Tag: mobile device

Posted on

Business Data Loss is a Growing Problem

The portable computer was the secret business weapon of yesterday and is today’s essential business tool. The processing power, portability, storage, and connectivity available with laptops, tablets and smartphones has created a seamless extension to the office. Business users can work with their applications and data from just about anywhere. While mobile devices are valuable when it comes to conducting business, they also pose additional security risks. Increased efficiency, mobility, and accessibility can also mean an increased potential for a data breach or business data loss.

The workforce of today is mobile enabled. Business users, owners and managers, accounting advisors and business consultants can access all the information and analytical capability they need to perform their jobs and make informed business decisions, capturing and collecting important information while keeping productivity at the highest levels no matter where they are.

“87% of businesses rely on their employees to use their personal mobile devices to access company apps”, according to a post by Perillon. Some studies have estimated that as much as 80% of the data a company has (like customer files, contracts, financial data, product specifications) might be stored on portable devices. This means that mobility comes with risk, which is why Mendelson Consulting and Noobeh cloud services utilize cloud-based platforms and services to keep data safe and secure.

According to business data loss statistics compiled by Businessdit.com, the two most common causes of data loss are hardware failure (40%) and human error (29%). Overall, malware causes 35% of all data loss, taking advantage of the 21% of files that businesses are not protecting at all.

The stats show that it takes approximately 206 days on average to even detect a data breach, the costs of downtime and losses average around $1,410 per minute for small businesses, and 22% of SMBs close after a ransomware attack.

Data loss or theft can create big business and legal problems, too. Customer or client privacy may be compromised, sensitive information may be exposed, and confidential plans may be made public if a business doesn’t take steps to secure mobile data.

“The average cost of a data breach in 2021 was $4.24 million. That’s a huge increase from the $3.86 million cost in 2020. And it’s only going to get more expensive in the future. Companies need to be prepared to deal with the fallout from a data breach, which can include everything from legal costs to damage to their reputation.”

Businessdit.com

There’s an old saying that there are only two types of businesses: those who have lost their data and those who will. Imagine the potential chaos, risk exposure, reputation damage and the expense of losing your valuable business data or having it exposed to unauthorized parties.

While computing mobility delivers a host of advantages to the business and the user, care must be taken to ensure security, privacy, and confidentiality of the business information and protecting against business data loss.

Increased exposure to liability is a reality for any mobile business, and the risk is only multiplied by the number of systems a company has in the field. Smart businesses reduce risk by deploying secure yet versatile platforms for their workers that allow data to be stored and protected in centralized environments rather than on individual computing devices.

Via the cloud, businesses of all kinds are reaping the benefits of new and innovative service delivery, achieving the freedom and functionality a mobile working model demands. Mendelson Consulting and Noobeh cloud services have the cloud solutions and managed IT services that provide the mobile capability businesses need, but with the additional protection, additional security, and ongoing management that the value of the data demands.

jm bunny feetMake sense?

J

Posted on

4 Rules of Thumb Regarding Passwords and Authentication

Many people believe passwords are dumb.  They store their credentials for easy login, or maybe even leave the password blank if the app allows. For IT managers, forcing users to come up with a strong, unique password is definitely not an easy task.  Resting on convenience over security, many people would prefer to use familiar names and dates or simple phrases they can remember.  Even when IT departments try to enforce best practices there is often a struggle between honoring those standards and influencing user behavior.

Relaxed password standards allow users to set passwords that may be as easy to guess as they are to remember, and very strict requirements for strong and complex passwords often results with users storing passwords in document files or on post-it notes on the monitor. Setting password standards and managing the policy implementation requires a balance between usability and security, but more often than not the balance skews toward simplicity. Yet passwords aren’t going away any time soon, even while biometrics and multi-factor authentication methods grow in prominence.

It is most likely that new technologies and standards will be combined with passwords to protect critical data. Using only a password to protect information may not be the ultimate in security, but it is important to recognize that passwords remain as a key element in any security model. For now, passwords should be as strong and unguessable as possible.  As technologies and standards rise up to meet the demands of users as well as enterprises, there are likely to be changes in how passwords are used. Here are 4 rules of thumb to consider regarding passwords and where authentication technologies are going.

1. Your face might be your password.

Biometrics won’t fully replace passwords right away, but the use of biometric data for authentication is growing rapidly. Face recognition, fingerprinting and voice identification are all being employed as authentication mechanisms and users are embracing the technology because it is easier to use than a remembered password.  Smartphones and PCs have sensors for reading fingerprints and cameras for seeing faces, and microphones for hearing your voice.  Many systems are also now able to use geodata with the biometric data (matching person to place), making it harder to compromise an identity while also being less disruptive to the user. While the technology isn’t foolproof, it represents a major step towards creating more secure systems without placing the responsibility strictly on the user.

