HOW TO IMPLEMENT AN EFFECTIVE MOBILE CYBERSECURITY POLICY WITH FEW RESOURCES?

70% of our time spent online now occurs on smartphones,[1] which are becoming the preferred communication tools for agile organizations with open ecosystems. As a result, mobile traffic will increase sevenfold by 2022[2]. This is why mobile cyber security is a critical issue for CIOs and business leaders: 150 million mobile attacks globally have been identified during the first semester of 2018 alone![3] Faced with this increase in cyber-attacks and the legal obligation imposed by GDPR to protect personal data on all components of an information system, including mobile devices, organizations must find the right balance between their security level, their costs and their teams. Mid-sized organizations and SMEs, often having limited resources, may find it difficult to reach such balance. However, solutions exist to efficiently protect mobile devices without exceeding budget.

User awareness as a first line of defense

70% of security issues are directly associated with employees![4] The first and foremost risk factor in an organization remains human, whether intentional or not. Installing infected applications, sharing documents through a consumer messaging system or connecting to an unsecure Wifi network… Employees are not always aware of the risks they incur for themselves and their organization’s information systems!

Indeed, few employees are really aware of cyber security, and the now widespread BYOD (Bring Your Own Device) trend, which consists in using personal devices for business purposes, greatly increases the risk of theft or loss of business data. Not to mention Shadow IT, which makes it very difficult to control devices and their use. Most often because of ignorance, employees mistakenly think they are protected. This is why it is essential to empower them through awareness training and workshops. By sharing information and best practices tailored to the needs of your employees, your organization can prevent incidents.

Some of the major risks your employees are exposed to:

• Phishing and smishing: Encourage users to look for syntax and grammar errors, check the origin of a message, never click on a link leading to a known organization without going through their official website, and calling a contact directly by phone if their request seems inappropriate, suspicious or unusual.
• Installing applications: Ask them to never download mobile apps outside official app stores (Apple App Store for iOS and Google Play for Android), or using a link included in an email or text message.
• Wireless connection: Encourage them to never connect to a public Wi-Fi network, as “Man-in-the-Middle” type of attacks (technique used to intercept communications through a rogue Wi-Fi hot spot) increase. A 3G/4G connection is much more secure and difficult to hijack.
• Software update: Encourage them to install updates for their OS. These often incorporate new security measures.

Security does not always go hand in hand with budget

While employee awareness and training is a first line of defense against mobile cyber-attacks, it is not enough on its own to counter all threats, as they are becoming more and more sophisticated. Therefore, you need solutions matching your actual needs.

Within an organization, not all users have the same needs… or the same uses. For instance, sedentary employees who do not exchange sensitive data are less exposed and require a lower level of security. For these employees, it is necessary to provide them with professional tools aligned with your organization’s policies, to avoid Shadow IT and known threats.

Mobile or sedentary employees who exchange confidential information will therefore be more targeted. First, it is necessary to assess their uses in order to configure smartphones and tablets according to their profile and specific usage. This will ensure that you deploy the right solutions for their needs.

Then, according to best practices, define a strict internal security policy for mobility: mandatory smartphone activation code, lending smartphones or opening business documents from your personal smartphone is prohibited… You can also implement an administrator-controlled solution that will allow containerization to delimit business uses and personal uses, thus limiting the risks of compromising business data. Similarly, it is possible to limit access to the corporate network based on the mobile user’s authorization level.

Mobile cybersecurity challenges require addressing certain issues beforehand: How many business smartphones in your fleet? What models and OS? What are the main uses? How many mobile employees? Do you have clients or suppliers working in sensitive industries (defense, health, government, etc.)?

Implementing security solutions is not necessarily expensive or complex if the organization is appropriately protected. Prepare different scenarios: theft of business and personal data, sabotage, espionage, etc. How much would disaster recovery cost? What would be the loss of income? What are the risks of financial penalties if the organization does not have a security system in place? What would be the impact on your image? 

The answer to these questions will allow you to adjust your mobile security policy closer to the needs of your users, and, in this sense, closer to the required budget.

[1] Médiamétrie, 2018 – https://www.mediametrie.fr/fr/lannee-internet-2018

[2] According to the Mobile Visual Networking Index – https://www.cisco.com/c/m/en_us/solutions/service-provider/visual-networking-index.html

[3] ThreatMetrix Report, H1 2018 – https://www.globalsecuritymag.fr/Rapport-ThreatMetrix-au-premier,20180912,80763.html

[4] “2017 Cybercrime Report: A Year in Review” ThreatMetrix Report – https://www.threatmetrix.com/info/2017-cybercrime-year-in-review/

Cet article vous a plu ? N'hésitez pas à le partager