Symantec White Paper - Don`t Lose the Data: Six Ways You May Be

WHITE PAPER:
DON’T LOSE THE DATA: SIX WAYS YOU MAY BE
.LOSING
. . . . . . .MOBILE
. . . . . . .DATA
.........................
Don’t Lose the Data: Six Ways You May
Be Losing Mobile Data and Don’t Even
Know It
Who should read this paper
CIO, CISO, VP IT Operations, Mobile Architect, Mobile Program
Manager . This paper briefly reviews the top six threats to your mobile
workforce, matching real-world hazards with really helpful ways you can
take action and achieve the security your business requires.
Don’t Lose the Data: Six Ways You May Be Losing Mobile Data and Don’t Even Know It
Content
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1. Device loss and theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2. Data leakage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
3. Malware and malicious attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
4. Shared devices and passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
5. Jailbreaking and rooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
6. Wi-Fi and wireless snooping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Don’t Lose the Data: Six Ways You May Be Losing Mobile Data and Don’t Even Know It
Introduction
When your workplace is mobile, will your business get carried away?
The mobile devices your employees love to use on their own time have now also become the business tools they use on your dime. Our recent
research tells the story: 65 percent of our surveyed companies give employees network access through their own devices; 80 percent of the
applications these employees use are not based on-premise, but in the cloud; and 52 percent regularly use, not one, but three or more
devices.
Sure, these mobile devices – including smartphones, laptops and tablets – open up new opportunities for portable productivity. But by their
very mobile nature, they also open new vulnerabilities: new ways to lose data, lose protection and lose confidence in the security of your
company network.
Fortunately, productivity and protection can travel together – if you fully understand what the risks are and what you can do to mitigate
them. This paper briefly reviews the top six threats to your mobile workforce, matching real-world hazards with really helpful ways you can
take action and achieve the security your business requires.
1. Device loss and theft
The most obvious risk is often met with the most obvious response: anticipate replacing lost devices. But many working devices are owned by
the employees themselves – the "bring your own device" phenomenon. More importantly, it's what is on the device, not the device itself, that
truly matters. Every lost device is a potential portal to your company's applications and data.
Think we're overstating the issue? In 2012, we put our concerns to the test. In a project we called, "Operation Honey Stick," we "lost" ten
smartphones in each of five major cities: Los Angeles, San Francisco, Washington D.C., New York City and Ottawa, Canada. Every phone was
loaded with simulated corporate data and applications, and then abandoned in high-traffic areas.
In the plus column for humanity, attempts were made to return half of the 50 phones. But from there, the numbers reveal a much bleaker
picture of human nature. On 89 percent of the devices, attempts were made to access personal apps or data – which suggests that even the
erstwhile do-gooders were tempted to do some bad. A total of 83 percent showed attempts to access corporate-related apps or data. A "saved
passwords" file was accessed on 57 percent of the phones; on 49 percent, finders took a poke at a "Remote Admin" app that simulated access
to the corporate network.
Lesson learned: instead of focusing on lost devices, companies need to protect sensitive data that could be potentially lost. Basic device
management must be complemented with policies for app and data protection. At one level, this means having the ability to quickly locate
lost devices and perform remote data wipes; for protection at a deeper level, businesses should secure apps and encrypt corporate data on
the move.
2. Data leakage
Much has been said about threats from "malevolent insiders" who deliberately seek out and share confidential business information. But the
greater threat may be from benevolent, well-intended employees who use cloud-based services, such as email and online collaboration tools,
to simply get more work done more quickly. On the ever-evolving pathway toward greater ease of use (also known as: "consumerization"),
employees feel comfortable working with applications designed for the convenience of consumers, not for the security concerns of
corporations.