2. Two pieces of ID are better than one.

The point of multi-factor authentication is that there are two different pieces of evidence a user must present in order to gain access. For example, a password may be the first piece of evidence presented, with a pass code sent to a mobile device as a second. Even as biometric authentication grows in prominence, industry participants recognize that no single method covers all the bases all the time. Multi-factor authentication is gaining in prominence as users become more familiar with the methods and the implementations become less intrusive. AI may also influence how these systems are applied. As user behavior and transaction parameters are “learned”, systems can identify activities that fall outside of normal routines and additionally prompt users for single-use pins or passwords sent to their mobile device.

3. Businesses should learn from past mistakes.

With news of hacking, ransomware and malware being daily fare, companies and their users are realizing that password security really is important and are stepping up their security efforts. The information is available to help prevent businesses from making the same mistakes that others have, offering worst case scenarios a’plenty to learn from.  Using default passwords and recycling passwords across work and personal accounts, using unsecured network connections, not encrypting files that contain password information and failing to patch or update systems and software are entirely preventable situations that put information at risk. Taking the reports seriously and identifying mistakes to avoid is highly useful in designing security for the business.

4. There’s a growing ecosystem for authentication.

With the number and type of systems requiring authentication – from industrial control systems to dating websites – there is a great and growing need to find highly secure methods of authentication that are actually usable for the user. Even in the world of blockchain there is a need for “identity assurance” and confirmation when documents or biometrics are captured via smartphone. Fast IDentity Online (FIDO) is a set of security specifications for strong multi-factor authentication, developed by the FIDO Alliance. The FIDO Alliance includes members such as Google, Aetna, Amazon, Microsoft, Bank of America and Samsung, and developed the spec as an initial basis for standardizing authentication across platforms and systems at the client and protocol layers.  

Technology is changing rapidly and solutions once reserved for government and large enterprise are now entering mainstream consumer use. You’ve probably already noticed that banking and other apps are employing the use of fingerprint and other biometric data with increased frequency as users demand easier access to applications and features from their smartphones and other mobile devices.

These technologies sometimes replace traditional password entry as the primary means of authentication or augment password use in some manner. Even MasterCard has announced a component in its payment card solutions that allows users of next-gen payment cards to register their fingerprint data on their credit card.

The push is to allow users to interact with their tasks without putting up barriers to access.

A combination of usability and enhanced protection, the new standards are developing to address not just system security but identity verification for various purposes. Corporate information must be secured and so must personal identity information; simply read the news to understand what can happen when digital identity information gets compromised.

Whether the data is business or personal, keeping hackers and bad actors away from it isn’t easy, so strengthening the most basic first layer of protection – the password – is the best place to start.

Make Sense?

J

Posted on

4 Rules of Thumb for Better Mobile Device Security

Security threats are everywhere, lurking in alley ways and around corners and even in your favorite coffee shop. Yet mobility is in demand, and people will use their smartphones and other mobile devices because it’s convenient, even if company policy suggests against it.

This is a big deal for IT and security professionals and CIOs, which is why it took a while for IT to recognize the need to address mobile device security rather than simply deny mobile device use. With data breaches, ransomware attacks, hacks and information leaks happening on an almost daily basis, businesses must find ways to protect their valuable applications and data from loss or misuse while at the same time enabling mobile device use.

The following 4 rules of thumb are not comprehensive but are four essential rules of thumb to help guide business owners in addressing mobility management and security within their organizations.

Rule 1: Make sure there are clear mobile device use policies and support them with ongoing administration and strict enforcement.

I can’t say enough about having good security and mobile device policies and keeping them modernized, relevant, and actually enforcing them. Too many businesses say they have a “security and use” policy in place, yet it is outdated and doesn’t reflect the actual tools or processes currently in use.  Even more frequently a business will develop a policy just to say it has one, but won’t actually train workers or enforce compliance.

Rule 2: Require and enforce strong passwords, manage access in real time, and force password changes with some frequency.

It is essential that all user access to applications or data be controlled at minimum by password-protected logins to the device and corporate resources coupled with periodic forced password changes. Users often prefer to not require passwords or other authentication for device access, but corporate policy should not only require them but also enforce their use.  Also, user access should be managed in real time, meaning that any aspect relating to access should be disabled or revoked immediately upon employee termination or reassignment. Too often these forgotten chores are relegated to after-the-fact IT administration, which allows users to access resources beyond their rightful boundaries.

Rule 3:  Do something to contain the applications and data on the device.

