Implementing mobile security in the BYOD era

In Singapore as around the world, the Bring Your Own Device (BYOD) trend is becoming commonplace, with Forrester Research predicting that 350 million employees globally will use smartphones and 200 million will bring their own mobile devices to the workplace by the year 2016. BYOD is touted to increase productivity and worker efficiency, as well as improve employee satisfaction. But the real challenge presented by BYOD for businesses is security – IT administrators are unprepared to deal with security issues that may occur as a consequence of bringing personal devices into the workplace, such as dealing with lost or stolen devices, many of which will have confidential corporate data on them.

The proliferation of mobile devices, combined with increasingly savvy cyber criminals, means that the risk of mobile security incidents is rising, and these incidents can be very costly. A research report by Check Point revealed that 79% of companies had reported security incidents in the past year, whilst the cost cited as a result of these incidents exceeded $500,000 for 52% of large businesses.

A key concept in combating this risk is the separation of personal and work data, as in the containerization approach. This approach gives businesses an avenue to address the risk and thereby meet the request of employees who wish to use their own mobile device for business. Containerization creates a designated separation between work and personal use, with only the corporate information, held within a distinct container, being controlled by the mobile device management (MDM) system. The separation goes further in that it disables the ability to copy business data to the personal side of the device, i.e. personal apps or storage. Employees benefit because their personal content stays private, as it is not controlled by the MDM; the business benefits because all work content is controlled and secure.

But aside from the approach, what are some of the criteria which businesses should examine when selecting a security solution? I would like to take this opportunity to share a little bit on the key elements of mobile security.

One of these is encryption technology, which is critical to protecting the confidentiality and integrity of a digital transaction between two endpoints, such as a mobile device and a corporate server located behind a firewall. Providing an integrated approach to mobile security, in which data is encrypted while at rest (stored on a digital device) and in transit (during transmission), is the best protection against the loss of data or a security breach that could impact the profitability, competitiveness, or reputation of an organization.

Strong encryption guards against data being compromised in an untrustworthy environment, such as an external network, or in sensitive sectors such as the military, where data is a high-potential target. It’s important to note that encryption technologies differ significantly in the degrees of protection they offer. At the highest level, AES-256 encryption delivers unsurpassed encryption capabilities.

To gain a deeper understanding of encryption we need to dive into the realm of cryptography and explore the topic of entropy, which plays a significant role in determining the effectiveness of a modern encryption system. At a high level, entropy is a measure of how much randomness you have. Simply put, the more entropy you have the more effective your encryption can be. Consider the differences between seeking a needle in a haystack and looking for one hidden in an acre’s worth of haystacks. The procedures are essentially the same; it’s the level of difficulty and complexity that differs substantially between the two scenarios. A secure end-to-end solution for mobile security will rely on multiple sources of entropy to create a dynamic and effective security environment that ensures encrypted data remains unreadable until it is decrypted at the end of its transmission.
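The haystack comparison can be made concrete. The following is an added example, not part of the original article: it shows that a 256-bit key is only as hard to guess as the secret it was derived from. The function names, the fixed salt and the sample PIN are all constructed for illustration.

```python
import hashlib
import math
import secrets

AES_KEY_BITS = 256  # key length the article names (AES-256)

def source_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret whose symbols are chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def effective_key_bits(source_bits: float, key_bits: int = AES_KEY_BITS) -> float:
    """A derived key is never harder to guess than the secret behind it."""
    return min(source_bits, key_bits)

def derive_key(secret: bytes, salt: bytes) -> bytes:
    """Stretch a secret into a 32-byte key. The iteration count is kept tiny
    so the demo runs quickly; it is not a recommended setting."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 50, dklen=32)

def guesses_until_match(target_key: bytes, salt: bytes, candidates) -> int:
    """Count candidate secrets tried before the derived key matches."""
    for tried, candidate in enumerate(candidates, start=1):
        if secrets.compare_digest(derive_key(candidate, salt), target_key):
            return tried
    return -1

def four_digit_pins():
    """The whole haystack for a 4-digit PIN: 10,000 candidates."""
    return (f"{n:04d}".encode() for n in range(10_000))

SALT = bytes(16)       # constructed fixed salt so the run is repeatable
SAMPLE_PIN = b"7391"   # constructed sample secret

if __name__ == "__main__":
    pin_bits = source_entropy_bits(10, 4)
    rnd_bits = source_entropy_bits(256, 32)  # 32 bytes from a CSPRNG
    print(f"4-digit PIN : {effective_key_bits(pin_bits):6.2f} effective bits")
    print(f"random key  : {effective_key_bits(rnd_bits):6.2f} effective bits")
    key = derive_key(SAMPLE_PIN, SALT)
    print("PIN-derived key found after",
          guesses_until_match(key, SALT, four_digit_pins()), "guesses")
    # A CSPRNG key has no small candidate list to walk through.
    print("fresh random key:", secrets.token_bytes(32).hex())
```

Both keys are 256 bits long, but the PIN-derived one sits in a haystack of 10,000 candidates, while the randomly generated one keeps the full key space.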

The other discussion area that I would like to bring up is spyware. Businesses or organizations using mobile devices that have open development platforms are especially susceptible to attempts to exploit users through spyware. It is also a favorite tool of cyber criminals, who are increasingly targeting mobile devices as access points into the confidential data of organizations for purposes that range from nuisance to nefarious. Disguised within a consumer application, malware can be used to gain access to personal information, for anything from marketing to identity theft to compromising corporate data. This real and growing threat requires security solutions that properly safeguard the privacy of governments, enterprise workers, and individual users. 

The fact that the number and utility of mobile devices will only increase means that the boundaries of the modern organization will be stretched to include hundreds or even thousands of mobile end points possessing access to the most precious assets, such as intellectual property. Security in this environment cannot be an afterthought. It must be built in at every layer — hardware, software, and network infrastructure — to ensure end-to-end protection.

Ian Gardner is Director, APAC Enterprise Business Unit, BlackBerry