From apps that know our every move, to cookies that track each browsing session and large scale social media privacy breaches – our smartphones are constantly spying on us.
These days, most people accept that their mobile phones are not great at keeping personal data safe. What they don’t generally know, however, is what causes data to leak and what they can do to stop it.
Put simply, users are the weakest link.
Businesses recognize this and have put security policies in place to reduce risky practices, especially for corporate-owned devices. Even so, a surprising number do not enforce these policies, nor do they have tools to tell them which devices are connected to the corporate network.
Some even allow mobile workers with corporate-owned devices to connect without a virtual private network (VPN), a tried and tested way to keep confidential information passing over the Internet private.
Bring Users in from the Cold
Most businesses want employees to be able to access company data in real-time, wherever they happen to be. It helps operational efficiency, drives up productivity, and enhances customer service delivery. Some businesses operate a ‘bring your own device’ (BYOD) policy while others provide workers with company-owned equipment.
Surprisingly, more than a third (36%) don’t make employees take mobile security courses. Given that user ignorance is a major mobile security risk, you might expect the proportion of businesses imparting basic best practice to their employees to be a lot higher.
Suggested basic practices include remembering to password-protect phones and to turn off Bluetooth, along with ensuring they always download apps from approved sources, updating the operating system regularly, and understanding the risks of public Wi-Fi.
Employees, however, are by no means the only risk. Any app, even one that is well respected, can leak information.
It only takes a single bug in a software update to expose the data. It might be an app that synchronizes with contact lists and tracks geographic positioning, or it could be a mobile messaging service that offers predictive texts via the cloud.
If mobile communications are not properly secured, all these things can expose confidential information to third parties such as marketers or even cyber criminals.
Even Apple’s FaceTime video chat app is not immune. A flaw in the software, ironically discovered on Data Privacy Day, allows group chat calls to activate a recipient’s microphone even if they don’t accept the call.
Mobile spy hazards don’t end with the apps and users either.
Following last year’s reversal of the Net Neutrality Agreement, carriers have begun selling customers’ location data, effectively making phone tracking data available to anyone willing to pay for it.
Enterprises are Ill-Prepared
Most employers accept that mobile phones are an essential part of the modern workplace.
Yet, enterprises are still struggling to manage mobile security properly. In a 2017 survey by Enterprise Mobility Exchange, just 27% of respondents rated mobility a top priority. A little more than one third (34%) have a corporate-issued device strategy, while 17% have opted for BYOD. Around half (46%) use a combination of the two.
One in ten enterprises rank mobile security as a low priority. According to a study by Arxan Technology, 90% of enterprise mobile apps featured two of the Open Web Application Security Project’s (OWASP’s) ten biggest security risks. The top four threats in the list are data leakage, phishing attacks, insecure apps and spyware.
Even now, half of all businesses don’t have a dedicated mobile apps security budget. Clearly this is a major Achilles heel for business.
Yet, in spite of all the risks, two thirds (66%) of enterprises do not oblige users to use a VPN when accessing corporate data via a mobile.
Managing Enterprise Mobile Security
To eliminate the ‘spy in the pocket’ risk, firms need to go beyond instigating a few policies and some employee training. For example, IT admins need to be able to see which network services employees are connecting to from corporate-issued devices. You cannot be confident of managing remote connectivity securely unless you have some insight into what’s going on.
Remote mobile devices should also have an automated means of verification, such as two-factor or multi-factor authentication, before they are allowed to connect to the company’s systems.
It is recommended that enterprises insist employees use an encrypted connection such as a VPN to prevent cyber attackers from intercepting communications between the device and back-end services.
The preferred VPN policy is for “always on” remote communications. Where this is not practical, because of low battery life for example, the VPN connection should be activated automatically whenever a threat risk is detected, such as when using public Wi-Fi in a coffee shop or airport.
In summary, smartphones are an indispensable part of today’s workplace, but they are also a risk. From careless user behavior to bug-ridden apps, the mobile phone is the mole in your pocket indiscreetly disclosing personal, sometimes highly sensitive information to complete strangers.
For this reason, most enterprises want to be able to securely manage how mobiles connect remotely to the corporate network. Many are turning to centrally managed VPN software. Enterprise-grade VPNs allow central IT support teams to manage and authenticate any number of remote mobile devices, ensuring that data is encrypted and company confidential information remains private.