Welcome to 2015: Time to Give Up Outdated Security Models

Posted on January 07, 2015

Once upon a time, the goal of IT security professionals was to create an impenetrable security wall to protect company assets from outside thieves and hackers. IT World Canada says that's an outdated idea, and CIOs in 2015 have given it up in favor of more achievable goals.

The article by Nestor Arellano says that mobile device headaches have changed cyber security forever, and that connected devices of all kinds have created a third platform that forces CIOs to shift their focus toward risk assessment rather than the "outdated perception" of creating an impenetrable wall around the corporate network.

In its IDC FutureScape: Worldwide CIO Agenda 2015 Predictions, IDC says that by 2017, 80% of the CIO's time will be focused on analytics, cyber security and creating new revenue streams through digital services. Citrix weighed in with the prediction that the number and type of employee-owned devices will continue to increase this year, and for the foreseeable future, predicting 10.2 billion employee-owned devices in the workplace by 2018.

Jared Hansen, CEO of mobile security leader Breezy, says that for many companies, 2015 will be the year that they begin the process of accepting that they cannot block employee-owned devices from accessing the corporate network. "Many employees now have multiple mobile devices, and their use has already changed the way people work. IT has to keep up, and that means accepting reality and focusing on assessing and managing risk."

Worrying New Threats Ahead

As IT departments and CIOs relinquish old ideas about data security, they're increasingly focused on planning ahead for new threats. By far, the most talked-about new threat is the Internet of Things, or IoT. The IoT is made up of devices, machines, and computers connected to each other through the internet. Among other areas, the concept can be applied to medical systems, home automation, transport systems, printers, wearable devices, and the machines used in heavy industry. Gartner forecasts that 4.9 billion smart devices will be in use by 2015, up 30 per cent from 2014, and will reach 50 billion by 2020.

All of these new connected devices create new paths for attack. According to Gartner, a common problem within organizations is that existing security models don't account for the dynamic way organizations operate in 2015. In an interview with Networks Asia, the analyst firm says that the ability to adapt quickly to changing user behavior is critical to network security as the Internet of Things (IoT) becomes more of a reality in the business world.

"We've been talking about how the number of connected devices is skyrocketing for several years," Hansen says. "But this is likely to be the year that a major data breach from an unexpected source brings the lesson home. I hope that I am wrong on that. Until now, we have seen only relatively minor data breaches caused by printers and mobile devices, but I think that has largely been because there have been soft targets elsewhere, like the point-of-sale systems that caused so much trouble for several major companies last year.

"As those systems become more secure, and the number of connected devices continues to grow rapidly, I think we are going to see more stealth attacks from other sources."

A recent study by HP claimed to have found approximately 25 vulnerabilities in each of 10 popular smart devices, including thermostats, smart TVs and webcams.

In addition to the vulnerabilities introduced by new devices, companies around the globe are seeing an increase in other kinds of threats, including:

The ongoing war between cyber criminals and IT is like an escalating arms race, experts say. So what's the best way to protect your company and its employees in 2015?

First, face reality. BYOD isn't going away, and the number of devices connected to any company network will continue to grow rapidly. Intel predicts that 50 billion devices will be connected worldwide by 2019. The University of California, Riverside's Bourns College of Engineering demonstrated the vulnerabilities in mobile operating systems like iOS, Android and Windows, and claims a success rate of 82-92% in accessing personal and company data after penetrating popular apps like Gmail, personal banking sites, and cloud storage systems.

If mobile devices and apps are that vulnerable, the only way to protect your network is with a comprehensive enterprise mobility management (EMM) solution that includes protection for the most common connected devices, including printers accessed from mobile devices.

Second, take the time to train your employees and create an ongoing training and incentive program to encourage them to help you protect your data. "The human firewall - that is trained, aware, motivated employees - are your best protection," says Breezy founder Jared Hansen. "No CIO can afford to forget that employees don't want to put data at risk. They simply don't understand what risky behaviors they're engaging in, and it's up to us to remind them. A single training session or policy review when they're hired doesn't work - it has to be ongoing, and it has to be frequent. Your employees are unsuspecting victims with cheap and accessible hardware, facing off with sophisticated, well-funded attackers."

Last, but not least, it may be time to take a fresh look at the physical security of your network. Not in the sense that you need more locks on the server room door, but perhaps in the sense of looking for fake femtocells, base stations and access points that are driving new kinds of targeted attacks. "Does anyone really have enough WiFi bandwidth these days? Sit at your desk, and click on the WiFi menu on any device. How many of the unprotected, open access points you see do you recognize?" Hansen asks.

Remember that the default setting in most cell phones, and many apps, is to connect to the cellular towers with the best signal first, so even carefully selecting which WiFi network to connect to doesn't protect users from attacks carried out through the cellular network.

Add in the new Wi-Fi standards now available (802.11ac Waves 1 and 2, 11ad, 11aq and 11ah) that enable Wi-Fi to provide mobile data offloading, namely the use of complementary network technologies for delivering data originally targeted for cellular networks, and experts think that a compromised 3GPP WiFi network is one of the biggest new threats for mobile devices.

"Man-in-the-middle attacks against a compromised WiFi network attack by easily interrupting, redirecting and intercepting mobile voice and SMS traffic has never been easier," Hansen says. "So on-device encryption will be more important than ever as the new threats become reality."

For more information on mobile device security and secure mobile printing, watch this video from Breezy, download The Definitive Guide to Mobile Printing, a free ebook, or click here to schedule a Breezy demo now.
