Mobile device security, it’s not a control issue

Trend Micro has released another attention-grabbing video tutorial on mobile and smartphone security in the workplace.

Some of the scenarios it demos are really very frightening (from a corporate perspective) and if I ran a company, no matter what the size, it’d probably have me tapping out an email straight away to our head of IT about tightening the control on staff use of mobile devices. However, the real issue is bigger than just control.

I think companies should be asking themselves how they can secure their business from threatening access via devices, rather than how they can control the devices themselves.

Devices are often owned by the employees, not the company, but the majority of those devices will have “guest” internet and LAN access. This means that the organisation is legally unable to secure and control those devices, because a company cannot enforce security and control software upon devices which it does not own. Yet its data could be at great risk, and if devices are compromised, the scenario demonstrated in the video above will become a reality.

This isn’t a mass virus issue - it’s more focused than that. A criminal might want something specific from a corporate environment and use any means necessary to get it. That means, theoretically, that any company could be individually compromised by targeted criminal behaviour, whether from inside or outside. The former is the path of least resistance for cybercriminals, as most organisations tend to heavily trust their employees and BYOD schemes: they secure the perimeter against outside attacks but leave internal systems relatively easy to access, as demonstrated in the video.

One way to prevent data exposure is to create a VLAN that isolates sensitive data from “guest” devices. It is also important to have a gateway web content filter (a.k.a. a proxy), which ensures that those devices are unable to access malicious sites, download malicious content and unintentionally distribute it on the internal network.

Our customers use Trend Micro solutions such as Mobile Security, which can remotely wipe and encrypt devices, disable cameras and perform anti-malware app checking on company-owned devices. But these should be coupled with gateway security solutions and VLAN implementations to control access to sensitive resources for those “guest” devices, where security software cannot be installed.
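The segmentation described above only helps if the inter-VLAN rules actually enforce it, so the following added example (not from the original post or from Trend Micro) audits a rule set for the two properties the text asks for: guest devices cannot reach the sensitive VLAN, and their web traffic can only leave through the proxy. The addresses, the proxy port 3128, the rule format and the first-match evaluation order are all constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumptions, not from the article).
GUEST_HOST = "10.20.0.25"       # a device on the "guest" VLAN
SENSITIVE_HOST = "10.10.0.5"    # a server on the sensitive-data VLAN
PROXY = ("10.30.0.10", 3128)    # gateway web content filter (proxy)
INTERNET_HOST = "203.0.113.5"   # documentation-range address standing in for any site

# Constructed inter-VLAN rules: (action, source, destination, port or None for any).
# Evaluated top-down, first match wins, implicit deny at the end.
WEAK_ACL = [
    ("permit", "10.20.0.0/24", "10.30.0.10/32", 3128),
    ("permit", "10.20.0.0/24", "0.0.0.0/0", 443),      # also matches the sensitive VLAN
    ("deny",   "10.20.0.0/24", "10.10.0.0/24", None),  # never reached for port 443
]
FIXED_ACL = [
    ("permit", "10.20.0.0/24", "10.30.0.10/32", 3128),
    ("deny",   "10.20.0.0/24", "0.0.0.0/0", None),     # everything else from guests is dropped
]

def decide(acl, src, dst, port):
    """Return the action of the first rule matching this flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst, rule_port in acl:
        if (s in ipaddress.ip_network(rule_src)
                and d in ipaddress.ip_network(rule_dst)
                and rule_port in (None, port)):
            return action
    return "deny"

def audit(acl):
    """Probe representative flows and list where the guest policy is violated."""
    findings = []
    for port in (22, 443, 445, 3389):
        if decide(acl, GUEST_HOST, SENSITIVE_HOST, port) == "permit":
            findings.append(f"guest reaches sensitive VLAN on port {port}")
    if decide(acl, GUEST_HOST, *PROXY) != "permit":
        findings.append("guest cannot reach the proxy")
    for port in (80, 443):
        if decide(acl, GUEST_HOST, INTERNET_HOST, port) == "permit":
            findings.append(f"guest bypasses the proxy on port {port}")
    return findings

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("fixed", FIXED_ACL)):
        print(name, audit(acl) or "no findings")
```

The audit probes one representative host per network, so it catches rule-ordering mistakes like the one in `WEAK_ACL` but is not an exhaustive proof of isolation.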

The video from Trend Micro really hits the message home – I’m suggesting to all our partners that they pass it on to their own customers, with the message that security must be implemented with a holistic approach, as sensitive emails, confidential documents and private boardroom conversations will be as secure as the weakest link in their network.

Most importantly, mobile devices are not to be ignored from a security perspective and looked upon as purely “telephones”; they are now as capable and as dangerous as laptops, if not more so.
