The Information Security Forum (ISF), an independent information security body, has launched its new report, Securing Consumer Devices, to provide information security professionals with advice on meeting the ‘consumerisation’ challenge. The report also coincides with the launch of the ISF’s Securing Mobile Devices Special Interest Group for Member organisations.
The ISF believes that regardless of what stage they are currently at, organisations are struggling to understand and manage the ever-increasing number of powerful consumer devices being brought into the workplace. Many of the most popular devices, particularly smartphones and tablets, were not designed originally as business tools and do not offer levels of security comparable to desktop and laptop computers.
The report also highlights that these devices are blurring the line between personal and business use and behaviour. Potential risks include misuse of the device itself, exploitation of software vulnerabilities and people downloading and using poorly tested business applications. Organisations also need to seriously consider the legal issues around who actually owns the device.
The new report, which provides organisations of all sizes with an independent, business-focused approach to planning a security response, offers best practice in several key areas, including user guidance, protection solutions, provisioning and support, and meeting the necessary statutory requirements. It breaks down consumer device security into four manageable components:
· Governance – with no control over consumer devices, little or no visibility of usage and penetration, and poor knowledge of ownership, policies or compliance, organisations need to create a framework for ensuring correct and consistent mobile device security assurance
· Users – with no control over consumer device working practices, users are free to mix work and personal tasks and data. Organisations need to ensure employees are aware of what constitutes good working practice for mobile devices, by creating an Acceptable Use Policy (AUP) for staff to sign. The report includes an easy-to-use AUP to get businesses started
· Devices – left unprotected and unmanaged, consumer devices are exposed to a range of potential security threats, including malware targeted at the device’s OS or apps, unauthorised connections, and compromise and irrecoverable loss of data. Organisations must put in place technical solutions for securing access to mobile devices and content
· Applications and data – the provenance of most apps designed for consumer devices is unknown, and most have not undergone formal testing. Unfortunately, most users do not think about this when downloading them. Organisations must ensure apps used for business and the types of data they can access or generate are appropriate and properly tested.
“Consumerisation is a fast-moving trend that organisations are struggling to keep up with and this report provides the first detailed examination of consumer device security, the challenges and the solutions,” according to Steve Durbin, Global Vice President, ISF. “As well as this report, we are delighted to announce that the ISF is establishing a Securing Mobile Devices Special Interest Group (SIG) to provide a collaborative environment for Members to keep on top of the rapid pace of change in this area.”