term operational models, CISOs need to be asking:
- Does our organisation have the relevant tools in place to gain visibility and control of these devices? Can all of these device types be managed effectively or denied access to services?
- Can our organisation audit and control application usage, license usage and the impact of shadow IT?
- Do these devices meet corporate standards, or device policies for web filtering, malware detection, DLP, application control and patching?
Strong unified endpoint management (UEM), data loss prevention (DLP) policies and a cloud access security broker (CASB) will be important tools for any security organisation moving into an era of more permanent remote working. These will provide visibility – on a user, device and activity level – as well as the ability to enforce granular security policies, for example on files or messages containing sensitive or restricted data. This will also extend both visibility and manageability to other third-party cloud applications.
But while security is undoubtedly the number one priority, CISOs will also have to place a renewed focus on privacy while rolling out these changes. The increase in BYOD and personal device usage will present a number of privacy implications and concerns from employees. While organisations will be seeking visibility of anything corporate, controls will need to be put in place to ensure this does not extend to employees’ shopping habits or Netflix favourites. As the lines between corporate and personal continue to become increasingly blurred, ensuring proper coverage of all corporate assets while not encroaching on users’ personal behaviours is going to be more challenging.
- Best practice for a mobile workforce
After addressing visibility and device security, CISOs should focus on ensuring users are working to best practices. Office-based users who are not familiar with home or remote working may not be embracing it effectively, or in the way the organisation needs them to.
The shift to mobile working has also seen a move to co-working venues, which will likely become more frequent as permanent office spaces become less viable. While many of these venues take security seriously and have controls in place, the wider economic effect of COVID-19 has forced other businesses to provide co-working options as a new revenue stream. Whether this is a local pub, café or restaurant driving trade with free Wi-Fi or bottomless coffee offers, it is far less likely that these venues are as security conscious as dedicated co-working facilities. Employees working from these locations – often unbeknown to the IT security team – open up yet another avenue for bad actors to compromise devices and services via man-in-the-middle (MITM) and similar tactics. Going forward, this will force organisations to consider a much broader range of security tools and potential attack types.
The impact of mobile worker behaviour also bleeds into supply chain risk. CISOs will be tasked with providing a top-down view of organisational risk, inclusive of customers, third parties and potential supply chain breaches. Reconciling a mobile workforce and mobile device estate – one that potentially mixes personal and work tasks into single workflows – significantly broadens this risk and dilutes visibility across the organisation.
CISOs are facing a dilemma. On the one hand, they can embrace mobile working – which likely means changing a variety of processes, policies and procedures, which will in turn affect compliance and accreditations. On the other, they can reject modern working practices and attempt to enforce legacy policy in a modern environment – in which case tools will likely need to change to accommodate this.
Whichever route a CISO chooses, if the correct tools are not adopted by the business, there will almost certainly be an increase in the security responsibilities placed on end-users. If adequate training is not provided, this may have a significant long-term impact on overall security.
- Widening the focus on mobile infrastructure
One of the more challenging changes facing CISOs in the shift to remote working is the potential impact of Internet of Things (IoT) devices on organisational security. Few CISOs will currently be able to say for certain which IoT devices are connected to their corporate data repositories and networks via employees’ home networks, or whether any single employee has synced their digital assistant with their work calendar.
Modern authentication types such as Security Assertion Markup Language (SAML), OAuth and OpenID Connect (OIDC) make it very easy for end-users to enrol, connect and potentially leak data out of corporate cloud services without the security team ever knowing. These are also potentially ‘one time’ authentication types – the user signs in and consents once – making it even less obvious to an end-user that they have done something they shouldn’t have.
Something as simple as connecting an Amazon Echo device to a corporate Office365 account is unlikely to be seen by an employee as anything more than an easy way of gaining a central view of their calendar or appointments. However, many employees may unknowingly be leaking corporate data and leaving yet another attack surface – completely unnoticed by IT – open to threat actors.
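As an added illustration (not from the article), the following audit reads an export of OAuth consent grants and flags the ones an individual user granted to a third-party app with access to corporate calendar, mail or files; the record format and field names are assumptions, while the scope names are Microsoft Graph delegated permissions.

```python
"""Flag user-consented OAuth grants that expose corporate mail, calendar or files."""
import json

# Constructed sample export. Field names are assumptions, loosely modelled on the
# OAuth 2.0 permission-grant records an identity provider can export.
SAMPLE_GRANTS = json.dumps([
    {"app": "Corporate Intranet", "consent_type": "AllPrincipals",
     "user": None, "scopes": "User.Read openid profile"},
    {"app": "Smart Speaker Skill", "consent_type": "Principal",
     "user": "alice@example.com", "scopes": "Calendars.Read offline_access openid"},
    {"app": "Note Sync", "consent_type": "Principal",
     "user": "bob@example.com", "scopes": "Mail.ReadWrite Files.Read.All offline_access"},
    {"app": "Timezone Widget", "consent_type": "Principal",
     "user": "carol@example.com", "scopes": "openid profile"},
])

# Delegated scopes that expose corporate data (Microsoft Graph scope names).
SENSITIVE_SCOPES = {
    "Calendars.Read", "Calendars.ReadWrite", "Mail.Read", "Mail.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
}
# offline_access issues a refresh token: the 'one time' sign-in keeps working
# long after the user has forgotten they ever connected the app.
PERSISTENT_SCOPE = "offline_access"


def audit_grants(raw_json: str) -> list:
    """Return findings for grants an individual user consented to (not admin-approved)
    that include at least one sensitive scope, most exposed first."""
    findings = []
    for grant in json.loads(raw_json):
        if grant["consent_type"] != "Principal":
            continue  # admin-consented: already reviewed by the security team
        scopes = set(grant["scopes"].split())
        exposed = sorted(scopes & SENSITIVE_SCOPES)
        if not exposed:
            continue
        findings.append({
            "app": grant["app"],
            "user": grant["user"],
            "exposed_scopes": exposed,
            "persistent": PERSISTENT_SCOPE in scopes,
        })
    findings.sort(key=lambda f: (-len(f["exposed_scopes"]), f["app"]))
    return findings


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        tag = "persistent" if f["persistent"] else "session-only"
        print(f'{f["user"]}: {f["app"]} -> {", ".join(f["exposed_scopes"])} ({tag})')
```

Grants marked persistent are the ones to review first: the user's single consent has left a refresh token that keeps the app's access alive indefinitely.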
Consumer IoT devices are now a corporate security risk. If a remote worker has a poorly secured home network with numerous IoT devices (often with questionable built-in security at best), this now poses a risk to the overall corporate environment. The prospect of threat actors gaining access to a poorly secured home network and using it to move laterally into the corporate network or cloud services is now far from academic. Any organisation is only as strong as its weakest link and CISOs need to be acutely aware of this new threat vector.
Conclusion
The environment CISOs are now faced with securing is changing rapidly and, now more than ever, any data breach is likely to have far-reaching consequences, from the financial losses associated with downtime and regulatory fines to long-term effects on the organisation’s operations, compliance, reputation and ability to remain competitive. Indeed, the IBM Security Cost of a Data Breach Report 2020 shows that the average cost of a data breach in the United Kingdom is increasing year-on-year and has now reached US$3.90 million. What’s more, organisations are taking longer to identify and contain a breach – now an average of 256 days.
CISOs have done extraordinary things to ensure business continuity in recent months, overcoming operational challenges that many – if not most – organisations never once considered possible. But as we move into 2021, CISOs will need to consider ‘mobile security’ on a much broader scale if they are to ensure their organisations are prepared for the challenges ahead.