As I have mentioned in previous blog postings, now that 2021 has started, the concept of the Remote Workforce is going to be with us for a very long time to come. In fact, it has become so entrenched that it will never leave.
While some of the American Workforce may elect to go back to the office, a majority will probably stay home and work. Why not? It is obviously much more convenient, and the hours are a lot more flexible.
Because of this, many companies are now also opting to shut down their brick-and-mortar presence altogether and go for a virtual one instead. Why not here as well? After all, the thousands of dollars being spent on rent and the like can be funneled into Research and Development, Marketing, etc.
But whatever the reasons are, these trends are going to fuel one more trend in 2021: the reliance on the Smartphone and all of the Mobile Apps that can be downloaded onto it.
Keep in mind that using Mobile Apps, especially ones downloaded onto a company-issued device, can be a very risky proposition, especially when IT Security teams in Corporate America are still trying to figure out the best way to reach their remote employees so that they can properly maintain and upgrade their equipment.
So, what should you tell an employee about downloading Mobile Apps and staying as safe as possible when doing so? Here are some key tips:
*Confirm the validity of the Mobile App:
There is a lot that goes on when creating a Mobile App, especially when it comes to writing its source code. Obviously, a majority of your employees will scratch their heads when they hear about this, but confirming the validity of a Mobile App is relatively straightforward. First and foremost, before an employee downloads anything, you should make it a strongly enforced rule in your Security Policies that the IT Security team must be contacted first, so that the App can be run in a sandbox-like environment to make sure that there are no glaring security issues with it. But this can take some time, so if your remote employee needs to download an App in order to get something done, instruct them to conduct an exhaustive Google Search on it first. If the actual name of the Mobile App appears, and there are a lot of positive reviews for it, then the employee can be given the go-ahead to download it on a temporary basis, at least until the IT Security team has done its own research. Even then, this is still a risky proposition, because the reviews themselves could be canned. But overall, this may be the best approach to take. For example, this method could even help curb the phenomenon known as "Shadow IT", where employees deploy unauthorized software without notifying the IT Security team about it.
*Be aware of where the Mobile App is going to be downloaded from:
In this instance, there are two primary places from which they can be downloaded: the Google Play Store and the Apple App Store. I have read a lot about the security of Mobile Apps from these two places, and IMHO, Apple is the much better way to go. First, they maintain very stringent requirements on software developers regarding the testing of the source code before they are even allowed to upload it onto the App Store. Not only must they fill out a lengthy questionnaire about the newly created App, but as far as I know, even once the software development team has passed this first hurdle, I believe that Apple will conduct its own security tests on it before it is released to customers. Google, on the other hand, is quite lax about this (which is really quite surprising to me). For example, they do not maintain the stringent requirements that Apple has, and for that matter, Google even blatantly states that they take no responsibility whatsoever if you accidentally download a rogue Mobile App. The bottom line is that if you fall victim to this, you are financially responsible for any losses that could be incurred. But at least they make these warnings clear, and strongly advise anybody wanting to download a Mobile App from their store to take all of the due diligence steps that they need to. More details about this can be found at this link:
Also, tell your employees to only download Mobile Apps from a very reputable vendor, such as Apple's App Store. You need to constantly remind them of the explosion of fake and illegitimate websites that are cropping up, especially during the COVID-19 pandemic. Very often, these sites will offer their own Mobile Apps, which are really nothing but rogue ones carrying nefarious payloads once they are downloaded onto a company-issued device.
Now, while your employee needs to take part in protecting the digital assets of your company, you as the CISO, business owner, etc. have an equal stake in this process as well. It is a partnership in this regard. So here are some quick tips for you:
*Create a list of the sources from which your remote employees may download Mobile Apps (this was just covered in the last bullet);
*Enforce strict penalties if a remote employee downloads a Mobile App without at least notifying the IT Security team beforehand;
*Although this may sound like a real pain, your IT Security team should also very carefully scrutinize the Terms of Service and Service Level Agreements of the Mobile Apps that you are considering whitelisting. You really want to make sure that there are no gray areas that could cause real, serious issues down the road;
*Whenever an employee leaves or is terminated, immediately cut off access to all of their accounts. For company-issued wireless devices, this is a very simple proposition: just issue what is known as a "Remote Wipe" command, which should, for the most part, take care of everything from a security standpoint (keep in mind that the device has to be enrolled in your mobile device management tool and reachable online for the command to take effect);
*In today's environment, it is crucial that your IT Security team has the ability to monitor rogue activity in real time, or to pick up abnormal end-user behavior. In this regard, you should consider using an Artificial Intelligence (AI) tool that can help you do this. They are not very expensive, and nowadays many of them come as a hosted offering, so they are affordable even to Mom-and-Pop businesses.
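To make the three technical bullets above concrete (an allowlist of download sources, catching installs that were never cleared with IT Security, and spotting abnormal end-user behavior), here is an added example that is not part of the original post or of any vendor's product. It screens a batch of mobile-device-management install events against a source allowlist, an approved-app list and a simple per-device install-rate baseline. The event format, the source identifiers, the package names and the burst thresholds are all assumptions constructed for the illustration; a real MDM export would need to be mapped onto these fields.

```python
"""Screen MDM app-install events against a source allowlist, an approved-app
list and a simple per-device install-rate baseline.

Added illustration for this post; the event format, identifiers and
thresholds below are assumptions, not any vendor's real export or API.
"""
from collections import Counter
from statistics import median

# The two stores the post recommends permitting (assumption: these are the
# only source identifiers the MDM export uses).
ALLOWED_SOURCES = {"apple_app_store", "google_play"}

# Apps the IT Security team has already vetted (hypothetical identifiers).
APPROVED_APPS = {"com.example.vpn", "com.example.notes", "com.example.mail"}

# A device-day with more installs than max(MIN_BURST, BURST_FACTOR * median)
# is treated as abnormal end-user behaviour (assumed thresholds; the median
# is used instead of mean/std-dev so a single noisy device cannot mask itself).
MIN_BURST = 3
BURST_FACTOR = 3

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"device": "dev-01", "user": "alice", "day": "2021-01-11",
     "package": "com.example.vpn", "source": "google_play"},
    {"device": "dev-02", "user": "bob", "day": "2021-01-11",
     "package": "com.example.notes", "source": "apple_app_store"},
    {"device": "dev-03", "user": "carol", "day": "2021-01-11",
     "package": "com.freevid.player", "source": "sideload"},
] + [
    {"device": "dev-04", "user": "dave", "day": "2021-01-11",
     "package": f"com.random.app{i}", "source": "google_play"}
    for i in range(6)
]


def check_event(event, approved=APPROVED_APPS, allowed=ALLOWED_SOURCES):
    """Return the policy findings for one install event (empty list = clean)."""
    findings = []
    if event["source"] not in allowed:
        findings.append(f"{event['device']}: install from disallowed source "
                        f"'{event['source']}' ({event['package']})")
    if event["package"] not in approved:
        findings.append(f"{event['device']}: unapproved app {event['package']} "
                        f"installed without IT Security review")
    return findings


def burst_devices(events, min_burst=MIN_BURST, factor=BURST_FACTOR):
    """Return {(device, day): count} for device-days well above the median rate."""
    counts = Counter((e["device"], e["day"]) for e in events)
    if not counts:
        return {}
    threshold = max(min_burst, factor * median(counts.values()))
    return {key: n for key, n in counts.items() if n > threshold}


def screen(events):
    """Run both checks and return findings grouped by device."""
    report = {}
    for event in events:
        for finding in check_event(event):
            report.setdefault(event["device"], []).append(finding)
    for (device, day), n in burst_devices(events).items():
        report.setdefault(device, []).append(
            f"{device}: {n} installs on {day} exceed the install-rate baseline")
    return report


if __name__ == "__main__":
    for device, findings in sorted(screen(SAMPLE_EVENTS).items()):
        for finding in findings:
            print(finding)
```

On the constructed sample, dev-01 and dev-02 come back clean, dev-03 is flagged twice (sideloaded and unapproved), and dev-04 is flagged for six unapproved installs plus an install burst. The point of the median-based baseline is that it works even on a small fleet, where a z-score would never cross a sensible threshold; a hosted AI tool would do something more elaborate, but the inputs it needs are exactly these events.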
My Thoughts On This
The primary objective of any rogue Mobile App is to exfiltrate confidential information and data from your company, especially PII datasets. The Cyberattacker fundamentally wants to cash in on this once it is in their hands, whether it is sold on the Dark Web or used for extortion purposes. True, trying to prevent any form of Data Leakage, whether intentional or not, is a very hard thing to do these days, especially given the meshing of Corporate and Home Networks that is taking place.
But the bottom line is this: any missing data is your responsibility. And if you don't at least take this seriously, you could be facing an audit and/or some very steep financial penalties imposed under the GDPR and the CCPA.