Hope-Less: some REAL approaches to security that you will be glad are not yours!
Sometimes it feels like the little old mobile device, carried by employees anywhere and everywhere, is the only remaining business endpoint that it is acceptable to not secure. Maybe that is because it contains very little business-related data and is not used to access any business systems... oh wait.
There has been an explosion in remote working, and mobile devices, both company-owned and personally owned (BYOD), are used to access the same systems that traditional endpoints such as laptops and desktops are used to access.
But they go everywhere. To the bar/bus/train/vacation/park/hike/raft/parachute jump/bathroom? with their respective operators, and they regularly connect to networks of questionable origin. Yeah, remember that WiFi network you connected to that one time when you had to download that podcast and had no cellular coverage, "Dodgy_WiFi_Free"...
So surely they need equal security treatment? Yeah, you would think that, but stats would suggest that 80% of businesses have yet to secure their mobile devices. We talk to many of the security and IT teams in these companies regularly and they usually fall into 2 categories:
1 - Well informed and planning on addressing the risk. For the moment we will park these guys.
2 - Over-confident, uninformed and full of HOPE
Don't get me wrong, hope has its place. If I am in a perilous situation and can remain hopeful of a good outcome it might give me a morale boost that could be the difference between life and death. But there is a crucial factor here that should raise an eyebrow when we encounter it. Why would you choose to remain in a perilous situation if you don't have to?
This, my friends, is "Hope as a strategy".
At best it is lazy or uninformed. At worst it is simply reckless.
A very welcome development which we have witnessed recently is the interest of the wider company in cyber security; awareness is on the increase and people are starting to ask questions. Recently we had a request from the CEO of a finance company to brief their senior team on some of the risks faced by mobile device users. The IT manager was in attendance and repeatedly questioned the need for mobile-specific security. Following the session, one of the senior team called me and said these exact words: "it sounds like we are hoping nothing bad happens". There goes that word again, hope.
I thought it might be interesting to help you spot if "hope" is your mobile security strategy based on some of the regular utterances we hear from "hopers".
Strap in, some of these are clangers!
"We only allow iPhones in our business"
This old chestnut has been around for a while now. No amount of telling them about the dangers of credential theft (more on that in a minute), Pegasus or stats about the instances of zero-days on iOS will convince these guys that iPhones are not an impenetrable fortress.
"We have MFA, we are secure"
Ah okay then, that's good! But it is not a panacea. When you get a moment google MFA weaknesses and have a read.
"Our team are clued in and don't click on bad stuff, we did cyber awareness training with them last year"
Training is great. Relying on your people to get it right every single time is not really fair on them.
"We have an MDM so we are covered"
This one is particularly terrifying, especially when you have to gently explain to someone that the management system they have in place is not detecting vulnerabilities, blocking phishing links in SMS messages or performing network traffic inspection etc. The clue is in the name, dude: "management".
"We only use our phones for email, what's the worst that could happen"
Yes! People say this, I have witnesses! Unfortunately there are a considerable number of people out there who are responsible for IT and who have no concern for or understanding of the consequences of stolen credentials. As they see it, you simply change the user's login credentials once it is noticed and the problem is solved. Just think about that for a moment. I do like giving examples that outline the potential consequences of some of these security incidents, but when I hear "what's the worst that could happen" in relation to unauthorized access to a company email account I find it hard to take the person seriously. Surely nobody can be okay with that happening, right?
"We only use apps from official app stores"
Oh... that's fine then. Really it is not. There have been pretty massive cases where apps that appear on official app stores have later been found to dynamically load malicious code from the Internet or use compromised libraries etc.
Mobile is no different than any other part of the business when it comes to security. First and foremost it is important and worthy of attention, admit that to yourself. Now that we have agreed that it is important, ask yourself this: Is *hoping* that nothing bad happens an acceptable approach to any part of the security in your organization?
Advanced Detection and Response for Mobile Endpoints
1 year ago: Excellent post which conveys the business value of mobile security in a highly accessible way.