The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices.
Mobile devices are now ubiquitous in the workforce due to the vast range of benefits offered to employers. They allow individuals to readily communicate with each other and access resources, even if they are not on-site. Mobile devices allow organizations to improve efficiency and productivity at every level. However, due to the increasing threat posed by hackers and other cybercriminals, these devices can also introduce security issues which are often overlooked.
The devices typically have an always-on Internet connection and lack the robust security controls that are applied to devices such as desktop computers. Users could potentially download malicious apps without first obtaining authorization from the IT department. App downloads could introduce malware and app permissions could allow unauthorized access to sensitive data.
Organizations need to have total visibility into all mobile devices used by employees for work activities, and they must ensure that mobile device security risks are effectively mitigated.
If these security measures are overlooked, hackers or other threat actors may hijack the device and access a potential wealth of sensitive information stored in email accounts on the device. Information such as financial or health data has a substantial black-market value due to its potential use in fraud. The black-market provides substantial incentives for hackers to launch sophisticated attacks aimed at obtaining access to employee mobile devices.
In response to this threat, NCCoE has published ‘NIST Special Publication 1800-21’ to help organizations identify and address risks and improve mobile device security to reduce the likelihood of unauthorized device access and data loss and theft.
The guidance includes how-to guides and an example solution developed in a lab environment using commercially available mobile management tools which can be used by enterprises to secure their Apple iOS and Android devices and networks while minimizing the impact on operational processes.
The guidance was developed by NIST and technology partners Kryptowire, Lookout, Appthority, MobileIron, Palo Alto Networks, and Qualcomm and is available for downloaded from NCCoE on this link (PDF – 14.5MB). Comments are being accepted until September 23, 2019.
Further guidance on mobile device security for Bring Your Own Device (BYOD) is currently under development.
