Mobile Cyber-Security: A new approach

Accenture suggests four principles to effectively guide development of a security strategy or initiative for mobile technologies.

Overview

From smart phones to tablets to laptops, mobile technologies have become a standard part of work life, offering productivity and efficiency gains as well as enhanced services for customers. But there’s a catch: The ways in which these technologies interweave work life and personal life raise a major security challenge for companies, government agencies, and other organizations.

Mobility comes with risks that are different from the standard enterprise IT environment. Mobile technologies require a different response from the executives charged with defending their enterprise from cyber attacks and enabling the enterprise to improve operations and expand their markets more effectively. Learn more about the nature of the risks and a set of principles developed by Accenture Mobility that can guide IT executives as they plan cyber security initiatives for a mobile work world.

Background

The competitive and productivity benefits of mobile technologies have driven widespread adoption. Smart phone sales roughly doubled in the last quarter of 2010—and four out of every 10 iPhones sold during that period went to users who worked for large corporations. It would appear that tablets are beginning a similarly strong growth curve. 

In tandem, connection has become near ubiquitous through Wi-Fi, mobile hotspots, Bluetooth and other networks. 

For mobile phone manufacturers, however, security features remain a relatively low priority, forcing employers to worry about how to secure these devices and protect their corporate networks. The security challenge will be broadened as other types of mobile technologies bring new functionalities to business operations, particularly in the machine-to-machine space, which will include remote medical diagnosis, sensors in smart electricity grids and mission-critical military field operations.

Mobility Risks

Companies are making progress in improving the security of their products, which is forcing cyber criminals to focus more on mobile devices. Here are a few ways your data can be compromised.

Theft, loss, or improper decommissioning of devices and data. Smart phones, tablets, net books, and similar devices are relatively small and easy to steal or lose. Compromised devices can be mined for sensitive data. Attackers have become more sophisticated and can use forensic techniques to recover data that the owner thought was deleted.

Compromise via wireless technologies. Wi-Fi, cellular, and Bluetooth can now be combined into one device. Integrated GPS can track a user’s location, and attackers can gain unauthorized access to private networks. Wi-Fi can be picked up from miles away, and hackers have demonstrated that they can intercept and decrypt cellular data traffic.

User habits. Users often lack the proper awareness of and training in the risks posed by accessing corporate resources while mobile.

Malicious code. Viruses, worms, and Trojans are being created specifically for mobile devices. Malware download and execution typically needs the acceptance of the user, but there are cases where this interaction is not required and a malicious SMS can lodge automatically on the user’s phone.

Location disclosure. While most apps have privacy settings for controlling how and when location data is transmitted, many users are unaware, or forget, that the data is being transmitted.

Phishing. An attacker collects user credentials (passwords, credit card numbers) using fake apps or SMS messages that appear to be genuine.

Spyware. A smart phone with spyware installed allows an attacker to access or infer personal data.

Network spoofing attacks. An attacker deploys a rogue network access point and users connect to it. The attacker subsequently intercepts the user communication to carry out further attacks such as phishing.

Diallerware. An attacker steals money from the user by means of malware that makes hidden use of premium SMS services or phone numbers.

Impact on customers. Subscriber data manipulation or other negative experiences can increase customer care costs, customer churn, open liability exposure, and corrode the brand image.

Network congestion. Network resources may get overloaded because of unauthorized smart phone usage, leading to network unavailability for genuine users.

Figure: Mobile malware can enter a device at many points, so security should take an end-to-end approach.

Security Principles

Accenture’s experience working with a wide range of companies and public sector organizations shows that it’s worth rethinking security strategy as it applies to mobility. Mobile security is sometimes deemed less worthy of company resources than infrastructure security because the risks appear to be lower. But in many cases, the risks have not been accurately identified or the potential negative impact has not been properly assessed.

Accenture recommends the following principles to effectively guide development of a security strategy or initiative for mobile technologies.

  1. Address four main layers of security.
    The network, device, application, and back-end system.
    The network. Wireless networks are relatively open and can be used as a door through which to mount an attack. CIOs should demand that their network service providers, whether for IT or cellular communications, demonstrate what kinds of countermeasures and policies are in place and whether they can be audited.

  2. Build a hardnosed “culture of security”.
    Organizations that exhibit a culture of security make responsibilities and accountabilities explicit, by putting in place strong policies and processes.

  3. Use carrots, not just sticks, to motivate behavior.
    Organizations that embrace mobility in a thoughtful way are bound to add value to their employees and their customers. This may require negative reinforcement at times, such as prohibiting certain behavior, but also should include positive reinforcement.

  4. Know your enemy.
    There are all types of technology users out there, ranging from the everyday to the rogues and the clueless. To fully reap the benefits of mobile technologies, companies and government agencies will need to become more aggressive about securing mobile devices and enterprise environments.

Recommendations

Accenture employs a “defense-in-depth” strategy that protects the information accessed by mobile users through a balanced approach incorporating people, processes, and technology. Accenture can tailor an engagement of any size and scope using secure, platform-agnostic, industry-relevant mobile solutions that can integrate seamlessly with legacy systems and processes.

Specific offerings may include, but are not limited to, the following:

  • Develop or revise existing IT policy to support or prohibit the use of the specific mobile devices

  • Provide cost-benefit analysis

  • Develop an enterprise security strategy for managing, integrating, protecting, and supporting capability-driven mobile devices

  • Engineer IT systems and networks to support mobile services and applications

  • Perform risk assessment to determine vulnerabilities and impact on mobile platforms

  • Conduct mobile and wireless penetration testing and threat analysis

  • Support Certification and Accreditation (C&A) of mobile infrastructure

Learn more about Accenture's full range of mobility services, or contact us to find out how we can tailor a mobile security solution that adds value to your business.
