With enterprise applications now the norm across almost every industry, attackers are having a field day stealing data from business entities rather than from the individual consumers who were their initial targets.
Highly customized techniques are being devised to attack confidential enterprise data through phishing, spear phishing, CEO fraud, and BEC (Business Email Compromise), to name a few.
Enterprises are falling short of effectively preventing and countering these breaches because they lack a comprehensive policy covering every type of device that has access to their data: PCs, smartphones, and tablets.
This article outlines the major causes of these security concerns and how an enterprise's mobile security strategy should address them.
The level of Security Awareness within the workforce is an indicator of the vulnerability of the enterprise.
Most enterprises do not give adequate importance to security awareness programs, reducing them to a mere formality of attending one training session a year. This is the first indicator of how the enterprise will fare on the security rating scale.
Regular training sessions are effective only when they are followed by unannounced employee tests, in which staff are deliberately sent planned phishing emails or exposed to other simulated threats. The number of employees who report the suspicious activity gives an idea of the enterprise's security awareness level.
It is important that employees who fail to recognize these dummy threats are not pressured, so as to maintain a healthy atmosphere that encourages them to report any subsequent security threats.
ROI (Return-on-investment) depends on mobile security strategy
It is a surprising fact that the majority of enterprises do not have any mobile workspace solution to handle security needs across devices. A consistent security strategy must be implemented to ensure that enterprise data is protected even when the workforce logs in from personal devices and from unknown networks.
This requires a comprehensive workspace solution that provides tools such as virtual desktops, data loss prevention, asset management, centralized data store, etc. through a combination of MAM (Mobile Application Management) and MDM (Mobile Device Management). There are several MEAPs (Mobile Enterprise Application Platforms) that provide this solution and help implement policies like consistent enterprise file sync and share, single sign-on, VPN and other development and deployment features.
If a mobile security strategy is implemented correctly, the enterprise will see an overall increase in productivity and application quality, leading to an increase in application downloads. Thus, mobile security strategy and ROI go hand in hand for enterprises.
4 security practices
- BYOD policy implementation
Working from home has become an accepted norm, whether an employee stays in for the day or is out of town for a meeting. In such cases, employees may use their personal devices to access enterprise data and applications.
Although enterprises have accepted that they cannot force users to use company devices at all times (and have allowed personal devices for office work), most of them still underestimate the security breaches that can result. Hence, every enterprise requires a BYOD (bring-your-own-device) policy that provides more protection than secure passwords alone. Applications like PIN Genie Vault provide decoy passwords and snap pictures if someone tries to forcefully access the device.
- Cloud Storage
Cloud migration is predicted to be the number one enterprise mobility trend in 2017. Data stored in the cloud (as well as in critical on-premises hosting solutions) should be closely monitored through role-based access. It should not be stored as-is, but encrypted before being saved to the database.
The cloud-based security implementation should be able to segregate data access by role, in addition to allowing remote retrieval, redaction, and wiping of device data. It should also take regular automatic backups of system data, to ensure data availability in case of ransomware attacks.
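The two controls above, encrypting each record before it reaches the database and releasing decrypted data only to permitted roles, fit together in one component. The following Go program is an added example written for this article, not code from any product it mentions; the table names, roles, `Store` type and the fixed demo key are assumptions, and in production the key would come from a key management service rather than the program.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Role names are hypothetical; a real deployment would take them from its identity provider.
type Role string

const (
	RoleAnalyst Role = "analyst"
	RoleHR      Role = "hr"
)

// readPolicy maps each (hypothetical) table to the roles allowed to read decrypted rows
// from it: this is the role-based segregation of data the article calls for.
var readPolicy = map[string]map[Role]bool{
	"payroll": {RoleHR: true},
	"tickets": {RoleHR: true, RoleAnalyst: true},
}

var (
	ErrForbidden = errors.New("role not permitted to read this table")
	ErrNoRow     = errors.New("no such row")
	ErrCorrupt   = errors.New("stored row is too short to contain a nonce")
)

// Store stands in for the database: every row it holds is nonce || AES-256-GCM ciphertext.
// Plaintext never reaches the rows map.
type Store struct {
	aead cipher.AEAD
	rows map[string]map[string][]byte // table -> row id -> sealed row
}

// NewStore builds a store around a 32-byte key (AES-256).
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, rows: map[string]map[string][]byte{}}, nil
}

// Put encrypts the record before saving it. The table and row id are bound as
// additional authenticated data, so a sealed row cannot be copied into another
// table or under another id without failing authentication on read.
func (s *Store) Put(table, id string, plaintext []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per row
		return err
	}
	sealed := s.aead.Seal(nonce, nonce, plaintext, []byte(table+"/"+id))
	if s.rows[table] == nil {
		s.rows[table] = map[string][]byte{}
	}
	s.rows[table][id] = sealed
	return nil
}

// Get enforces the role policy first and only then decrypts; GCM's tag check
// rejects any row that was modified in storage.
func (s *Store) Get(role Role, table, id string) ([]byte, error) {
	if !readPolicy[table][role] {
		return nil, ErrForbidden
	}
	sealed, ok := s.rows[table][id]
	if !ok {
		return nil, ErrNoRow
	}
	n := s.aead.NonceSize()
	if len(sealed) < n {
		return nil, ErrCorrupt
	}
	return s.aead.Open(nil, sealed[:n], sealed[n:], []byte(table+"/"+id))
}

// RawRow exposes what the database actually holds, to show that it is not plaintext.
func (s *Store) RawRow(table, id string) []byte { return s.rows[table][id] }

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not for real use
	s, err := NewStore(key)
	if err != nil {
		panic(err)
	}
	_ = s.Put("payroll", "emp-1", []byte("salary=90000"))
	fmt.Printf("stored row contains plaintext: %v\n", bytes.Contains(s.RawRow("payroll", "emp-1"), []byte("salary")))
	row, err := s.Get(RoleHR, "payroll", "emp-1")
	fmt.Printf("hr reads: %q (err=%v)\n", row, err)
	_, err = s.Get(RoleAnalyst, "payroll", "emp-1")
	fmt.Printf("analyst reads payroll: err=%v\n", err)
}
```

The point to take from the design is the order of checks in `Get`: the role check happens before any cryptography, and the authenticated tag means a backup restored from a tampered copy, or a row moved between tables, is refused rather than silently returned.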
- Two layered authentication
Although multi-layer authentication is desirable, it is too complex to implement (with OTPs, USB tokens, smart cards, etc.). Two-layer authentication is enough (and essential) to validate that the user accessing the data is indeed an authorized employee, and not an impostor who has broken into the employee's device. This implementation asks for a second indicator, such as an OTP or a secret question, when the user tries to access sensitive data.
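The rule just stated, a password session for ordinary data and a fresh one-time code before sensitive data is released, is shown below in Go as an added example for this article, not code from the original. The OTP part implements RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits) and is checked against the RFC's published test vectors; the `Session`, `Resource` and `Access` names, the one-step clock skew and the 5-minute step-up lifetime are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	totpStep   = 30 // seconds per time step (RFC 6238 default)
	totpDigits = 6
	totpSkew   = 1 // also accept the previous and next step to tolerate clock drift
)

// hotp computes RFC 4226 HOTP for one counter value.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", totpDigits, bin%mod)
}

// totp derives the code for a Unix time by dividing it into 30-second steps.
func totp(secret []byte, unix int64) string { return hotp(secret, uint64(unix/totpStep)) }

// verifyTOTP accepts a code for the current step or its immediate neighbours,
// comparing in constant time so timing does not leak how many digits matched.
func verifyTOTP(secret []byte, code string, unix int64) bool {
	step := unix / totpStep
	ok := 0
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		want := hotp(secret, uint64(step+d))
		ok |= subtle.ConstantTimeCompare([]byte(want), []byte(code))
	}
	return ok == 1
}

// Session records what the user has proven so far (hypothetical shape).
type Session struct {
	User        string
	PasswordOK  bool
	StepUpUntil int64 // Unix time until which the second factor counts as fresh
}

// Resource is a piece of enterprise data; Sensitive marks the ones that need step-up.
type Resource struct {
	Name      string
	Sensitive bool
}

var (
	ErrNotAuthenticated = errors.New("password authentication required")
	ErrNeedSecondFactor = errors.New("second factor required for sensitive data")
)

// Access is the article's two-layer rule: ordinary data needs the password layer,
// sensitive data additionally needs a second factor verified recently.
func Access(s *Session, r Resource, now int64) error {
	if !s.PasswordOK {
		return ErrNotAuthenticated
	}
	if r.Sensitive && now >= s.StepUpUntil {
		return ErrNeedSecondFactor
	}
	return nil
}

// CompleteStepUp verifies the OTP and, on success, marks the session as stepped up
// for ttl seconds; a wrong code changes nothing.
func CompleteStepUp(s *Session, secret []byte, code string, now, ttl int64) bool {
	if !verifyTOTP(secret, code, now) {
		return false
	}
	s.StepUpUntil = now + ttl
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, demo only
	now := time.Now().Unix()
	s := &Session{User: "alice", PasswordOK: true}
	payroll := Resource{Name: "payroll", Sensitive: true}
	fmt.Println("before step-up:", Access(s, payroll, now))
	CompleteStepUp(s, secret, totp(secret, now), now, 300)
	fmt.Println("after step-up:", Access(s, payroll, now))
}
```

Two details matter in practice: the OTP is compared in constant time, and the step-up has a lifetime, so a device that is later stolen with an open session still faces the second layer again once the window expires.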
- Email Security
Even ordinary email providers use two-layer authentication, which is an industry-standard security mechanism. Hackers mostly aim to accomplish identity theft through phishing attacks, while the more sinister among them aim to infiltrate the enterprise's internal systems to steal confidential data. This makes it necessary to have measures in place to encrypt sensitive emails and to educate top-level management about CEO phishing.
As technology advances, enterprise applications become more prone to security breaches and threats, because hackers leverage the same advances to develop 'better' phishing scams and ransomware attacks. So much so that Ransomware-as-a-Service has become a lucrative business. Hackers now focus on business entities, as individual user data has become abundant in the underground market and very few people pay for it. Instead, they hold entire enterprises to ransom by stealing huge chunks of database files. Hence, change management that keeps upgrading security at the same speed as technology is the need of the hour, alongside the basic mobile security strategy implementation.
So, hire Java developers to develop robust client-driven applications, easy-to-use ecommerce and online shopping apps, and various web applications and enterprise security applications with minimal scope for redundancies.