In the world of mobile business security, terrible situations sometimes force security shortcuts to keep the business going. COVID-19 forcing companies to empty their office buildings and move everything (and everyone) to remote locations and the cloud in March 2020 is the classic example. What led to the shortcuts was not just the sudden shift to working from home, but the fact that most companies had to make the transition in a matter of days.
Add the growth in IoT security problems, especially when the IoT devices in an employee's home sit on the same network as a VPN link into corporate systems and sometimes push malware down that pipe, and you have a mess. A recent Verizon mobile security report put it plainly: “Nearly half of those surveyed admitted that their company had knowingly cut corners on the security of their mobile devices. This is an increase from our 2020 report, when the figure was 46%. The proportion rises to two thirds [67%] in our IoT sample. And of the rest, 38% (27% for IoT) were pressured to do so. Another way to look at this is that 68% were under pressure to cut corners and 72% of them gave in.”
A quick note to put those numbers in context: it is a survey. How many security directors knew they had taken shortcuts but were afraid to admit it in writing? Security professionals know better than anyone how easily data leaks. So the reality is probably even worse than the Verizon data suggests.
There is a more frightening problem: as I write this, about 13 months after it all happened, there are still too many holes to plug. CISOs and IT teams were so incredibly busy (and understaffed), just trying to keep operations running without opening new security holes, that they never had a chance to fix the old vulnerabilities.
This means that C-suite leaders (the CFO, COO and CEO) must budget for those fixes and insist that they get made.
In the meantime, here are some easy ways to start reducing your COVID-era risks:
Dual LANs at remote sites, especially home offices
This is simple to do, relatively inexpensive (in the worst case you will need to buy one additional router per site) and will dramatically cut your exposure to whatever is lurking on the home network: the kids' games, home IoT devices, a visiting laptop or phone, high-risk sites and free downloads of God knows what.
The policy rule is simple. From now on, you create a dedicated LAN for the company, and every corporate device uses that LAN and only that LAN. That means a laptop used exclusively for work. As for a dedicated phone, that too (see the next suggestion, on BYOD).
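What "a dedicated LAN, and only that LAN" means for the home router is a small forwarding policy, and the quickest way to confirm the policy actually holds is to run it over the router's flow records. The block below is an added example, not code from the article or from any vendor: it models that policy and audits a constructed flow log against it. Everything in it is an assumption for illustration: the corporate LAN is 192.168.10.0/24, the home LAN is 192.168.20.0/24, the router is stateful (as nftables or iptables are), and the log format and interface names are made up.

```python
# Added example (not from the article): a model of the "dual LAN" forwarding
# policy a home router should enforce, plus an audit of constructed flow records.
# Assumptions: corporate LAN 192.168.10.0/24, home LAN 192.168.20.0/24, and a
# stateful router; log format and interface names below are made up.
import ipaddress
import re

ZONES = {
    "corp": ipaddress.ip_network("192.168.10.0/24"),
    "home": ipaddress.ip_network("192.168.20.0/24"),
}

# nftables equivalent of verdict() for a Linux-based router (interface names
# lan_corp / lan_home / wan are assumptions):
#   table inet filter {
#     chain forward {
#       type filter hook forward priority 0; policy drop;
#       ct state established,related accept
#       iifname "lan_corp" oifname "wan" accept
#       iifname "lan_home" oifname "wan" accept
#     }
#   }


def zone_of(ip: str) -> str:
    """Map an address to 'corp', 'home' or 'wan' (anything outside both LANs)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


def verdict(src: str, dst: str, state: str = "new") -> str:
    """Decide whether the router forwards a flow.

    - traffic inside one LAN is switched and never reaches the router ('local')
    - replies to a flow the router already accepted pass (stateful)
    - either LAN may open flows to the internet
    - unsolicited inbound from the internet is dropped
    - nothing crosses between the corporate and home LANs, in either direction
    """
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "local"
    if state == "established":
        return "accept"
    if s == "wan":
        return "drop"
    if d == "wan":
        return "accept"
    return "drop"  # corp <-> home, the whole point of the second LAN


FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):\d+ state=(?P<state>\w+)"
)


def audit(flow_log: str) -> list:
    """Return (line, verdict) for every parseable record in a flow log."""
    results = []
    for line in flow_log.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        results.append((line, verdict(m["src"], m["dst"], m["state"])))
    return results


def blocked(flow_log: str) -> list:
    """Flows the dual-LAN policy drops; on a flat home network every one of
    these would have gone straight through."""
    return [line for line, v in audit(flow_log) if v == "drop"]


# Constructed sample flow log, not real traffic. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the internet.
SAMPLE_LOG = """\
2021-04-12T09:01:07 proto=tcp src=192.168.10.5:51312 dst=203.0.113.7:443 state=new
2021-04-12T09:01:09 proto=tcp src=192.168.20.31:40000 dst=192.168.10.5:445 state=new
2021-04-12T09:01:12 proto=udp src=192.168.20.8:5353 dst=192.168.10.5:5353 state=new
2021-04-12T09:01:15 proto=tcp src=203.0.113.7:443 dst=192.168.10.5:51312 state=established
2021-04-12T09:01:20 proto=tcp src=198.51.100.9:33333 dst=192.168.20.31:23 state=new
2021-04-12T09:01:25 proto=tcp src=192.168.10.5:52000 dst=192.168.20.40:9100 state=new
"""

if __name__ == "__main__":
    for line, v in audit(SAMPLE_LOG):
        print(f"{v:7} {line}")
```

The two records worth noticing are the SMB (445) and mDNS (5353) attempts from the home LAN into the work laptop, exactly the kind of traffic a compromised IoT box generates, and the last record, a work laptop reaching for a home printer: the strict policy drops that too, and if you decide to allow it, do it as one explicit rule rather than by loosening the default.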
Let me emphasize: the idea here is to thoroughly review BYOD policies, not necessarily to abandon them. There are too many variables for a blanket answer. Key detail: decide what your company's plans for remote work will be at the end of 2021 and in 2022.
When most companies moved to BYOD (not all have, of course), they did so under totally different circumstances. There has always been a statistical risk analysis behind BYOD, something like: “Let's do it, but keep in mind that 90% of business communications don't happen on personal mobile devices, so there is a limit to how many problems we can run into.” The same logic allowed suboptimal home-office security before COVID-19. Because the average company had 10% or less of its employees working from home, some felt it was unnecessary, or not worth the money, to spend heavily on securing them.
But today, with far more activity at remote locations and on mobile devices, BYOD needs to be reconsidered.
Returning to my first suggestion (dual LANs), there is a limit to how much risk you can remove if the employee or contractor works from a smartphone that also visits high-risk sites and carries questionable apps. To get the most out of a corporate-only LAN you have to be strict, and that means rethinking your BYOD policy.
A few other considerations: the partitioning approach has been only partially successful. One argument for separating personal and corporate data and applications on a phone is that if corporate data is reported missing or stolen, a limited remote wipe can protect company data while leaving personal data intact.
But this has produced mixed results, which in turn has made IT people reluctant to trigger a remote wipe at all. The longer the remote wipe is delayed (perhaps to give the employee or contractor more time to find the device), the less useful it becomes. IT and security professionals should assume that a lost phone is in the hands of a bad actor.
A company-owned device, on the other hand, is easier to wipe because there is no danger of destroying personal data.
Another consideration: 2021 smartphones enjoy more and better backup options. That means even a remote wipe will not protect all of your business data. Suppose an employee or contractor resigns, is laid off or is fired. Those backups are rarely within IT's reach. On a well-managed corporate device, more of that data is under control.
Also, remote wiping today is not what it used to be. It once meant literally deleting all the data on the phone. Although that technically still happens, it is often less a deletion than a disconnection from the company's assets (almost always cloud-based). That still works even on a BYOD device.
Examine mobile device management
Unlike BYOD, the idea here is not to re-examine whether you should use Mobile Device Management (MDM) at all; it is to decide which one to choose and whether it is time to update or revisit your configuration decisions. Now that mobile devices are a far more common way of handling corporate data, rethinking MDM in 2021 could lead to different decisions.
In short, you may be able to justify the cost of a top-tier MDM solution today. Run the numbers, take the meetings, review today's product options and find out.
Doug Barbin, director at the consulting firm Schellmen & Co. (and a truly insightful analyst), says that “MDM technology has advanced, so it is no longer all or nothing. Everyone was in a hurry to be available, but you don't need all this access.” Barbin points out that IT and security administrators have focused less on the goal of least privilege than they should. “They gave users access to everything they needed and then began to withdraw it.”
That is a textbook example of the opposite of least privilege.
Consider the user's rationalizations
The biggest problem with pandemic-era business security today is the popular rationalization of the user (and, often, the administrator): “I'm just trying to do my job.”
That is almost always code for “Your security requirements take too much time and effort, so now I'm actively trying to get around them.” It started immediately with COVID-19, when VPNs (which saw massive increases in usage) slowed down and users desperately tried to bypass them to get their work done. Line-of-business managers often applauded those efforts or aggressively ignored them.
This was proof that IT and corporate security professionals have not done a good enough job of selling the benefits of following the security rules. That, too, needs to be re-evaluated.
Companies have learned many lessons over the last 13 months, some good and some bad. When it comes to security, it is time to rethink how things were handled in the past and what they should look like in the future.