May 4, 2016
Presented by Samsung: Can the channel handle end users’ mobile security no-nos?
It seems you can’t go anywhere without seeing a mobile device, and in today’s enterprise world it’s no different.
With more and more devices coming into the enterprise space, security of those devices – and the company and personal data users store on them – becomes increasingly important.
According to various channel players, however, today’s end user – to some, IT’s top security challenge – is still unaware of the threats their mobile devices face, how to use the mobile security available to them and what the security in place can even do.
Users just don’t understand
For some in the channel, it is still too easy for malware and viruses to attack a corporate network through mobile devices.
Khaled Farhang, CEO at MSP eGuard Technology Services, says this is his first thought when thinking of the “weakest link” aspect of mobile security.
Still, many end users do not seem to grasp this threat, especially in the SMB space, according to Farhang, which results in some devaluing the need for proper cyber security.
“Many end users do not understand the risk of mobile connectivity to the corporate network, which leaves them to be very vulnerable,” he tells Channelnomics. “Many…small-to-mid-size businesses feel there is very little risk with mobile devices and, therefore, that they are able to tolerate lack of security.”
And even where there are cyber security measures in place on mobile devices, some users are not using them properly, Dusan Petricko, digital forensics manager at MSSP LIFARS, points out. Too often the executive has witnessed passcodes as vulnerable as ‘1111’ or a mere circle pattern, he tells Channelnomics. Furthermore, Petricko says users tend to share passwords and not use encryption or other security tools the mobile device houses.
Ultimately, this is because users see these offerings as burdens, and so for a solution provider, the biggest challenge is often finding a way to get end users to see security implementations as benefits rather than burdens.
“Usually, changing the customer’s point of view from ‘okay, this action is bothering me’ to ‘okay, this action is protecting me and my data in case something happens’ is the biggest challenge,” says Petricko. “[Getting] the customer who wants to work with you and work on the security and implementation part of it…technically is easier than changing the mindset of the customer and of the people that are using it.”
But even customers on board with mobile security technology can end up exhibiting poor practices, thanks to a lack of understanding of what the technology can really do.
According to Petricko, these customers lack the proper context to understand their mobile security technology and what sort of attacks can hurt it.
“People usually don’t have the context about the technology, what the technology’s capable of and how to properly use it so it’s not misused. The awareness of how the technology works is usually a lacking point…with the end users,” he says.
One security technology that is often misunderstood is fingerprint scanning, according to Raj Goel, CTO at MSP Brainlink International. He says users tend to treat their fingerprint scan as a password, when the more accurate comparison is to a username.
And with increasing vendor marketing and the technology’s growing popularity, this “false sense of security” gets even worse, he tells Channelnomics.
“It makes my job of educating users on security harder,” Goel says. “It’s hard to say ‘do not use fingerprints’. Because a technology exists and it’s being marketed heavily, users are using it without fully understanding it has been implemented with an incorrect model.”
This also adds to channel partners’ compliance risks, as end users put more and more sensitive and corporate data on their devices, thinking no one can get past fingerprint technology.
And with BYOD also gaining steam, channel partners have no control over what end users can and can’t do with devices beyond recommendation, according to Goel, which makes this knowledge gap even more concerning for the channel. For example, many SMBs don’t enforce things like mandatory wipe or data retention policy, Goel says.
Options
Ultimately, mobile security is only as strong as its weakest link, so how can partners handle these issues?
It seems the burden may fall heavily on the partner side, rather than the vendor side, as many vendors do not offer ways to manage fleets of phones, channel players say.
For example, Farhang points to a California-based IT service provider whose client’s mobile device recently became infected with a virus, which spread to Outlook on the desktop, eventually infecting contacts and the calendar before deleting everything. The service provider learned that Office 365 does not natively back up contacts and a third-party solution would be required, Farhang says.
According to Goel, a lack of management offerings means that channel partners have only limited ways to keep an eye on user actions.
“Some manufacturers have some way of managing it, most of them don’t, and if you’re managing a fleet of 50, 100 or 5,000 smartphones, there is no way to actually accurately determine which user is using what version of the operating system, what apps they have, what is allowed and what is not allowed,” he says.
“At this point, managing mobile is an oxymoron. We cannot really manage mobile. We can advise, we can guide, but at the end of the day, what mobile device users buy or bring into [the enterprise] is very much a conversation between them, the carrier, the carrier upgrade cycle and their feature wish list. Security and usability are not even users’ considerations.”
But there are options for channel partners looking to help bring their end users better mobile security.
Farhang says this all points to opportunity for partners to offer training that goes beyond the classroom and into C-level executive discussions on the risks involved with neglecting MDM security.
And according to Petricko, the growth of BYOD brings demand for channel partners to help implement proper practices so that things like corporate data and personal data stay separated.
“This is an opportunity for not only vendors of mobile device management solutions, but also for MSSPs that can help set up the policies, help review the policies, help pick up the right MDM and also help with explaining…that mobile device management is really needed because mobile devices are where your data is,” he says.