Five key assumptions to make when considering mobility security

Imation's Jon Fielding sets out some key truths to consider when formulating security strategy

However you choose to roll out enterprise mobility, be it BYOD, COPE, CYOD, virtual desktops, Windows to Go USB sticks or any of the other myriad strategies, the thought processes and strategies around data security have many common features. At Computing's Enterprise Mobility and Application Management Summit today, Imation's director of sales EMEA, Jon Fielding, outlined five key assumptions that every IT department should make when it comes to mobile security.

1. Assume the worst

"You have to be paranoid," Fielding said. "You have to deploy defences assuming the worst."

In the mobile age everything has changed, he explained: "The corporate boundaries have come down. If you want to increase productivity by allowing people to work outside the organisation, you necessarily open up new avenues of risk."

It is important that firms think carefully about all these avenues and set up defences to protect them, he went on, but this must be done in a way that is invisible to the end user, which brings us to the second assumption.

2. Assume that users value convenience more than security

Most users are not fully aware of the range of data security threats, and anyway they will probably not be fired if sensitive data goes missing. (The CIO, on the other hand, just might...)

Therefore, in any contest between security and convenience, convenience will always win. With multiple alternatives available, employees will always find a way around onerous security measures.

"You want to make sure the security is invisible to the user. If they have to take three steps to do something that could take one step, particularly if it is something they use on a regular basis, they will get round it," Fielding said.

3. Assume employees will plug their personal devices into the network, even if they are not supposed to

This is the issue of shadow IT and follows on from the second assumption. People will use their own devices no matter how many security edicts are emailed out warning them of the dangers. It's just too easy to do so, especially if security measures create a barrier to legitimate usage. Of particular concern are corrupt USB devices, which Fielding says represent the fastest-growing vector for the introduction of malware.

"An employee's kids have been on some website they shouldn't on the home PC. He brings in his USB and plugs it into the network. Because the autorun file has been corrupted, the malware is injected directly into the veins of the organisation and there's nothing you can do at that point because the anti-virus is only as good as what it knows and this stuff is changing all the time."

The BadUSB flaw disclosed by researchers last year exacerbates this issue, he said. "If the architecture of a USB drive isn't securely implemented then [an attacker] can manipulate the firmware to make it look like any other USB peripheral and thus initiate an attack."

4. Assume storage devices will be lost and IT not informed

In a large organisation, someone's portable computing device or USB storage drive will inevitably be lost or stolen, and probably sooner rather than later.

"You can identify every single form of attack, but you still can't stop user error," Fielding said. "So the question is, what are you going to do about it?"

The answer is to ensure all storage devices are encrypted and to have a console-based management system that can track each device whenever it is switched on or, in the case of a USB stick, plugged into a networked machine, and can then disable it temporarily, wipe it or kill it outright via MDM or MAM software.

5. Assume an organisation's first and last defence against a security breach is its own employees

Employees need to know how to protect their systems and also what to look out for.

"Encouraging better security can be prescriptive, as with rules about how you can use this or that device for work, or it can be educational," Fielding said.

"I think you need a bit of both. If it's too prescriptive an environment, you don't get any buy-in. If you can explain to employees that this is for their benefit, that it is these security measures that enable them to work more flexibly and have the freedom to work how they want to, you have a much better chance of getting it adopted."