The threat of employees bringing their own smartphones and software to work was entirely overblown. But consumerisation can still be a headache.
A wave of consumer tech, it was once thought, would crash upon the enterprise with disastrous consequences for anyone who didn’t prepare. Careless employees, the story went, would bring in their iPhone and use it to leak corporate data, or lose an unencrypted device. Consumer services like Gmail and Facebook were another leakage point. Then came perpetually vulnerable Android devices. And today, businesses continue to grapple with so-called “shadow IT”, where employees find better apps than what the IT department makes available.
However, nine years after the iPhone arrived, there’s no evidence that ties a smartphone or personal cloud apps to a major data breach, as the numbers in Verizon’s 2016 Data Breach Incident Report (DBIR) demonstrate. That’s despite an abundance of critical vulnerabilities in Apple’s iOS and Google’s Android, a huge rise in mobile malware, and the fact that a smartphone’s size makes it easier to lose than a laptop.
“Phishing still works, ransomware still works, there are still loads of vulnerabilities [on desktop software] that are still exploitable months and years after they are published, and weak passwords, default passwords. All that stuff is still working,” Laurance Dine, managing principal at Verizon Enterprise Solutions, told CSO Australia.
The 2016 DBIR found that weak, default or compromised passwords were behind 63 percent of breaches in a dataset consisting of 100,000 incidents.
The report included nearly 10,000 incidents of physical theft and loss of devices. Laptops, according to Verizon, were the top asset in this category, but even they were a distant second to paper when it came to confirmed data breaches, due to controls like encryption.
“If you lost your laptop without encryption, I don’t need your password. On a mobile device, I need your passcode,” said Dine, pointing to Apple’s recent dispute with the FBI over its troubles brute-forcing an iPhone’s passcode.
The absence of smartphones from the report, however, doesn’t mean they shouldn’t be a concern. Dine said he is regularly called on to break into mobile devices for cases involving intellectual property theft, though that’s typically between two people using SMS or Apple’s iMessage to collude to steal data, or when a whole team moves from one business to another.
The other frequent focus of mobile investigations is location data on the phone, used to establish where a person was at a particular time and date. Even when granted physical access to a smartphone, Dine said extracting that data was difficult due to the sheer variety of hardware.
“We think at some stage mobile devices are going to be more prominent. Personally, I have not, in any of the breaches that I’ve investigated, traced it back to a mobile device,” said Dine.
Dionisio Zumerle, a mobile security research director at analyst firm Gartner, said he agrees that malware on mobile devices is an overstated concern. However, he still sees a problem in “leaky” third-party apps, such as cloud file storage services or apps that hoover up contact lists.
“They don’t do anything malicious but that behaviour can clash with corporate policies,” said Zumerle.
The next frontier that Zumerle sees complicating corporate policy is virtual personal assistants, like Apple’s Siri, Microsoft’s Cortana and Google Now, where users interact less with single apps than with an underlying system that recommends and predicts what people want.
Artificial intelligence (AI)-powered features are quickly arriving in consumer products, and Microsoft, Facebook and Google are pushing this technology towards the enterprise.
In Google CEO Sundar Pichai’s first ‘founder’s letter’ in April, he outlined the search company’s vision for the enterprise as one powered by Google data centres, analytics and AI, connecting directly to employees through their smartphones.
“Your phone should proactively bring up the right documents, schedule and map your meetings, let people know if you are late, suggest responses to messages, handle your payments and expenses,” said Pichai.
Likewise, Microsoft is working to integrate Cortana with Office 365 and its Power BI dashboard.
The catch here for the enterprise is that the model of blacklisting or whitelisting certain apps may not fit so neatly within such integral components of a device's platform, leaving customers at the whim of the vendor to make them enterprise-ready.
“If you look at all these technologies, apart from policies that say avoid using certain applications when you’re sending sensitive data, the only technological answer that can come is from the vendor themselves,” said Zumerle.
One example of this dependency on the vendor is Google opening up application programming interfaces (APIs) to better support mobile device management (MDM) on Android. Another is Evernote for Business, which allows users to create separate work and personal spaces.
In the present, however, many organisations are dealing with a much messier shadow IT challenge: how to improve security while at the same time supporting hundreds or potentially thousands of applications that have a legitimate business use. Blacklisting and whitelisting applications both present their own challenges, depending on the environment.
“If there is a purported ‘better way’ to handle a specific workload, it will have worked its way into the environment,” Mike Weber, vice president of penetration testing firm Coalfire Labs, told CSO Australia.
Weber said whitelisting would be the better option for controlling shadow IT, and that organisations should consider delivering web-based service offerings through the user’s whitelisted browser.
Still, getting a handle on shadow IT may be less a matter of technology choice than process and IT security teams communicating with different business teams.
“You may need to be open to approving ‘sanctioned’ — as opposed to supported — services that have had proper due diligence and accept the risks of using a cloud provider,” said Weber.
“In these sanctioned solutions, IT and the business may have to develop agreements on support and costs, but that can be a way to reduce “Shadow IT” instead of these offerings being considered as a formal part of the IT ecosystem,” Weber added.
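Getting a handle on shadow IT starts with knowing which cloud services employees are actually reaching, so that IT and the business can sort them into supported, sanctioned and not-yet-reviewed tiers. The following script is an added example written for this article, not code from Verizon, Gartner or Coalfire: it parses a few constructed web-proxy log lines, maps each destination host to a registered domain, classifies it against hypothetical `SUPPORTED` and `SANCTIONED` sets, and ranks the unreviewed services by bytes sent outbound, which is the list a security team would take to the business units first. The log format, service lists and domain handling are all assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (not from the article): timestamp, user, destination host, bytes sent.
SAMPLE_PROXY_LOG = """\
2016-05-12T09:01:22 alice outlook.office365.com 2048
2016-05-12T09:02:10 bob drive.google.com 51200
2016-05-12T09:03:45 alice www.evernote.com 4096
2016-05-12T09:05:01 carol dropbox.com 1048576
2016-05-12T09:05:30 bob api.dropbox.com 2097152
2016-05-12T09:07:12 dave pastebin.com 8192
2016-05-12T09:08:00 carol www.dropbox.com 512000
"""

# Hypothetical service tiers, following the article's distinction between
# IT-supported services and business-sanctioned ones that passed due diligence.
SUPPORTED = {"office365.com", "sharepoint.com"}
SANCTIONED = {"evernote.com", "google.com"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def parse_line(line):
    """Parse one proxy log line into a dict, or return None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "user": m["user"], "host": m["host"].lower(), "bytes": int(m["bytes"])}


def registered_domain(host):
    """Reduce a hostname to its last two labels (naive; real code would consult the public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def classify(host):
    """Return 'supported', 'sanctioned' or 'unknown' for a destination host."""
    domain = registered_domain(host)
    if domain in SUPPORTED:
        return "supported"
    if domain in SANCTIONED:
        return "sanctioned"
    return "unknown"


def shadow_it_report(log_text):
    """Return (per-tier request counts, unknown domains ranked by bytes sent, with users and request counts)."""
    tiers = Counter()
    unknown = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        tier = classify(rec["host"])
        tiers[tier] += 1
        if tier == "unknown":
            domain = registered_domain(rec["host"])
            entry = unknown.setdefault(domain, {"users": set(), "bytes": 0, "requests": 0})
            entry["users"].add(rec["user"])
            entry["bytes"] += rec["bytes"]
            entry["requests"] += 1
    # Rank unreviewed services by outbound volume: the ones most worth a due-diligence conversation.
    ranked = sorted(unknown.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return dict(tiers), ranked


if __name__ == "__main__":
    tiers, ranked = shadow_it_report(SAMPLE_PROXY_LOG)
    print("requests by tier:", tiers)
    for domain, info in ranked:
        print(f"unreviewed: {domain} users={sorted(info['users'])} requests={info['requests']} bytes={info['bytes']}")
```

Run against real proxy or DNS logs, the “unknown” list becomes the agenda for the IT-and-business conversation Weber describes: each domain either gets due diligence and moves into the sanctioned set, gets a supported alternative, or is blocked.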