to Overcome Vulnerabilities in Your DSD Mobile Security Strategy

More documents

Recommendations

Info

5 Ways to Overcome Vulnerabilities in your DSD Mobile Security Strategy Introduction Thanks to advances in mobile technology, you hold a world of information in your hands. Merely a decade ago, the notion of holding a full-powered computer in your palm was a novel idea. Today, it’s your business partner—and productivity would plummet without it. Anyone who works in the direct store delivery (DSD) environment understands the value in the progression of mobile technology and wireless access. The pre-sale environment is increasingly defined by low-cost wireless order transmission. And a delivery process that used to require 48 hours has been slashed in half, driving the market—including your customers—to demand faster, more accurate and more cost-effective service. The DSD distribution chain, from plants to wholesaler warehouses and sales departments, today insists on increased productivity and near real-time communications: on-the-spot messaging capabilities so products flow to the right places, exactly when they’re needed and in the precise quantities desired. While the rewards of mobile sales and delivery management are notable, there are new risks to consider. In fact, the risks related to mobile devices are increasing. There are more and more attacks aimed at snooping wireless 802.11 (“WiFi”) communications and Bluetooth® technology (a wireless standard for short-range data sharing), and an increasing number of worms and viruses targeting mobile operating systems. Just as viruses, worms, and spyware evolved, from targeting floppy disks and spreading through sharing files in the 1980s to exploiting e-mail and the Web in the 1990s, attackers will continue to follow technology wherever it goes. Your business needs to have the right defenses in place to protect against these threats—malicious viruses, eavesdroppers and attack exploits that threaten the integrity and confidentiality of your information. Networks are built to facilitate the ease of communication. They’re based on standards that aim to enable the free flow of information and access from anywhere. But this increases complexity and makes them quite vulnerable to those who would tap in and destroy data—just because they can. However, with the right set of tools and proper management, the potential for danger can be diminished dramatically. But it does take an ongoing commitment to security. Because mobile technology leaves the relative security, stability and comfort found behind the corporate bricks and mortar, your IT department must manage and update handheld systems properly. Every effective security strategy and technology that protects the core company network and systems can be applied to each device, no matter how small, mobile or dedicated its function. What You Will Learn in This Report This report highlights the five most common vulnerabilities that weaken mobile IT security for many businesses, and what you should do to overcome them. It underlines the importance of establishing a specific mobile security strategy and describes the technologies and processes that should be implemented to help ensure device connectivity and availability remain high, and that the information residing on these devices stays private and secure. Five Ways to Overcome Vulnerabilities in Your DSD Mobile Security Strategy 1 Lack of a Cohesive Mobile Security Policy Just as your IT department has security policies in place for corporate servers, desktops and notebooks, (such as regularly patching software, updating firewall rules and having anti-virus protection in place) the same scrutiny must be given to all mobile devices that carry and transmit company information. The first step is to inventory all mobile devices in the field, who is assigned to each, and how they’re being used. The goal is to establish a baseline security framework to ensure that the devices and information are properly maintained, and that they minimize risk to the corporate network and applications when they connect. Vital aspects of your policy should include: • Deciding which devices and/or users will be permitted to connect to internal applications and communication servers and how they’re authenticated (by the device, assigned IP address, and/or username and password, etc.) • Establishing policies on password strength (how many characters, how many need to be upper-case, the mix of numbers and letters, etc.) • Determining how data will be protected (encryption, password access to the device, etc.) on the device • Establishing security during transmission. If you’re relying on a private network carrier that encrypts data transmission, you may already have this vulnerability solved. If users connect remotely from WiFi hotspots, or transmit by synchronizing from remote PCs, you’ll want to consider deploying a virtual private network (VPN). 2
5 Ways to Overcome Vulnerabilities in your DSD Mobile Security Strategy You’ll also need formal policies that mandate how and when mobile devices will receive application and operating system security patches and updates, as well as how they’re protected from malicious software, such as viruses, worms and Trojan horses. These suggestions are a good starting point. But your IT department needs to be your central ally when establishing your mobile security policies and strategy. Lean on IT for advice. 2 Ignoring It doesn’t matter how many controls companies put into place: data encryption, secure network transmission, anti-virus software, strong passwords: all of these can be circumvented if employees and contractors aren’t made aware of the risks. Lack of understanding is one of the primary reasons why many users view security software and policies as barriers that slow down their efficiency. The fact is that security actually enables organizations to safely conduct business remotely, in ways that don’t jeopardize the availability or integrity of information and networks. By educating users through e-mail newsletters or training sessions, they’ll understand the risks to your business when security policies aren’t followed. Few people understand the risks associated with mobile viruses, or with connecting to the network from a public hotspot or café. Studies show that users who experience security training are less likely to visit potentially malicious Web sites, share their password with a crafty social engineer, or make other security-related mistakes. 3 Not Security Awareness Training Securing Data in Transmission How you secure data as it is transmitted to and from your mobile devices and corporate applications depends largely on the type of network you utilize. If you’re using a private network, such as those provided by the major telecommunication carriers, your transmissions may be encrypted already and will be much more difficult for potential attackers to identify. If devices are connecting from external hotspots, the only safe assumption is that anyone can access, read and modify what’s being transmitted. In addition, if users are connecting to home or remote PCs, synchronizing and then transmitting data, that traffic also can be accessed easily. In these cases, you’ll need to deploy a VPN. VPNs help to authenticate that the user accessing your network or applications is legitimate; then, all communication that travels between the device and your network is securely encrypted within the VPN “tunnel.” Now, anyone trying to eavesdrop on the communication will see only gibberish because it’s scrambled on the device before it’s transmitted and decrypted on the other end of the connection. Anyone without VPN credentials is kept out. 4 Not Securing Mobile Device Data News stories about large corporations, government agencies and other organizations losing notebooks, handheld devices and removable storage media abound. One of the most crucial aspects of your security strategy needs to be putting into place defenses that protect not only the device itself, but also the information it contains, including user names and passwords that could be used to access even more sensitive corporate information and network systems. First, these devices are easily lost. So, make certain that any sensitive information users don’t need isn’t stored on handhelds: customer numbers, passwords and sensitive financial information. Whatever is confidential and you wouldn’t want competitors or business partners to access should not reside permanently on the device or persist there any longer than necessary. Likewise, whenever upgrading to a new device, take care to remove all information before the device is discarded. Second, utilizing user names and passwords goes a long way to keeping unauthorized users from accessing applications on the device. Check with your DSD software provider to see if it offers capabilities to centrally manage user passwords. If necessary, consider installing third-party software that will enable you to centrally manage user names, or PINs, that can be used to lock down the device when it hasn’t been used for several minutes. Ideally, look for software that provides the ability to wipe the device clean after a certain number of invalid login attempts. But be careful: these controls need to be centrally managed. If users have the ability to set and change their own passwords, managers and even the IT team may not be able to access information on the device should the employment status of the user change. Locking down the device will not protect the data if it is stored on removable media. Removable media cards can be inserted into another device to gain access to your data. Make sure sensitive data is stored in an encrypted format or storage card encryption is used. At a fundamental level, all wireless communications, including Bluetooth capabilities, need special attention. If there’s no need for users to share data with other mobile devices, PCs, or cell 3
Page 1: Whitepaper 5Ways to Overcome Vulner

to Overcome Vulnerabilities in Your DSD Mobile Security Strategy

Create successful ePaper yourself

Delete template?

Save as template?