Topic: Data security and the mobile workforce
Author: John Ferron & John Knopf
Organisation: NetMotion Wireless, Inc.
John Ferron, Chief Executive Officer (CEO), NetMotion Wireless
John brings an extensive and diverse leadership background in high growth, technology-driven companies.
Prior to taking the helm at NetMotion, John served as CEO of Purple Communications; CFO and COO of Celerity, Inc., a company specialising in precision flow control instruments, and gas and chemical delivery equipment; CFO for Kinetics Group, Inc. which was an international design and installation company; Vice President of finance for Compaq Computer’s Commercial PC Group; General Manager of an R&D optical display division, and Vice President of strategic planning and business development for Science Applications International Corporation.
An expert in business transformations and operational improvement with a primary emphasis in late stage private equity held companies, John earned a bachelor’s degree from Northern Arizona University and a master’s degree from San Diego State University.
John Knopf, Vice President of Product Management, NetMotion Wireless
John started at NetMotion in 2001 when the company had only 3 customers. He is responsible for the direction, content and technology partnerships of the company’s solutions that are now deployed by over 3,000 enterprise customers. John began his software career over 25 years ago while still in high school when he co-founded pioneering shareware company, ButtonWare, with his father. After graduating from Brigham Young University, he led the expansion of that company into Europe. John has held leadership roles in product management and marketing at a handful of early-stage enterprise software companies based in the Seattle area.
Even the most regulated organisations which choose a highly-managed mobile environment need to cope with a huge variety of use cases and, as a result, a highly varied threat landscape. Mobility is for everyone, from CEO to warehouse worker, and as such, it’s key to create a flexible, multifaceted mobile strategy rather than a fixed one. For the modern enterprise to be able to capitalise on the benefits of mobile working, it must be confident in the agility of its defences no matter what the device or where the employee.
Companies need to manage not only the devices, but connections, authentication and deployments on a per-application and per-employee basis. Using dynamic policies for updates, management and security can allow COPE (company owned, personally enabled) strategies to mould to employees’ needs. Prioritising and shaping traffic for the right applications and for the right job roles is critical to keeping employees connected and productive. This will also protect organisations from a massive bill shock each month.
By controlling the connection of COPE devices on a per-app basis, organisations can choose what they are paying for and what they are not. This means if you need to ensure employees aren’t burning through mobile data in non-business hours, or using non-business applications, you can. Comprehensive mobile VPN solutions can be an effective means of doing this, and can provide secure and reliable communications in addition to all the management and assessment needs.
Data security and legal implications
The pace of change and increasing adoption of mobile devices is not going to abate. And mobility – regardless of whether it’s a BYOD or COPE strategy – will continue to cause headaches for companies, opening up a range of dangers not previously addressed by the static office system.
There is also the question of the device. BYOD strategies in particular are susceptible to the risk of employees working on old devices with out-of-date operating systems or applications, presenting a weak point in company security. Even if you can guarantee that all the devices connected to your network are up to date, there is still the potential for employees to attempt to work around mobility controls – removing application restrictions, for example, or misusing bandwidth to access restricted websites – which can result in network damage or data breaches.
Going one step further, jailbroken devices constitute an even more serious potential threat. Removing the manufacturer’s hardware restrictions allows users to install insecure services and leaves gateways open for targeted attacks. In August 2015, for example, the KeyRaider malware was found to affect only jailbroken iPhones. It allowed criminals to steal users’ login information and passwords, and affected more than 225,000 people. Though it can be hard to spot their presence, jailbroken devices are clearly not a minor concern, and any mobile enterprise needs to be keenly aware of the dangers they present.
Mobile working also brings with it a more basic but equally dangerous threat: that of physical loss and theft. Each mobile employee carries with them an entry point into the company network, and if that entry is not sufficiently well-guarded, then a burglary or even just a moment of absent-mindedness in an airport or station can result in a very costly data breach. Though an increase in mobility is the key to greater productivity in an accelerating business world, physically moving system access points outside the secure workplace means that a robust front-facing security system is a must.
New challenges, new responses
It is apparent that the mobile workforce faces a host of security risks. But there are answers. From our experience in the market, the most crucial elements of safe mobility are the security and connectivity of each individual application. Crucially, it doesn’t and shouldn’t matter what kind of device the application is on, or who owns it. Per-application management gives enterprises the flexibility and control to manage specific data, rather than relying on the security of the end-point device. This makes security, authentication and management of business data far simpler, and allows support and IT admin functions to be done automatically.
Take one final security risk, so-called ‘Evil Twin’ attacks, as a worked example. When employees connect remotely via an open or public WiFi network, per-application management acts as a secure gateway to the corporate VPN network, safeguarding against attacks from hackers. Hackers typically position themselves between the user and the connection point – intercepting communications and then relaying them on. One way hackers do this is by setting up a fake network (the ‘evil twin’) to mirror the real, freely available one. When users unwittingly connect to this fake network, a hacker then steals account names and passwords and redirects victims to malware sites or intercepts files.
Many organisations are focused on managing the device configuration and employee profile, but this is often at the expense of strong, multi-factor authentication and security, which receive insufficient attention. With different users having different needs, workflow, devices and security authorisation requirements, IT departments should be able to set access policies by department, seniority or device type. This could include regular re-authentication for employees with specific, high-level security clearance, for example, or a single sign-on for those with less at risk.
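The per-application, per-role policy described above, as an added example (not NetMotion's product or code): each request is checked against device posture, job role, network trust, business hours and re-authentication age, and an application with no policy is denied. The app names, roles, the 08:00-18:00 weekday window and the re-authentication intervals are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AppPolicy:
    roles: frozenset           # job roles allowed to use the app
    reauth_every: timedelta    # maximum age of the last authentication
    business_hours_only: bool  # deny outside Mon-Fri 08:00-18:00 (assumed window)
    require_tunnel: bool       # untrusted networks must go through the VPN tunnel

# Constructed sample policies; app and role names are hypothetical.
POLICIES = {
    "payroll": AppPolicy(frozenset({"finance"}), timedelta(minutes=15), True, True),
    "dispatch": AppPolicy(frozenset({"field", "finance"}), timedelta(hours=12), False, True),
}

@dataclass(frozen=True)
class Request:
    app: str
    role: str
    last_auth: datetime
    now: datetime
    jailbroken: bool
    os_current: bool
    trusted_network: bool      # False for open or public Wi-Fi
    tunnel_up: bool

def decide(req):
    """Return (allowed, reason). The first failing check wins; unknown apps are denied."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, "no policy for app (default deny)"
    if req.jailbroken or not req.os_current:
        return False, "device posture"
    if req.role not in policy.roles:
        return False, "role not permitted"
    if policy.require_tunnel and not req.trusted_network and not req.tunnel_up:
        return False, "untrusted network without VPN tunnel"
    in_hours = req.now.weekday() < 5 and 8 <= req.now.hour < 18
    if policy.business_hours_only and not in_hours:
        return False, "outside business hours"
    if req.now - req.last_auth > policy.reauth_every:
        return False, "re-authentication required"
    return True, "ok"
```

Returning the reason alongside the decision lets the client prompt for the right remedy (bring up the tunnel, sign in again) and gives the help desk an auditable record of why access was refused.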
Finally, what about the future of these technologies? Even the most agile system will become outmoded given time if it is not also given space to grow and change. In order to future-proof against the security challenges of BYOD, COPE or other emerging mobility strategies, companies need to build a dialogue with their user community and invest in solutions that focus on solving real user problems and practise real user enablement, working to achieve transparency, app stability and ease of use.
Mobile workers need to perform their jobs securely and efficiently, and mobile technology should be an enabler, not a barrier to this. Happy, productive users don’t tend to rebel against IT controls and that’s one key route to managing change.