The Mobile Movement – Quantum Security

Kevin Wu, Principal Security Consultant, Quantum Security

Mobile devices have increasingly become an essential part of our everyday lives. It is no longer just a device for making phone calls or sending text messages. We rely on it for wider communication, transaction, navigation, media, Internet, lifestyle applications and more.   

Today in the modern workplace, mobility is seen as an effective way to improve staff productivity. More organisations are embracing the use of technology that enable people to work from anywhere, anytime and on any device. Mobility is no longer a buzzword in technology, it has arrived.

What Are The Risks?

The implementation of Mobility solutions introduces a range of different security risks to organisations. Below are what we believe are the key risks categorised into the top three areas.  

1. End Point Device Security

Using mobility at work means extending the organisation’s network boundaries to the end user mobile device. This increases the surface area for attacks and broadens the organisation’s threat landscape. End user mobile devices are now attractive targets for attackers trying to access the corporate network.

If a malicious person gains control of an insecure mobile device, then the person may use it as an entry point into the organisation’s corporate network to retrieve or modify sensitive data.

2. User Behaviour

The individual behind the mobile device is the guardian of the information which the device has access to. The strength of device controls become less relevant when users are unaware of threats, or demonstrate behaviour that puts both device and information at risk.

If an employee becomes a victim of a social engineering attack, that employee may accidentally disclose or enable access to sensitive data from their mobile devices.

3. Data in Transit

Data will be transmitted across untrusted networks such as the Internet. It is important to ensure that adequate controls are applied to protect the information in transit. 

If the data in transit is intercepted by a malicious person due to the use of poor or no encryption, then the person is able to view or modify the captured information.

What Can Organisations Do?

Organisations can take a few simple steps to ensure that mobility risks are identified and managed. Here are the key recommendations grouped into the top three areas.

1. Security Assurance

Assurance activities such as design reviews, risk assessments and control audits should be undertaken to build confidence that the mobile solutions are securely designed and configured. The scope of the reviews should extend out to mobile devices, reducing the likelihood of insecure builds.

2. User Awareness Training

Mobile and general security awareness information should be made available to inform and upskill employees on how they can help protect devices and information. This reduces the likelihood of employees falling victim to people-focused attacks.

3. Ongoing Monitoring and Response

Active monitoring of the mobility solution should be in place, to allow for early detection of suspicious activity.  This, together with an effective communication and response plan, reduces the impact should a security incident occur.

About the Author

Kevin Wu is a Principal Security Consultant at Quantum Security, specialising in providing technical IT assurance and risk management services.