By now we’ve all heard the term Bring Your Own Device (BYOD). This phenomenon is becoming increasingly popular as people have access to far more advanced consumer tech in their personal lives and wish to replicate this in the business environment.
As a result, many are worried about the security of business data stored locally on devices. While this is a legitimate concern, one that in reality also applies to company-owned devices, there is a bigger threat: the credentials stored on mobile equipment. This was brought up in the recent X-Force document, a quarterly report on the state of cyber security published by IBM, and prompted me to consider the issue further.
Think about how many passwords are saved on the average smartphone. Whether it be email, mobile apps, web applications, or even simple web pages, there are probably quite a few because users like the convenience of immediate access. But what if the device is compromised? The bad guy(s) responsible now also gain immediate access to all of the same applications and services.
Now, for the average smart device owner this may not be much of a concern. However, when we consider who is currently using mobile technology in a business context, we find it’s a lot of execs or managers. Should their stored credentials fall into the wrong hands, potentially far more sensitive information could be accessed than that actually resident on the device. This could be anything from intellectual property to financial data all the way through to personal information.
This is a real risk, so how can it be dealt with? Below are solutions that represent a good starting point:
- Education – Many security breaches come from inside the company. This could be due to malicious intent or users simply not knowing what they don’t know. Mobile security is no different. Training is one way to reduce the chance of these situations occurring and regular refresher courses can decrease this further.
- HR policy – Some guidelines, such as using strong passwords, setting short time-out periods and regular password changes, can be rolled out as formal policies. And, where appropriate, employees can be made subject to disciplinary action if particularly important policies are not adhered to.
Of course, besides managing people, technology can also be used to help minimise the risk. Relevant solutions include:
- Two factor authentication – Users can be forced to use a password and another method of authentication, such as a randomly generated one-time PIN, to get into an application/service.
- Splitting the device – Vendors are now offering software to separate the business and personal side of smartphones/tablets. The business side is accessed with a separate password (or two factor authentication mechanism) after accessing the personal side. This part of the device contains separate company applications, and the data it holds is encrypted.
- Central policy enforcement – The rules mentioned previously can be managed through appropriate tools such as MDM, EMM, etc. (see here for a fuller discussion of this).
The main point is that the risk of stored credentials is often overlooked or set aside in the name of convenience. No matter how much users grumble, however, it is a threat that needs to be taken seriously. By not protecting yourself from these dangers you could provide the first step for more severe security breaches.
Content Contributors: Jack Vile