Jon Fielding, Managing Director, Apricorn EMEA
Defining, implementing and enforcing a mobile security strategy is a challenging task for most IT managers. Corporate management, on one hand, expects effective security measures to be in place but, at the same time, demands that employee productivity remains unhindered. Meanwhile, end users are often reluctant to adopt new procedures and will try to circumvent anything than disrupts their standard working practice. However, it is important to acknowledge that the end users are the first line of defence in any security strategy – and often the first point of attack. In fact, in corporate breaches reported, the highest percentage stems from employee negligence or malice at nearly twice the number of outsider attacks.
Cybercriminals are increasingly focusing their efforts on mobile devices as more and more critical, work-related data is stored on them and taken outside the company premises, and these devices can provide easier access to confidential company information. Additionally, mobile devices, USB sticks, external drives and notebooks are often the targets of physical theft with the added risk that users may lose them or leave them lying around.
Furthermore, USB sticks, in particular, have become a worrying and new vector of attack for authors of malware as we have seen in the past with sophisticated and high profile attacks such as Stuxnet and its new variants, various Trojan horses used to hijack financial directors’ workstations, and the exposures highlighted by the BadUSB exploit. In these instances, malware is delivered directly into the heart of an organisation, through a corrupted USB stick innocently plugged into a corporate machine by the employee, bypassing all gateway protection.
The key to minimising the risks associated with mobile working is to create a security strategy that meets the necessary regulatory and corporate requirements, has minimal impact on productivity and allows automatic adoption and intuitive processes that end users will easily accept. As our work and private lives merge, an effective security strategy needs to extend to both company-issued and personal mobile devices. However, even the best security policy is useless if end users fail to (or refuse to) adhere to the policy. Education and training help make employees aware of the risks and potential consequences of a data loss.
The best and most effective security strategies bypass the risk of human error altogether by relying on security measures that eliminate the opportunity for non-compliance. For example, organisations that only allow secure portable hardware drives with built-in hardware encryption to protect the data and a secure the risk of exposing sensitive data.implementation of its firmware to prevent corruption in support of malware attacks, and that further enforce this policy through device whitelisting, substantially reduc
Moving goal posts
Regulated industries, such as Health Care and Financial Services, generally have stated security policies. We also have cross-industry requirements such as PCI-DSS or cross-geography ones such as the upcoming GDPR regulation. The common theme is that sensitive data must be adequately encrypted, can only be accessed by authenticated users, and must remain encrypted when the storage device is at rest.
Hardware encryption is now increasingly being chosen over software encryption as it delivers a higher level of security and is reliable, fast and convenient. It eliminates the need for regular, costly and time-consuming software updates and the issue of software administrator rights on end user equipment. Another advantage is that some hardware-encrypted drives are platform-independent.
To help implement a strong security policy, mobile drives should support corporate rules for generating complex passwords, for example by specifying minimum length and limiting successive characters. For added security, in case an encrypted drive is stolen or lost, the data saved on it must be protected against brute force attacks such as automated attempts to generate the correct PIN – for example, through auto-lock and self-destruct features.
Both data security regulation and corporate guidelines are constantly evolving in reaction to new and highly publicised data breaches. Taking a solely reactionary approach to IT security will ultimately lead to an ineffective and disjointed strategy. By being proactive and building a security strategy from the end user upwards, IT managers can execute a comprehensive strategy that addresses current needs while being able to adapt to future requirements.
Compared with the cost of a data breach, it is far easier to justify the replacement of a secure hardware drive for a couple of hundred pounds than to weather a multi-million pound hit in fines, reparation costs, brand damage and business revenue stemming from an employee-generated data breach.