Whether the approach is with containers, cloud hosting, server-based computing or something else, it is really important to try to “contain” the applications and data accessed from the mobile device. Risk is created when users sync data directly to the device’s storage or install applications directly on the device to access corporate data. Password and other security measures prevent unauthorized access, but allowing applications, credentials or data to be stored directly on the mobile device allows those things to interact with other things on the device.  Containers, hosting and server-based computing models keep the applications and data within secured spaces, often not even storing essential items on the device but only accessing them via the device. This allows the business to provide users with the access and functionality they need to do their jobs, but also reduces the vulnerability of applications and information assets.

Rule 4: Keep device software up to date and download fewer apps.

Updating mobile device operating system versions and release levels is important to make sure the device has the most current security patches and threat protection.   Some mobile OSes even have capabilities which can help keep personal and work apps separated.  Limiting the number of apps users can download to their devices should also be considered. Users may randomly download and install applications to their devices with little regard for the quality or security of the app, and often accept terms of use without really reading them. Consumer apps from app stores may pose risks to data and the device, so IT should check regularly for problematic apps if the device is used to access the corporate network, applications or data.

Mobile and wireless are in demand

Just about every business has people who use their phones and tablets for some business use, and every one of those mobile devices and the apps running on them could open the door for a hacker, ransomware, data theft or compromise. While there are many benefits to be gained by enabling remote and mobile devices in the business workflow, unrestricted access only creates risk.

Keeping mobile devices secure for business use takes multiple approaches, as there is no single method or solution that works for every situation. Our 4 rules provide a basic foundation for business mobility management, offering a starting point for developing a more thorough and detailed plan.

Make sense?

J

Posted on

Mobile IT for Contractors and Builders (for every business, actually)

The Trend Is Up For Single-Family Housing Market

Even as lot and labor shortages and other supply side constraints continue to impact builders, and while the cost of building materials continues to rise, the demand for housing continues to increase at a fairly consistent rate. “November’s builder confidence reading is close to a post-recession high-..” NAHB Chairman Granger MacDonald said in a recent release.

Supported by rising homeownership rates and a reduced number of available homes for sale, the trend up is expected to continue.

Increased competition for new business opportunities in the building market require that home builders and developers leverage available technologies and IT resources to improve operational performance and increase the profitability of every project. Applications for better estimating, project and cost management and accounting represent the foundations for information management and supporting the flow of work.Extending workflows to embrace mobile workers and remote offices is the next step to developing an efficient anytime/anywhere business. 92 percent of U.S. construction executives believe that technology will fundamentally change their businesses, and help them bridge the performance gap, according to KPMG’s Make it, or break it – Global Construction Survey 2017 report.

Collaborating while on the go and exchanging ideas and concepts quickly helps businesses be more agile and better-able to meet changing customer needs. Remote and mobile access provides businesses with mobile office options that allow users to get their jobs done no matter where they happen to be.

Business moves at a fast pace and working smarter means implementing the right IT to keep moving up with the demand and creating sustainability for leaner times.

Make Sense?

J

Posted on

Securing Business Data When Mobility is the Target

driving1-ANIMATIONToday’s workforce is a mobile workforce. Technology has enabled businesses to allow their employees to reach beyond the office walls, doing business and operating effectively from just about any location.  SaaS, online access to business data, and smart phone technologies have brought flexibility in working models previously only imagined by the workforce tethered to business locations and office computers. Yet this flexibility comes at a price if the business is to keep up with securing and protecting data assets as readily as it extends access to them.  The bad guys are well aware that mobile computing and remote access working models are growing in adoption with businesses, and are finding ways to take ever-greater advantage of the situation.

Teleworking, which is not quite the same thing as telecommuting, is on the rise and it doesn’t look to be a trend that will slow down any time soon. According to GlobalWorkplaceanalytics.com, “telework is defined as the substitution of technology for travel”.  Those who work sometimes from an office, but sometimes not, are teleworkers. Working at the office during the day and then taking work home at night makes you a teleworker. The primary tool of the teleworkforce is the smart phone – the mobile computer with built-in connectivity and enough processing power to handle many basic office workloads.

  • 50% of the US workforce holds a job that is compatible with at least partial telework and approximately 20-25% of the workforce teleworks at some frequency
  • 80% to 90% of the US workforce says they would like to telework at least part-time. Two to three days a week seems to be the sweet spot that allows for a balance of concentrative work (at home) and collaborative work (at the office).
  • Fortune 1000 companies around the globe are entirely revamping their space around the fact that employees are already mobile. Studies repeatedly show they are not at their desk 50-60% of the time.  http://globalworkplaceanalytics.com/telecommuting-statistics

The number of teleworking employees is on the rise, and so is the variety of devices used to facilitate mobile working.  Smartphones, tablets and phablets and, of course, laptop computers are used by mobile workers – often in addition to the company-supplied desktop in the office. The variety and number of computing devices per user is growing. Knowing this, businesses must take increasingly expansive steps to strengthen and secure remote access systems and business data, yet many organizations are just beginning to fully realize that the mobility they extend to their users is part of the reason for the increasing number of data breaches and attacks against business information systems.

