Smartphones have revolutionized the way in which we do business. Unfortunately, the same features that have made smartphones easy to carry, use, and modify have also left them vulnerable to a wide range of cyber threats, from malware downloads and phishing scams to connection hijacking, rootkits, and authentication attacks.
For their part, smartphones have done little to address security concerns. Technical measures such as firewalls, antivirus, and encryption, which are commonplace on PCs, are seldom found on smartphones. It is possible, of course, for organizations – particularly those involved in high-security work such as defense and intelligence – to couple employee devices with Mobile Device Management (MDM) systems.
MDMs do a good job of ensuring basic smartphone security, reducing risks from malware and coping with lost or stolen devices. They are able to report and measure device compliance, control password length and complexity, freeze or wipe a lost device, and configure and update apps. Unfortunately, even if the MDM is able to turn off smartphone settings, the device's OS will continue to collect and retransmit often sensitive data, as well as Wi-Fi and Bluetooth information, to the OEM and its ad-tracking platform.
This constant flow of information is, after all, a vital component of the OEM’s business model. These companies need a path to monetization, and selling targeted advertising by providing detailed information about users’ smartphone activity is it. And while collecting such data may represent an annoyance for the average smartphone user, it represents a major problem for high-security workers who need their smartphones for the productivity benefits they provide.
To date, high-security organizations have tended to respond to this issue by either accepting the fact that security risks are likely to be present in their employees’ smartphones, or eliminating all consumer-grade devices entirely and equipping workers with custom-built, highly secure devices instead. Clearly, neither of these options is acceptable. An organization that depends on a high degree of security simply can’t look the other way and tell its employees to “hope for the best.” Custom-built phone solutions such as the SME PED, however, have proven incapable of delivering comprehensive security.
The same holds true for the Mobile Device Fundamentals Protection Profile (MDFPP), often used to certify mobile devices for government use. While conforming to the MDFPP does provide strong protection against data loss, it fails to address the broader threat stemming from the data trails produced by these devices. It also doesn't contemplate real use case requirements, such as covert use or the use of smartphones in secure facilities.
Complicating all of this is an ever-growing list of mobile security threats. A recent article in Forbes notes that there were three times as many ransomware attacks in the first quarter of 2021 as there were in all of 2019, and those attacks have become increasingly sophisticated. Similarly, new threats using machine learning and artificial intelligence are constantly emerging, as is the use of mobile malware and penetration tools, which are largely responsible for the increase in data exfiltration and extortion attacks.
To counter these trends, some high-security employers are beginning to take a different approach to security: modifying their workers’ own smartphones by replacing the original OS with a mobile security platform which provides them with complete control over how employee devices behave while allowing workers to access the features and functions which make the devices productive. This enables the organization’s IT administrator to approve or blacklist certain apps, block app installation by third-party sources, and impose restrictions on a per-container basis.
Modifications most organizations want typically involve disabling Wi-Fi and Bluetooth, controlling user location and activity tracking, limiting advertising tracking codes, and overriding built-in data collection capabilities. To that end, organizations should be looking for a mobile platform which provides them with a wide range of device controls, including: no pre-installed apps (eliminating the threat of bloatware); whitelists and blacklists for app installation; Google-free devices and containers; always-on VPN implementation per container; and Stingray prevention through cellular connectivity controls.
Ideally, containers should also be configured so that they automatically shut down when not in use. This prevents them from accessing memory or CPU and enables the employer to further boost security in the unlikely event that a container is compromised. If that were to happen, malware in the individual container would not be scheduled or given any resources while the container is not in use. With the malware unable to access resources or execute in any way, it would be unable to infect any other containers on the device.
Centralized policy management is, of course, essential to controlling employee devices, as well as distributing policy updates and deployments. With it, high-security employers can alter employee smartphones so that they can include a geo-fenced, policy-controlled setting capable of locking down all radios, cameras, and microphones. Activating this setting will prevent social media, maps, and other leaky apps from communicating without the user’s knowledge. It will also provide both verifiable control over access to device interfaces and the ability to manage all containers (not simply the work container) on employee devices.
Just as important, an employer-controlled secure setting could put an end to the practice of high-security workers carrying one device for work and a second device for personal use. Users (or security guards during employee check-ins) would have the capability to quickly switch between containers on the same phone. And by shifting to the approved secure setting, workers would be able to use their smartphones in designated secure areas where they can safely connect to an internal wired network. This enables the device to function as intended, providing productivity features without risking sensitive information. Bottom line, it makes high-security facilities truly “high security” by encouraging productivity and innovation without sacrificing safety and security.
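The geo-fenced secure setting, per-container always-on VPN, app allow/deny lists and container shutdown described above can be expressed as a small policy engine. The following is an added, hypothetical illustration written for this article (not code from any vendor's platform); the geofence coordinates, app names and the `managed_store` source label are constructed sample values.

```python
from dataclasses import dataclass, field
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_M = 6_371_000.0
# Every interface the secure setting is expected to lock down.
INTERFACES = ("wifi", "bluetooth", "cellular", "camera", "microphone")


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


@dataclass
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float

    def contains(self, lat, lon):
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


@dataclass
class ContainerPolicy:
    name: str
    allowed_apps: frozenset        # explicit allowlist; anything not listed is denied
    always_on_vpn: bool            # VPN must be up whenever radios are enabled
    third_party_sources: bool      # may apps be installed from outside the managed store?
    secure_fences: list = field(default_factory=list)  # geofences (e.g. a secure facility)


def evaluate(policy, lat, lon, active=True):
    """Effective state of one container at a location.
    Inside any secure geofence every radio, camera and microphone is locked and the
    device is expected to use the facility's wired network instead of a VPN; a
    container that is not in use is suspended and gets no interfaces at all."""
    if not active:
        return {"state": "suspended", "vpn_required": False,
                "interfaces": {i: False for i in INTERFACES}}
    in_secure = any(f.contains(lat, lon) for f in policy.secure_fences)
    return {"state": "secure" if in_secure else "normal",
            "vpn_required": policy.always_on_vpn and not in_secure,
            "interfaces": {i: not in_secure for i in INTERFACES}}


def may_install(policy, package, source):
    """Allowlist check combined with the block on third-party install sources."""
    if source != "managed_store" and not policy.third_party_sources:
        return False
    return package in policy.allowed_apps
```

Switching a user to the approved secure container at a facility check-in corresponds to calling `evaluate` for that container with the facility's coordinates and suspending every other container with `active=False`.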
And perhaps that is the key: how do high-security organizations allow their employees to be as productive as possible without sacrificing data security and their own personal safety? The good news is that solutions are not only available, but increasingly are being adopted. The challenge for employers is to do their homework to find the mobile platform that best meets their own unique security requirements. With the right platform in place, employers will be able to protect both their workers and their information.