Home discomforts

When it comes to mobile security, don’t leave employees to their own devices

Covid-19 may have prompted some rapid decisions, which helped organisations to get through the challenge of working remotely at the time

Is it too soon to start talking about the post-pandemic workplace? It would be tempting fate to assume things will be easier from now on. On the other hand, the panic that set in – the rush to make every workplace mobile, almost overnight – has given way to something a lot more like business as usual.

There’s still risk involved; there’s the threat of a second wave of the coronavirus, and some organisations have made it clear that they’re extending their work-from-home policies into 2021. Whether your workplace is among them or not, now’s the time to address security threats, and reviewing your mobile device policy is a good place to start.

“I think the pandemic put an emphasis on mobile devices, and mobile working overall, and changed people’s perceptions of how well it can actually work,” said Guido Marchetti, mobile and security solutions sales professional at CWSI.

“In the past, mobile devices were just seen as something that gave access to email. People would have a couple of business apps for things like expenses. With the pandemic, we’ve seen huge displacement of entire office blocks. Now everybody needs to have some device to connect from, to get into their email and their files.”

Covid-19 may have prompted some rapid decisions, which helped organisations to get through the challenge of working remotely at the time, but that compromised on security, and visibility of devices.

‘Device creep’, the slow proliferation of devices connected to your networks, can leave companies especially vulnerable to data breaches, whether through human error or through more malicious, targeted campaigns. As is often the case with security issues, it’s something that’s hardly visible until, suddenly, it becomes a problem.

“Security risk has never been greater,” said Neil Dover, Ireland Country Manager at HP Inc. The pandemic has brought security threats into sharper focus, he said.

“We’re more dependent than ever on our digital systems to keep our lives and our economies moving but scammers and hackers are taking advantage of the confusion to launch new attacks, and businesses may find it challenging to enforce secure policies and procedures during remote working,” said Dover.

Emerald de Leeuw, privacy lead at Logitech EMEA, takes a hardline approach.

“Personally, I’m militant about not using my work phone for private conversations, but I think that just comes with being a privacy professional and being ultra paranoid,” she said.

“If you’re traveling and one of your batteries dies, you might pick up your other, ‘personal’ phone and use it for work purposes. There are practicalities to consider. It depends on what you’re doing – it’s likely OK to do your Tesco shop on a work computer, if your company is okay with it, but messaging your friends crosses a different threshold, because you’re involving other people.”

For years, mobile device management and security products focused on what happened if a device was lost, by accident or through theft, granting the ability to remotely wipe the phone of all its data.

Device loss remains a valid concern, and the remote-wipe function remains necessary. One report from Trend Micro, published in 2015, found that device loss accounted for 41 per cent of data breaches, ranking above hacking, malware, insider leaks and fraud.

The more recent generation of security products takes threat protection further. There’s a significant focus on apps, and on the threat those apps pose to your organisation; in addition to providing measures for wiping a lost device, they monitor ambient threats on the phone while it’s in use, including Trojan programmes, apps that turn out to be spyware once they’re downloaded.

“The phrase that’s most often used at the moment is mobile threat defence, or MTD,” said Michael Conway, director of Renaissance.

“For a long time it was about remote-wiping, but now we’re talking about all the other things that can happen with a device. That includes phishing protection, web access control, and looking very carefully at all the apps that are downloaded onto the device, and all the risks and vulnerabilities associated with them.”

Malicious apps have generated a large number of headlines recently. There were the fake Covid-19 contact tracing apps which turned out to be malware in early June, along with reports of Pegasus, a malware strain used to target human rights activists, and called “the most sophisticated attack ever seen on any endpoint” by security experts Kaspersky.

Data indicates that the number of malicious apps in the Google Play Store has doubled between last year and now. Whether state-sponsored, or built by criminals trying to steal the PIN for your banking app, these threats are becoming more common and, crucially, a lot more difficult to spot.

Covid-19 only amplified this problem, with reports emerging of a cybercrime wave engineered to prey on people working from home who would be less likely to check with IT about dubious email attachments and links.

Working from home might not have been a choice at the time, but there are lessons that businesses can take from it now to make their workforce more flexible in case of a second wave.

“Working from home already blurs the lines between staff’s personal and professional lives. This impacts security in a couple of important ways. A distracted worker is a vulnerable worker – it’s much easier to click on a realistic-looking, but actually malicious video conference link when you’ve got one eye on the screen and another on a rampaging toddler,” said Dover.

“Secondly, you’ve got multiple users and multiple devices all on the same network, which increases the risk of insecure technology and personal accounts being mixed with professional computers and accounts.”

For many businesses Covid-19 was a test of resilience, pushing security processes and policies to the limit out of necessity. “I don’t think we’ve seen anything quite like Covid-19 in our lifetimes,” said De Leeuw.

“There was nothing else in the news cycle, only pandemic updates and the death count for the day. You have the whole world distracted by one thing, and there was this mad rush to get people working from home instead of in the office... It’s the perfect storm, right? A lot of what should have been in place, in terms of security, probably wasn’t there.”

Even if your business survived the last four months without a data breach, the future remains uncertain, and preparation is key. There’s a cognitive dissonance at work in how people will expect antivirus on a laptop, among other security measures, but not on their phone. As it turns out, antivirus is only the start.

“Traditional antivirus is important, but it relies on recognising known malware or suspicious patterns, which may not be enough to defeat new or very sophisticated malware attacks,” Dover said.

Security is getting significantly more sophisticated, and more autonomous; Dover described the ‘self-healing’ BIOS (basic input-output system) used by HP’s Sure Start technology, and the automatic detection system in Sure Run.

“It can fully recover the OS image [a file, or set of files, containing everything on your device’s hard drive] without requiring that recovery software to be present on the machine. All of these services ensure very little downtime for the end user,” he said.

Phishing also remains a significant threat.

“People are getting compromised by phishing attacks where they’re led to a malicious site posing as something legitimate. You need a security product that includes everything you’d typically find in laptop security,” said Conway.

These programmes can run a background check on the websites you access, and the apps you download. “They’ll let you know if it’s clean and has a good reputation,” Conway added.

“The thing is, some apps might be known for bringing people to bad places, or storing data in jurisdictions that you might not wish your data to be stored in, but they’re still legitimate apps. You don’t always know what’s happening in the background. It might have been built by a very reputable company, but then have been compromised by a vulnerability they didn’t know about.”

In addition to responding when something goes wrong, these products aim to pre-empt data breaches entirely.

“It’s an issue that requires constant monitoring, not just for organisations dealing with ‘top secret’, sensitive data, but for ordinary organisations that want to make sure their devices are secure. Think of it as a duty of care, in terms of your customers and your employees,” said Conway.

With mobile devices it’s easy to fall into complacency, believing certain platforms to be safer than others.

“There’s a popular misconception that certain ecosystems, iOS in particular, are more secure than others,” said Marchetti. “But we’ve seen with the Pegasus case that these threats can apply across all platforms.”

Conway made a similar point: “iOS is traditionally seen as a safer option. They have a lot of good controls over the storefront, and they verify everything, but it’s still possible to catch something.”

There’s also a significant risk of human error, and intentional, internal threats.

“What happens when somebody accidentally moves data sideways, or saves it in an area they didn’t mean to?” asked Marchetti. “There are some cases where this is malicious, too. If someone’s leaving the business, they might use certain loopholes to take data with them.”

There are several approaches organisations can take to address these threats, each of which comes with advantages and disadvantages. “Of course you can take the approach of doing a clean sweep, and buying new devices for everybody, but that requires a substantial budget,” said Marchetti.

“We see an awful lot of different scenarios and use cases. There’s a large number of corporate-owned but personally-enabled devices. This means the device is delivered by the company, but they allow employees to use their personal Apple ID or Google ID with it.”

Shortened to ‘COPE’, this approach joins a host of acronyms (‘BYOD’, meaning ‘Bring Your Own Device’, and ‘CYOD’, ‘Choose Your Own Device’, among others) applied to mobile security.

Beyond the policy on hardware, there’s the software to consider: there are traditional enterprise mobility platforms, and unified endpoint management (UEM) platforms, where the device can be monitored and controlled at the level of individual applications.

“It depends on a company’s infrastructure, the services, whether it’s Google cloud or Office 365, and then it depends on the platform you use to control the applications,” said Marchetti.

“Whether it’s Microsoft’s Intune, or VMWare, or Workspace ONE, you’ve got the capability to control apps to stop the sideways movement of data, accidentally or on purpose.”

As ever, security is an ongoing process, rather than a question of finding the ‘perfect’ product to solve all your problems at once.

Dover advised a combined approach; using advanced security software to pre-empt threats and detect and address them when they occur, but also putting an emphasis on communication, even if your workforce is scattered, and at home.

“Right now, steady communication that reminds workers of their responsibility and the resources at their disposal is critical,” he said. “In the absence of a physical IT department, remind them where to report an incident, and where to seek guidance. Provide regular updates on best practices, including which platforms for messaging and video conferencing are approved for use.”

Now is the time to plan for a workforce that is sometimes at home, and sometimes in the office, with an all-encompassing mobile device management policy to match.

This might mean adopting a more thorough approach. Marchetti noted a move towards a ‘zero trust’ security posture, one where the organisation extends no implicit trust to anything connecting to its systems, and verifies every device and identity before granting access.

“If the device and the identity aren’t linked, and aren’t known, then you can’t access those services, whether they’re on-premise or cloud-based,” he said.
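The rule Marchetti describes, that a service is reachable only when both the identity and the device are known and linked to each other, can be written down as a small access-decision function. The following Python is an added illustration, not code from the article or from any vendor quoted in it; the user names, device records, posture fields and the idea of a sensitivity level that additionally requires MFA are all constructed assumptions.

```python
"""Zero-trust style access check: identity known, device known, device bound to
that identity, and device posture acceptable, before any service is reachable.
All records below are constructed sample data, not from any real UEM/MDM product."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str        # identity the device is enrolled to
    managed: bool     # enrolled in the organisation's UEM/MDM (assumed flag)
    compliant: bool   # passes posture checks: screen lock, patched OS, no known-bad apps


@dataclass(frozen=True)
class Identity:
    user_id: str
    mfa_verified: bool  # current session completed multi-factor authentication


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)  # empty when allowed


# Constructed inventory: one compliant corporate phone, one corporate phone that
# fails posture, and one personal (unmanaged) phone that a user tried to log in from.
DEVICES: Dict[str, Device] = {
    "dev-corp-001": Device("dev-corp-001", owner="alice", managed=True, compliant=True),
    "dev-corp-002": Device("dev-corp-002", owner="bob", managed=True, compliant=False),
    "dev-byod-009": Device("dev-byod-009", owner="alice", managed=False, compliant=True),
}

IDENTITIES: Dict[str, Identity] = {
    "alice": Identity("alice", mfa_verified=True),
    "bob": Identity("bob", mfa_verified=False),
}


def evaluate(user_id: str, device_id: str, sensitivity: str = "low",
             devices: Optional[Dict[str, Device]] = None,
             identities: Optional[Dict[str, Identity]] = None) -> Decision:
    """Return an allow/deny decision with every failed check listed.

    The checks are independent so that an audit log shows all the reasons a
    request was refused, not only the first one encountered."""
    devices = DEVICES if devices is None else devices
    identities = IDENTITIES if identities is None else identities
    reasons: List[str] = []

    identity = identities.get(user_id)
    device = devices.get(device_id)
    if identity is None:
        reasons.append("unknown identity")
    if device is None:
        reasons.append("unknown device")

    # Only evaluate the binding and posture when both sides of the link exist.
    if identity is not None and device is not None:
        if device.owner != identity.user_id:
            reasons.append("device not bound to identity")
        if not device.managed:
            reasons.append("device not enrolled")
        if not device.compliant:
            reasons.append("device fails posture check")
        if sensitivity == "high" and not identity.mfa_verified:
            reasons.append("MFA required for high-sensitivity resource")

    return Decision(allowed=not reasons, reasons=reasons)


def audit_line(user_id: str, device_id: str, sensitivity: str = "low") -> str:
    """One log line per decision, suitable for feeding to a SIEM."""
    d = evaluate(user_id, device_id, sensitivity)
    outcome = "ALLOW" if d.allowed else "DENY"
    detail = "" if d.allowed else " reasons=" + ";".join(d.reasons)
    return f"access user={user_id} device={device_id} sensitivity={sensitivity} {outcome}{detail}"


if __name__ == "__main__":
    for req in [("alice", "dev-corp-001", "high"),
                ("alice", "dev-byod-009", "low"),
                ("bob", "dev-corp-002", "high"),
                ("mallory", "dev-corp-001", "low")]:
        print(audit_line(*req))
```

The important design point is that a known user on an unknown or unmanaged device is refused just as firmly as an unknown user on a corporate device: the decision is about the pair, which is what the "linked" wording in the quote means in practice.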

De Leeuw said the issues with improving mobile device security were not down to a lack of effort.

“There’s so much uncertainty around people going back to work, because their kids can’t go back to school. I know a lot of companies are allowing people to work from home if they want – they’re not going to force people to come back. So you end up needing both; security on site, but also enhanced security for the people who work remotely,” she said.

Malware, much like coronavirus, isn’t going away anytime soon, and the care and attention you put into securing your business today will leave you better placed to address an uncertain future.

“We probably do more business on iOS and Android devices than ever before,” said Conway. “The pandemic has proven that to be true. We’re all mobile, now. Life is mobile.”

The cost of free apps

Back in 2012 (a very long time ago in data protection years) two researchers from Carnegie Mellon University published an academic paper in which they estimated how long it would take the average American internet user to read all the terms and conditions attached to the apps and services they use.

They arrived at a figure of 76 work days per year, calculating an annual cost of roughly $781 billion in lost work hours.

Questions around mobile devices in the workplace open onto a broader issue: the apps we use day to day, in our lives outside work, and the data we give them in return for their use.

Malicious apps – those that pretend to be one thing, then morph into spyware, or ransomware – pose significant problems, but it’s also important to watch out for the entirely legitimate, legal apps which still use your data, and even leave your information visible to others online.

“It’s very difficult to see exactly how apps are sharing your data,” said de Leeuw. “You don’t know how apps are siphoning off your data. You don’t get a notification. You just have to agree to the privacy policy, or consent to have your data stored and processed by the app and its business partners.”

This is the other side of mobile device security in the workplace: the equal level of diligence required to take care of your data outside work. Education is important here – no one expects you to spend 76 days reading terms and conditions, but all of us can benefit from exercising caution.

There are signs of this cultural shift already appearing. In January of this year, Google announced that it intended to phase out third-party cookies gradually by 2022, and in March, Apple announced an updated Safari feature, available now, which allows users to block cookies entirely and prevent tracking.

De Leeuw advised suspicion of free apps, in particular.

“If it’s free and it’s not well-known, you should probably not download it. They’re making their money some way, and it’s usually by selling your data,” she said. “In general, my motto is that if you can get an ad-free, paid version of an app you’ll avoid a lot of problems.”