As COVID-19 vaccines roll out, visions of busy cubicles begin to seem less distant. But the return to full office buildings will only happen gradually and probably not noticeably until the third quarter.
Even then, as companies realize savings and productivity gains (in some cases) from keeping their workforces at home, widespread remote work is probably here to stay, in some form, for the foreseeable future. MSPs and IT stakeholders that were forced into a fly-by-the-seat-of-the-pants approach to security in 2020 will have to adapt to the new post-pandemic normal in 2021.
“One of the areas of chronic concern is personal device vulnerability,” says Craig Maines, a cybersecurity consultant in Phoenix. Maines advises that security stakeholders too often overlook devices and that workers continue to treat the devices too casually.
“There’s sort of this built-in ‘comfort’ with one’s phone,” Maines points out. “Think about it. Your smartphone includes family vacation photos, you text your spouse with it, you have your grocery list on it, you simply aren’t thinking of that phone as a trove of valuable data that needs to be protected. For many, it’s just a third limb.”
The vulnerability of the “third limb”
But this “third limb” can be a real vulnerability when it comes to cybersecurity.
This problem was highlighted in a report released this month by Wandera. Among the findings:
- Over half of organizations – 52 percent – experienced a malware incident on a remote device.
- Of devices compromised by mobile malware in 2020, 37 percent continued accessing corporate emails after being compromised, and 11 percent continued accessing cloud storage.
The report also shows that there is still much more to be done when working with people to secure their personal devices.
“These devices pose a direct risk and secondary risks,” Maines says. Personal devices can be used, he adds, depending on how they are configured, to make a direct lateral move into a corporate network. But even if the device isn’t directly connected, many people still have troves of data that a hacker might find of value. This data can include stored passwords, emails, and proprietary corporate information. Even seemingly mundane social media information can be repurposed and weaponized by hackers to help craft especially effective social engineering campaigns.
Still, how much control do MSPs have over personal devices being used remotely? Mobile device usage policy for work is an area, Maines advises, that is still a work in progress because it is relatively new.
Implementing MDM
“People have been using personal devices for work for decades, that part isn’t new, but the pandemic has accelerated this trend,” Maines states, and this is forcing companies to play catch-up when it comes to policies. This is where there is an opening for MSPs to get out front, Maines asserts. Mobile Device Management (MDM) solutions are becoming an increasingly important part of an MSP’s security arsenal. MSPs that don’t offer robust MDM solutions should quickly get up to speed or risk missing out.
Maines says some necessary steps MSPs should implement as part of an MDM package include:
- AUDIT: “You can’t secure what you don’t know about,” Maines says, advising that MSPs need to do company-wide audits of who is using what where. You won’t get everything. Someone will forget to mention that they use their tablet at the public Wi-Fi network at Starbucks. Still, you’ll get enough compliance to at least get the broad contours of what type of cybersecurity terrain you must defend.
- PROACTIVE AND PROTECTIVE POLICIES: MSPs can help companies craft employee-wide policies that outline acceptable mobile device usage for work. Again, this won’t reduce your risk to zero. Policies are like speed limit signs, Maines stresses, you will have violators, but if you succeed in slowing down most of the traffic for fear of getting a ticket, you’ll have reduced risk to your client 10-fold. And, like speeding, a policy violation needs to have some sort of penalty to encourage compliance.
- STRONG ANTI-THEFT MEASURES: Unfortunately, accidents happen, and they can be costly. Someone’s personal laptop inadvertently left behind in the airport terminal could contain sensitive data that could be a nightmare if it fell into the wrong hands. There need to be strong SIM controls, the ability to remotely lock a lost or stolen device, robust GPS tracking of devices, and the ability to wipe a device.
These are just three baby steps towards implementing a robust MDM package. There are plenty of software solutions, Maines says, that, combined with the right policies, anti-theft measures, and awareness training, won’t eliminate the risk that mobile devices pose, but they will reduce exposure.
“Cybersecurity is a game of inches. You will never take over the whole battlefield, so you do what you can do to reduce risk. MSPs that can offer a sweeping MDM package and a reasonable price will be ahead of the game,” Maines concludes.