1
Don’t Lose the Data: Six Ways You May Be Losing Mobile Data and Don’t Even Know It
But once in the cloud, your business data may be beyond your control. The popular file-sharing and document editing programs employees
like usually lack the access and authorization protocols businesses need for data protection. Without deliberate controls, data can "leak" out
of the corporate IT sphere and into the less secure world of risks
Appropriate app and data protection must take a two-pronged approach to security: 1) enforcement of an application blacklist that prohibits
access to non-approved applications; and 2) deployment of controls that prevent business data from being copied, pasted and/or otherwise
shared via online applications.
Relevant app and data protection capabilities include:
• App-specific authentication
• Data encryption
• Copy/paste blocking
• Disabling document sharing
• Blocking access to modified (rooted or jail-broken) devices
3. Malware and malicious attacks
In hard numbers, many more malware attacks threaten PCs than mobile devices. But the amounts of attacks on mobile devices are growing
at a much faster rate. While traditional IT professionals are not paying much attention to mobile malware, the bad guys see mobile as their
next big growth opportunity.
At risk: identity theft, information exposure and data loss incurred by malicious attacks from trojan horses, monitors, and malware
hitchhikers. Of these, the biggest threat may be "spoofed" apps; under the camouflage of a popular game or application, and the lure of a free
download, these apps sneak malicious code into the device that can skim money from accounts or extract data from business networks.
So-called "security" freeware lacks sufficient brawn and brains to address constantly mutating malware and ever evolving efforts to break
business data barriers. Truly effective threat protection must account for the variations in risk profile among different platforms, and apply
coordinated action to secure business assets against external attacks, rogue apps, unsafe browsing, and even poor battery use.
4. Shared devices and passwords
According to recently published studies, near half of all employees share their devices with friends and family; another 20 percent share their
passwords. Unfortunately, casual sharing of accounts represents the majority of workforce security breaches.
Protecting mobile devices means much more than applying a screenlock. Before users can access business data and applications, it may be
prudent to authenticate their identities. Consider applying a two-factor approach to authentication – the key to successful user and app
access management, and app and data protection – that combines something the user knows (like a password) with something the user has
(such as a token, a fingerprint or a retinal scan).
5. Jailbreaking and rooting
In a BYOD world, it's easy for an employee to introduce a "jail-broken"/"rooted" device into the corporate environment. Such device
modifications can circumvent security protocols, uninstall security features, and open access to previously protected file systems and data
controls.
2
Don’t Lose the Data: Six Ways You May Be Losing Mobile Data and Don’t Even Know It
Businesses need to apply device management policies that apply consistent standards for configuration and security across all devices,
whether they are owned by the company or the employees. Devices that have been modified should be identified and denied access to protect
the corporate network.
6. Wi-Fi and wireless snooping
If it's "free," it's probably fake; any hot spot that conspicuously calls itself "free" is likely to be fishing for data on the move. Users often do not
recognize their vulnerability, and companies have no control or visibility into 3G, 4G and 4G LTE channels.
Complete app, data, and device management policies should protect at two levels:
• Communication, such as corporate email, through secure SSL or VPN connections
• Encryption of corporate data when it is in transit and at rest within mobile devices
To learn more about enterprise mobility that offers complete protection without compromising the user experience, visit
http://go.symantec.com/mobility.
3
Don’t Lose the Data: Six Ways You May Be Losing Mobile Data and Don’t Even Know It
About Symantec
Symantec protects the world’s information, and is a
global leader in security, backup, and availability
solutions. Our innovative products and services
protect people and information in any environment
– from the smallest mobile device, to the enterprise
data center, to cloud-based systems. Our worldrenowned expertise in protecting data, identities,
and interactions gives our customers confidence in
a connected world. More information is available at
www.symantec.com or by connecting with
Symantec at go.symantec.com/socialmedia.
For specific country offices
Symantec World Headquarters
and contact numbers, please
350 Ellis St.
visit our website.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com
Copyright © 2013 Symantec Corporation. All rights
reserved. Symantec, the Symantec Logo, and the
Checkmark Logo are trademarks or registered
trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be
trademarks of their respective owners.
1/2013 21283507