Mobile Device Management with true end-to-end encryption
Why locked down encrypted phones are a must in your organisations device management strategy.
by Geoff Green, Myntex Inc. President and CEO
I am always amazed by the corporate bring-your-own-device policy that has flourished, especially since people started working from home during the pandemic. As an employee, why would you ever accept a Mobile Device Management policy being applied to your personal device? It’s an invasion of privacy and could expose your personal data.
As devices are the starting point for your MDM strategy, it makes sense to mitigate the associated risks of allowing your employees to use their personal smartphones within your restricted network. This cost-saving measure is reckless. The risk from phones loaded with third-party apps is the weakest link in your corporate data security. By including end-to-end encrypted phones in your MDM solution, you not only mitigate the potential for data loss or introducing a virus to your system, but you may also save your company from costly regulatory compliance violations.
The U.S. Department of Commerce National Institute of Standards and Technology publication on concerns with BYOD is illuminating. In addition to stating the obvious, “An ineffectively secured personal mobile device could expose an organization or employee to data loss or a privacy compromise,” the National Cybersecurity Center of Excellence collaborated with providers of cybersecurity and mobile devices, to create a comprehensive analysis of the threats posed. A suite of commercial products was used for the simulation to conduct the study. The summary noted the National Cybersecurity Center of Excellence doesn’t endorse any one of the products used, nor does it guarantee the recommendations made will comply with any regulatory initiatives.
The NIST Mobile Threat Catalogue includes a long list of Application Vulnerabilities, which should be reason enough to ensure your enterprise restricts the use of outside apps on employees work phones. Threat descriptions ranged from allowing unencrypted transmission of device data, to Man-in-the-Middle attacks, eavesdropping on unencrypted app traffic, malware, hijacking of devices for DDoS attacks, covert tracking of device location, poorly implemented cryptography, and compromised backend servers.
Clearly, the need to use a secure mobile device, free of third-party apps and built from the ground up to ensure the privacy of its users should be the foundation of every MDM solution.
Best practices for your MDM need to be based on education. Even the most secure system should be coupled with in-depth and frequent employee cybersecurity training. Social engineering of phishing attacks is becoming increasingly sophisticated, designed to bypass filters and trick users into acting on the urgency conveyed in messages sent through email, text, and SaaS.
You cannot rely on anti-virus software alone to prevent worms, trojans, ransomware and spyware from infiltrating your endpoints. And with the amount of ready-to-deploy malware available on the dark web today, hackers no longer need to be coders.
More shocking than the 8 billion data breaches reported in the last two years is the suggestion this type of privacy and security violation is inevitable. The blockchain start-up organization that assembled this timeline claims, “We have to register for online accounts in order to participate in a modern society and have to swallow the fact that the centralized databases containing our information will sooner or later suffer a breach.” This type of complacency, which is seemingly shared by much of the general population online is astounding.
Of all the replies returned in a Google search to the question, “What is Mobile Device Management?” — the Faculty of Medicine, surprisingly, at Stanford University said it best. “MDM is a set of configuration and management tools for mobile devices, which automatically enables encryption and strong password protection. It also supports the ability to remotely erase a device if it is lost or stolen.” Yes! So, why do so many of the world’s leading MDM providers avoid the mention of encryption across the solution? Could it be the reluctance of users to give up their beloved apps and addiction to surfing the internet with their smartphones? Yes, that’s precisely it. Rather than separate essential tools for work from those used in one’s own free time, businesses are playing a game of roulette with their cybersecurity.
What are the biggest mistakes companies make with data security? The vast majority are related to either trusting inadequate technology or having insufficient end-to-end protection, including data encryption in transit and at rest. Not knowing where sensitive data resides is limiting business from setting effective policies to take control of their data. Improper classification of data is another issue. As is files storage and retention policies. Not encrypting data before uploading it to a cloud is a risk factor. Sharing encryption keys. Building a backdoor into your server. Policies such as these can leave your data at risk and thwart your efforts as well as jeopardize your reputation.
Ultimately, a highly secure, private operating system for your MDM would provide the users with the best protection. In the absence of that, operating your own custom data centre and not outsourcing guarantees you have granular control over your devices.
