In today's Whiteboard Wednesday, Saj Sahay and Giri Sreenivas discuss the Bring Your Own Device (BYOD) trend and mobile device security in general. This video names the top mobile device security concerns associated with the popular "Bring Your Own Device" (BYOD) trend. Giri and Saj also discuss how you can mitigate mobile vulnerabilities so that company data cannot be accessed on your exchange servers. If BYOD and mobile device security is on your mind these days—as it is for most security professionals-you'll want to watch this video to learn more!
Read Video Transcript
Saj: Hi everybody and welcome to our next session of Whiteboard Wednesday at Rapid7. My name is Sajal Sahay and I am the Senior Director of Marketing at Mobilisafe which the recently acquired mobile security business for Rapid7. And I'm here with Giri. I'll let him introduce himself, but first of all, I wanted to welcome you to this session, which is all about mobile security concerns and the top four mobile security concerns for today. I'll turn it over to Giri at this stage.
Giri: Hi everyone, my name is Giri Sreenivas, I was a founder of Mobilisafe, and I'm now a VP and GM for Mobile at Rapid7.
Saj: Great. Thanks, Giri. It's great to have you here, and I'm looking forward to this session. Before we get into the specific concerns, maybe we could talk a little about the background on why "BYOD," or "Bring Your Own Device," is very important, and some of the risks that come from BYOD. Let me start off by just quoting Gartner, who is a very well-respected analyst company in the industry, who says that in the year 2012, almost 800,000,000 tablets and smartphones are going to be sold in the industry. And that number is actually going to grow to a billion in 2013, so it's an industry that's rapidly growing and will continue to do so over the next several years.
The most important phenomenon underneath that number is that most of these devices are being purchased by individuals; so they're personally-owned mobile devices, or, as I noted earlier, the "Bring Your Own Device" trend, or BYOD. It's no longer the case where most corporations are issuing smartphones to people; these are people bringing in their own devices, and they're using them for both work and play. So BYOD is becoming very, very pervasive in the industry, as well as in most businesses, and one of the biggest issues that has come out from BYOD is the security risk that it entails.
Just to give you a statistic, part of Mobilisafe, when we did a study in the past, we found that 71% of mobile devices had a high severity of vulnerability. So this is a real issue, it's a pretty serious issue, hence the reason today to talk about the top four mobile security concerns. So with that again, I'll turn it over to Giri, and maybe you can start off by explaining what the top four are, Giri, and then we can go a little bit deeper afterward.
Giri: Thanks, Saj. So we found these top four mobile security concerns after spending quite a bit of time talking to customers, and really spending some time understanding the market. And what became clear to us is that there is a lot of discussion out there about what the concerns are, but these four really bubbled up to the top for us, with our conversations.
So first of all, we've got concerns around device configuration. So when you go and you buy a brand-new phone or brand-new tablet, and you set it up to get access to email, what is the status of the configuration of that device? How is it being secured? What's it doing to protect my data as a company?
The second concern is around lost or stolen devices. What happens with those devices when they have access to company data with employee credentials on them, and they actually have company data that's stored on the device itself?
The third concern that we found was just frankly around visibility. Lots of companies today know that BYOD is going on around them. Folks in IT and security are looking around and they're seeing employees using their iPhones and their Android devices, but they really don't have a good understanding of how pervasive this is within their company. And so having a good understanding of that can help them prepare for what security steps they need to take moving forward.
And the last area here is around vulnerability management. As Saj mentioned, we have access to great data with quite a few different devices that we're taking a look at and the employees that were using them, and when we ran our analysis, we were very surprised to see how prevalent the vulnerabilities were across these devices. And certainly the rate at which vulnerabilities are being discovered is growing as well. And so you need to have an ability to really prioritize those vulnerabilities and take action to eliminate your risk exposure.
Saj: Great. So I would assume that these are the ones that we heard from our customers as being the most important issues that they had. Maybe, we can go a little bit deeper into these today, then. Let's start off with the device configuration and data encryption, first concern. Maybe, you can go a little bit deeper into what that means.
Giri: Absolutely. When it comes to device configuration, there are some really simple, easy-to-do things that can take some big steps forward in protecting your data. A good example of device configuration is simply enabling a password to unlock your phone. So for example, if you were to use your phone, put it down for a certain period of time, it goes idle, and you pick it back up, you've got to enter a password to actually unlock the device. This is a great security tool that you can have in your hands. In the case that a device is lost or stolen (and it's a little bit of a nag for the user, but at the same time it's providing you some assurances) you need to know a PIN to unlock the device. And not only that, if the wrong PIN is entered after a certain number of occasions, the entire device with get wiped. So this is a great step that you can take from a configuration perspective.
Also, around data encryption, data encryption is a great step you can take to protect your data. So in the event that a device is lost or stolen, if someone has ill intent with that device and they are trying to get data off that device, if the data is encrypted with the appropriate kind of password, they're going to have a very difficult time doing that. And so it's actually a great way to protect, again, your corporate data on an employee's device that's accessing your resources.
Saj: Thank you. You mentioned lost or stolen devices. Is that a big issue? And if it is a big issue, talk a little bit about the locking and wiping features that are important.
Giri: Absolutely. So lost or stolen devices are a huge issue today. There's a great statistic that comes out of New York where about one in four individuals between the ages of 25 and 35 have left their phone in a cab, so this is a pretty pervasive problem. Phones are getting smaller, they're getting easier to carry, but they're also getting easier to lose as a result. So, in the event that a device is lost or has been stolen from someone, you want to be able to take drastic steps as necessary. You really want to be able to get all of the data off of that device as needed. And so it's really important to be able to send a remote wipe command and to be able to pull all the company data off of that phone.
Saj: Great, thank you. Let's move to the third one, which you mentioned earlier, about simple visibility devices being important. Can you explain a little bit more about that?
Giri: Exactly. So rather than sort of being in the fog and knowing that you have a vague and general sense of a risk that's going on within your organization, you want to make it really specific. You want to know on common it is for people to be using iPhones and Android devices within your organization, and also what are the trends. Because it's not just about people bringing in phones today and getting access to email, it's also understanding what kind of devices they're using and where do you want to go as a company over time with regard to mobility. And so having that level of visibility can help you understand how you plan out your security program, how you want to protect that data, and how you want to protect those devices.
Saj: Wonderful, great. Thank you, Giri. And last but not least, vulnerability management. What are vulnerabilities, and why is vulnerability management important?
Giri: So vulnerabilities are basically security holes that you've got to be worried about. And in the mobile world, these are typically security holes that are in the operating system platform. These are the ones that matter. And so when you have these security holes, what happens is pieces of Malware or viruses will take advantage, and they will exploit these security holes to get access to all the data on these devices. And we've had a few pretty high-profile incidents of this, and we're seeing growing rates of Malware, certainly in some of the non-traditional markets. And the good news is that these security holes are actually being patched. And so, as an organization, you really need to understand which devices are my users using, which ones of them are vulnerable to these different kinds of attacks, and what steps can I take to actually eliminate these security holes?
Saj: Great, wonderful. Thank you so much. It's been a very great description of each one, and I really appreciate you going through all the top four security concerns, and thank you very much for joining us today for the Whiteboard Wednesday.