In the world of enterprise mobile security, sometimes horrible situations force security corner-cutting to preserve the company. And COVID-19 forcing companies to empty office buildings and move everything (and everyone) to remote locations and the cloud in March 2020 is the classic example. What led to the security shortcuts was not just the abrupt change to work from home, but the fact that companies typically had to make the transition in a few days.
Add to that increased problems with IoT security — especially as IoT devices in home environments accessed global systems via VPNs, sometimes spreading malware through the pipeline — and you have a mess. A recent Verizon mobile security report put it bluntly: “Almost half of respondents admitted that their company had knowingly cut corners on mobile device security. That’s an increase from our 2020 report when the figure was 46%. The proportion rises to two-thirds [67%] in our IoT sample. And of those remaining, 38% (27% IoT) came under pressure to do so. Another way of looking at this is that 68% came under pressure to cut corners and 72% of those succumbed.”
A quick note to put those numbers in context: It’s a survey. How many security executives knew that they had cut corners, but were scared to admit it in writing? Security pros know better than anyone how easily data can leak. So the reality is likely even worse than the Verizon data suggest.
There is a more frightening issue: as I sit here some 13 months after this happened, far too many holes have yet to be plugged. CISOs and IT teams have been so insanely busy (and understaffed) just trying to keep operations up and to not create any new security holes that they haven’t had the opportunity to fix old vulnerabilities.
This means that C-suite leaders — the CFOs, COOs and CEOs — need to budget and insist on fixes happening.
In the meantime, here are some easy repairs to start to reduce your COVID-related risks:
Dual LANs in remote sites, especially home offices
This is simple to do, relatively inexpensive (worst-case scenario, you’ll need to buy one additional router for each site) and will sharply reduce your exposure to any of the demons coming from the consumer-grade devices in the home, including kids’ games, home IoT devices, and laptops/phones that also visit high-risk sites and freely download God knows what.
The policy rule is simple. As of now, you need to create a corporate-only LAN, and all corporate devices must use that LAN and only that LAN. That means a laptop solely used for work purposes. As for a dedicated phone, that, too. (See suggestion No. 2.)
Please let me stress: The idea here is to completely and thoroughly review BYOD policies, not necessarily abandon them. There are too many variables to pursue that. The key detail: Decide what your enterprise’s plans for remote work will be in late 2021 and all of 2022.
When most enterprises moved to BYOD (not all have, of course), they did so under starkly different circumstances. There has always been a statistical risk analysis to BYOD, namely something like: “Let’s do it, but considering that 90% of enterprise communications are not done on personal mobile, there is a limit to how much trouble we can get ourselves in.” This is the same logic that permitted suboptimal security in home offices before COVID-19. Given that the average enterprise had 10% or fewer of its employees working from home, some considered it unnecessary/not-cost-effective to spend a lot of money to secure them.
But today, with so much more activity happening at remote sites and via mobile devices, BYOD needs to be reconsidered.
Going back to my first suggestion (dual-LAN), there is a limit to risk reduction if the employee/contractor gets inside via a smartphone that is also accessing high-risk sites and includes suspect apps. To get the most benefit from an enterprise-only LAN, you need to get strict, which means rethinking your BYOD policy.
Some other considerations: the partition approach has only been partially successful. One argument for separating personal and corporate data and apps on a phone is that if corporate data is reported missing or stolen, a limited remote wipe can protect enterprise data while leaving personal data untouched.
But that’s delivered mixed results, which in turn has made IT people hesitant to remote wipe. The longer remote wipe is not executed (perhaps to give the employee/contractor more time to try to find the device), the more pointless it becomes. IT and security pros have to assume that a lost phone is in the possession of a bad guy.
A corporate-owned device, in contrast, would presumably be easier to wipe since there’s no danger that personal info would be lost.
Another consideration: smartphones in 2021 are leveraging more and better backup options. That means even a remote wipe won’t secure all enterprise data. Let’s say that an employee or contractor quits, is laid off, or is fired. Those backups are invariably out of the range of IT. In a well-managed corporate device, more data is controlled.
Also, remote wipe today isn’t what it used to be. It once involved literally wiping all data off a phone. Although it still does that technically, most of the time it’s less a wipe than a disconnect from enterprise assets (almost always cloud-based). That still works even on a BYOD device.
Revisit mobile device management
Unlike BYOD, the idea here isn’t to revisit whether you should use Mobile Device Management (MDM) or not — it’s about deciding which provider to choose and whether it’s time to upgrade or revisit your configuration decisions. With mobile now a much more prevalent data-control mechanism, rethinking MDM in 2021 could yield different decisions.
In short, you might be able to cost-justify a higher-level MDM solution today. Crunch the numbers, have the meetings, review product options today, and find out.
Doug Barbin, a principal at the Schellman & Co. consulting firm (and a truly insightful analyst), argues that “MDM technology has advanced, so it’s not all-or-nothing anymore. Everyone rushed into availability, but you don’t need all of this access.” Barbin stresses that IT and security admins focused less on the least-privilege goal than they should have. “They gave users access to everything they needed and then started ratcheting back.”
That’s a textbook example of the opposite of least-privilege.
Dealing with user pushback
The biggest single problem with pandemic-related enterprise security efforts today is the popular user (and often manager) rationalization: “I’m just trying to do my job.”
That’s almost always code for, “Your security requirements are taking too much time and effort. I’m actively trying to now do an end-run around them.” This started right away with COVID-19, when VPNs (seeing massive increases in usage) slowed to a crawl and users desperately tried to sidestep them to get their work done. Line-of-business managers often either applauded those efforts or aggressively ignored them.
That was proof that corporate security and IT pros hadn’t done a sufficiently good job of selling the benefits of adhering to security rules. That needs to be re-evaluated as well.
Companies have learned many lessons in the past 13 months or so, some good, some bad. When it comes to security, now’s the time to rethink how things have been handled in the past and what they should look like going forward.