I recently had my mountain bike stolen. I thought my lock was secure enough, but the thief was able to cut through. As anyone who has had something personal stolen will know, the theft makes you re-evaluate how you protect other things you own. So, after choosing a replacement bike, I naturally decided to buy a more secure lock.
At the cycle specialist, I was looking at locks from ABUS, one of the leading bike security brands. They all perform the same basic function – helping to prevent ‘mobile devices’ from being stolen – but the range covers multiple security levels. The company rates each lock according to its intended use and threat environment, from low-cost bikes and accessories in low-risk areas up to high-value bikes in areas where theft is common.
This got me thinking: why shouldn't organisations apply the same rating process to the smartphones and tablets used across their employee base? As with bike security, the objective is simple: reduce the risk of the device being stolen or compromised. And there is no ‘one size fits all’ solution, because an organisation has many functions with different levels of risk and different security needs. Protecting every mobile device with the highest-grade security technology looks good on paper, but in practice it doesn't make sense: the cost and the friction for users are out of proportion to the risk for most of the estate.
Organisations need to provide the right level of security for each device and its data, based on several factors: the role of the individual using the device; the core business applications and data they have access to; and the risk to the business if the device is stolen or compromised. After all, you are unlikely to use a 150-pound lock for a 50-pound bike, and you wouldn't use a 30-pound lock for a hand-built Specialized or Colnago racer.
Different staff, different security levels
So how should organisations approach stratifying the security requirements across their mobile estates? There are three main security levels to think about. First are senior members of staff and specific sensitive functions (C-level, M&A, legal, finance, research, etc.) who access and process sensitive corporate data. These personnel and their devices should be considered a high security risk. Even so, layering multiple point security products onto their mobiles is not a good approach: it often degrades the usability of the device so much that users seek workarounds, bypassing the security measures in order to get their work done.
These executives should instead be issued with specialised, secure devices in which the standard OS and software stack, from the kernel upward, is replaced by hardened versions with security built in, so that productivity, functionality and usability are not affected. Such a device should encrypt all data at rest and all communications to and from the device; lock down its externally reachable interfaces (radios, ports and debugging channels) so they expose nothing beyond what the user's work requires; and actively monitor, block and alert on targeted attacks and on attempts to gain unauthorised access to on-device resources, plant malicious code or install rogue apps.
Using the ABUS cycle lock rating system analogy, this method would rank nine on a security scale of one to 10 (assuming that a 10/10 rating is not realistically achievable).
The second level of security covers mid-tier management staff, senior external contractors, project managers and other functions that have access to some sensitive data but are unlikely to be primary targets for attackers. These personnel should be considered a medium security risk. For them, a standard smartphone protected with a comprehensive security application that delivers encryption, attack detection and protection capabilities together with device management features should provide enough protection to satisfy the risk profile. This method could be applied on a corporate-issued smartphone or on the user's own device, and would rate six out of 10 on the ABUS scale.
The third level of security applies to employees with low-level access to data, including contract and freelance staff. Each individual's device usage and data access should be assessed and monitored, giving the organisation visibility of the security posture and risk level of every device under this scheme. This is achieved by applying lightweight security software to these devices, and would rate three out of 10 on the ABUS scale.
These three levels of security should be underpinned with a management system which enables the organisation's IT team to see the real-time risk level and security posture of each mobile device in its estate. The team can then manage and apply policies to mitigate risks and threats as they occur.
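To make the three tiers concrete, here is an added worked example (not code from the article, and not Kaymera's product) of the policy logic such a management system would apply. A user's role and the sensitivity of the data they handle select a tier, each tier carries a minimum set of controls and a maximum patch age, and every device in a constructed inventory is checked against its tier. The role lists, control names, thresholds, actions and sample devices are all assumptions made for illustration; the 9/6/3 ratings are the article's own.

```python
"""Tiered mobile-device posture check (added example; not the article's code).

Role or data sensitivity, whichever is stricter, selects one of three tiers.
Each tier has a minimum control set and a patch-age limit; a constructed
inventory is evaluated and non-compliant devices are listed first.
Role lists, control names, thresholds and sample devices are assumptions.
"""
from dataclasses import dataclass

# Tier 1: executives and sensitive functions; tier 2: mid-tier management and
# senior contractors; tier 3: everyone else. Role lists are assumed.
HIGH_RISK_ROLES = {"ceo", "cfo", "general_counsel", "m&a_analyst", "researcher"}
MEDIUM_RISK_ROLES = {"manager", "project_manager", "senior_contractor"}

# Minimum controls per tier; each tier includes the controls of the tier below.
# Control names are assumed labels for what the article describes.
TIER_CONTROLS = {
    3: {"posture_agent"},
    2: {"posture_agent", "storage_encryption", "mdm_enrolled", "attack_detection"},
    1: {"posture_agent", "storage_encryption", "mdm_enrolled", "attack_detection",
        "hardened_os", "encrypted_comms", "interface_lockdown"},
}
MAX_PATCH_AGE_DAYS = {1: 14, 2: 30, 3: 90}    # assumed thresholds
ABUS_STYLE_RATING = {1: 9, 2: 6, 3: 3}        # the article's 1-to-10 scale
ACTION_IF_NONCOMPLIANT = {1: "block", 2: "restrict", 3: "notify"}  # assumed


@dataclass
class Device:
    owner: str
    role: str
    data_classes: frozenset    # e.g. {"restricted", "confidential", "internal"}
    controls: frozenset        # controls the on-device agent reports as active
    os_patch_age_days: int


def assign_tier(role: str, data_classes) -> int:
    """Role or data sensitivity, whichever is stricter, decides the tier."""
    role = role.lower()
    if role in HIGH_RISK_ROLES or "restricted" in data_classes:
        return 1
    if role in MEDIUM_RISK_ROLES or "confidential" in data_classes:
        return 2
    return 3


def evaluate(device: Device) -> dict:
    """Compare one device's reported posture with what its tier requires."""
    tier = assign_tier(device.role, device.data_classes)
    findings = [f"missing control: {c}"
                for c in sorted(TIER_CONTROLS[tier] - device.controls)]
    limit = MAX_PATCH_AGE_DAYS[tier]
    if device.os_patch_age_days > limit:
        findings.append(f"OS patch age {device.os_patch_age_days}d exceeds {limit}d")
    return {
        "owner": device.owner,
        "tier": tier,
        "rating": ABUS_STYLE_RATING[tier],
        "compliant": not findings,
        "findings": findings,
        "action": "none" if not findings else ACTION_IF_NONCOMPLIANT[tier],
    }


def evaluate_estate(devices) -> list:
    """One result per device: non-compliant first, highest tier first."""
    results = [evaluate(d) for d in devices]
    return sorted(results, key=lambda r: (r["compliant"], r["tier"]))


# Constructed inventory for the example, not real data.
SAMPLE_DEVICES = [
    Device("cfo", "CFO", frozenset({"restricted"}),
           frozenset(TIER_CONTROLS[1]), 3),
    Device("pm-1", "project_manager", frozenset({"confidential"}),
           frozenset({"posture_agent", "storage_encryption"}), 10),
    Device("freelancer-7", "freelancer", frozenset({"internal"}),
           frozenset({"posture_agent"}), 40),
    # A low-level role that has been given restricted data: the data pulls the
    # device into tier 1, where a lightly protected phone fails badly.
    Device("contractor-2", "contractor", frozenset({"restricted", "internal"}),
           frozenset({"posture_agent", "mdm_enrolled"}), 20),
]

if __name__ == "__main__":
    for r in evaluate_estate(SAMPLE_DEVICES):
        status = "OK" if r["compliant"] else "FAIL"
        print(f"{r['owner']:<14} tier {r['tier']} ({r['rating']}/10) "
              f"{status} -> {r['action']}: {r['findings']}")
```

The point the inventory makes is that tiering has to follow the data as well as the org chart: the "contractor-2" device is a tier-3 role by job title, but because it handles restricted data it is held to tier-1 controls and blocked until remediated, while the freelancer with only internal data passes with a lightweight agent alone.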
This stratified, contextual approach means that businesses can apply protection to each device and the data it holds in a way that matches the user's role and risk profile, making it easier to secure the complete mobile security cycle.
Contributed by Avi Rosen, CEO and co-founder, Kaymera Technologies