Cybercriminals and their crafty programs are often able to steal important information or access a network by first infecting computers and devices used for telework.  Many of the devices available to the attackers are not company-owned, but are introduced to the system by contractors, vendors and employees (BYOD or bring-your-own-device users).

Even if the device isn’t a vehicle delivering a nasty payload into the network, data breaches may still occur when business information is stored on an improperly secured device. Most people who work with computers have some recognition of the potential for virus attacks and malware, but far fewer recognize the threat potential of attacks against mobile devices such as phones and tablets, and even fewer may implement meaningful protections on those devices.

“To prevent breaches when people are teleworking, organizations need to have stronger control over their sensitive data that can be accessed by, or stored on, telework devices,” said Murugiah Souppaya, a NIST computer scientist. [1]

Providing guidance and information to the public on such topics, NIST (National Institute of Standards and Technology) is revising its publications on telework to cover growing use of BYOD and how contractor and vendor devices are increasingly used to access company information resources.  Two new publications – one for organizations and one for users – are now available for review and comment.  You can find them here.

“As one of the major research components of the National Institute of Standards and Technology, the Information Technology Laboratory (ITL) has the broad mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology through research and development in information technology, mathematics, and statistics.”  [NIST Information Technology Laboratory Mission]

The rising number of threats, attacks and breaches caused by compromised devices used for teleworking is nothing to take lightly, and protecting against them shouldn’t be approached as a merely perfunctory obligation. Organizations must create and consistently update policies and requirements relating to protecting information accessible by remote workers if they intend to reduce business risk and provide assurances to stakeholders and customers that the information is adequately guarded.  But it doesn’t stop with the policy; businesses must also make an effort to properly educate their users (employees, contractors, vendors, etc.) on those policies, ensuring that all parties involved understand the responsibilities and requirements and strictly adhere to them.

jmbunnyfeetMake Sense?

J

[1] http://www.nist.gov/itl/csd/attackers-honing-in-on-teleworkers-how-organizations-can-secure-their-datata.cfm
Posted on

Mobile Device Security is a Moving Target

Mobile Device Security is a Moving Target

mobile-devicesAs businesses mobilize their workforces and processes the volume and variety of sensitive data passing through and sitting on mobile devices increases dramatically.  Even though the business owner or IT manager may recognize the importance of mobile data and device security, doing something useful about it is altogether another issue.  New considerations enter into the picture frequently, turning mobile security into a moving target. Protecting the business – the organization, its employees and its customers – requires adopting mobile security strategies that cover a broad range of issues.

First of all, is there any means of monitoring the activities of the connected or mobile devices?  Knowing which devices are interacting with your information would seem to be an essential part of business information security, yet smartphones and tablet devices often fall under the proverbial radar of IT or business management.  Actually, business management is likely among the base of users with the very mobile devices in question.

Are there ways to limit what information is accessible via these mobile devices, and is that data encrypted?  Consider also that data is sometimes at rest (like when it is just sitting on a hard drive) and sometimes in transit (like being uploaded/downloaded/transmitted over the wire).  In either state, the data should be encrypted in order to be more secure.

Is there a standard set of apps or services that users can enable, or is it pretty much personal choice?  Too often a user will innocently install a malicious app on their device, exposing the business to a variety of potential threats.  Creating strict policies around app selection and use is a really good idea, and finding a way to actually enforce them is even better.

The big issue is separation of work and personal apps and content.  Especially in small businesses where personal devices are the norm (well, not just in small business… Hey Hillary!) it is quite a challenge to create any useful separation between personal and business use.  The mobile device is often adopted as a personal choice of the user – who elects to invest their personal mobile device in their work – so exacting any real level of control in how the device is used is tough.  The security of the information is only as good as the security of the device, meaning that it is usually up to the device owner to decide if a password or pin is required.  Unfortunately and for the sake of convenience, there is often little or no real security on the device meaning there is no real security around the information on the device in the event that it becomes lost, stolen or compromised.

There are a lot of things that the business can do in order to improve the security of their business data in a mobile device environment.  Here are a few of the basics:

  1. Have defined procedures for what happens when a device is lost or stolen; make sure they’re followed
  2. Have a way to do a remote wipe of the device
  3. Make sure all devices lock after a period of inactivity, and that they have password or pin protection
  4. Have a mobile device use policy, and make sure all employees understand why it matters and agree to it.

jmbunnyfeetMake Sense?

J