Preparing for the festive IT headache

Christmas is the season for giving, but for IT security teams that can create numerous problems, says Terry Greer-King.

Preparing for the festive IT headache
Preparing for the festive IT headache

The holidays are a time for giving, we all know, and 2014 continues the trend of the past few years - one of the most popular gifts this year will be a new tablet, smartphone or laptop.

While tablet sales are predicted to slow this year, research firm Gartner still estimates that tablet sales worldwide will reach 229 million units in 2014, an 11 percent increase from 2013, representing 9.5 percent of total worldwide sales of devices in 2014.

Worldwide combined shipments of devices (PCs, tablets, ultra mobiles and mobile phones) for 2014 are estimated to reach 2.4 billion units in 2014, a 3.2 percent increase from 2013 with smartphones set to represent 71 percent of the global mobile phone market in 2014.

Of course, that means the poor IT security teams back at our offices will be presented with a festive headache as staff return after the break with their new devices fresh out of the holiday wrapping and expect to be able to use them at work.

For these teams the Bring Your Own Device (BYOD) trend has the potential to complicate one of their primary duties – that of data protection.

As the transition away from relatively easy to manage corporate laptops and desk-bound computers, personal tablets and smartphones gathers pace, it's no surprise that hackers are choosing these mobile devices as their next target. It makes economic sense and they are simply ‘following the mobile money'.

The issue with employee-owned mobile devices is that they access corporate resources outside of the control of the corporate IT function. This means it can be difficult to identify even basic environmental data for these devices, such as the number and type of devices being used, and the operating systems and applications.

In addition mobile malware is growing rapidly, which further increases risk. Research from Cisco indicates that 99 percent of malicious attacks on mobiles in 2013 occurred on devices running Google's Android operating system. Given the lack of even basic visibility, most IT security teams certainly don't have the capability to identify potential threats from these devices.

However, despite these pitfalls, it would not be practical or desirable to ban BYOD strategies outright. In order to gain the information security advantage in a mobile world, IT security professionals must be able to see everything in their environment. Only with this visibility can they understand whether it is a risk and then protect it. For most enterprises, the right solution is to implement BYOD policies that clearly define the proper use of employee-owned devices in the enterprise.

 Here are a few steps enterprises can take to help maintain control of their networks:

  • First, identify technologies that provide visibility into everything on the network – devices, operating systems, applications, users, network behaviours, files as well as threats and vulnerabilities. With this baseline of information they can track mobile device usage and applications and identify potential security policy violations.
  • Second, enterprises should leverage technologies that help apply security intelligence to data so that they can better understand risk. From there, it's possible to evaluate mobile applications to determine if they are malware and even identify vulnerabilities and attacks targeting mobile assets.
  • Third, identify agile technologies that allow the company to adapt quickly and take action to protect systems in rapidly changing mobile environments. Enterprises need to create and enforce policies that regulate what data can be transmitted to BYOD users.

For employee owned devices it may be useful to lock down your organisation's network or computers (laptops, desktops, servers) with capabilities like application control. Consider approved applications that can be used by employees to remotely access their desktop computers back in the office form their tablet while travelling. While they may not be able to limit the installation of an application on the device, they can prevent it from running on corporate-owned computers.

At the end of the day, security of mobile devices is ultimately a question of three phases.

  • Before – establishing control over how mobile devices are used and what data they can access or carry.
  • During – visibility and intelligence is vital if security professionals can hope to identify the threats and risky devices and monitor their activities on the corporate network.
  • After – when the inevitable happens and the network is compromised by a threat, this is the ability to retrospectively review how that threat entered the network; which systems it interacted with and what files and applications were run to ensure it can be cleaned up as quickly as possible.

There's no doubt that adoption of mobile devices in the workplace presents a challenge that is as much a question of policy and control as it is of technology alone. However, BYOD is here to stay with over 10 million UK employees predicted to be using personal devices in the workplace by 2016. And in today's increasingly mobile enterprise, where BYOD is becoming the norm, organisations need an increased level of IT security intelligence that allows them to identify risky behaviour and applications on employee devices, so that they can take measures to protect corporate assets. 

Contributed by Terry Greer-King, director of cyber security at Cisco