Five Deadly Sins
The privacy pitfalls to avoid when choosing a mobile threat defense solution
In our experience, mobile is almost always used for both personal and business purposes regardless of who is paying for it. So, whether it’s COPE or BYOD, it’s always going to be used for both personal and business purposes. It is true that some organizations try to operate with highly locked-down phones, but in our experience, this approach tends to break down: there are always requests to whitelist a new ‘vital’ app, and there is always resistance to having to carry two devices.
Mobile security and employee privacy
Monitoring is inherent to security solutions by the nature of the job they are tasked to perform. As a result, having regard for employee privacy is always an issue when we’re dealing with security. Employees know this and are understandably wary of any new security solution. This means that addressing employee concerns about the privacy implications of mobile security solutions is essential if you are to get buy-in. And buy-in is essential because invariably, there are ways in which disgruntled users can frustrate the rollout and maintenance of a solution. This is partly because mobile operating systems are user-centric: the user of the device has a much great degree of control of the device than is normal in corporate IT.
IT professionals who have been involved in the rollout of mobile device management solutions will be well aware of employee resistance to having their devices managed. These concerns have meant that organizations have had limited success in persuading employees to allow BYOD devices to be managed. This has multiple practical implications: BYOD devices may need to be restricted from accessing certain enterprise applications, and/or organizations are forced to provide mobile devices.
It needs to stack up
The technology industry has an unfortunate but well-deserved reputation for hiding unacceptable privacy practices behind weasel words. Craftily crafted privacy statements conveyed a false sense of security and suggested only the most benign data collection practices. There has been a backlash against this and a growth in the wariness of employees. Soothing phrases are no longer enough. To address these concerns properly, there is no alternative but to studiously avoid collecting sensitive private information. And avoid the need to come up with privacy statements which gloss over questionable practices.
But how to do this
Below we explain the five deadly privacy pitfalls to avoid when implementing a mobile endpoint security solution for your organization.
Location, location, location
There is no reason why a mobile security solution should need to know an employee’s location. In reviewing a range of solutions, we have seen that a considerable number ask employees for permission to access their location. It’s often unclear as to why this is required. It is true in Android that this permission is required to access information about the SSID of the current Wi-Fi network. Some providers claim that knowing this allows them to identify rogue hotspots. Our analysis suggests that this ability is of little or no value. Other solutions use location information simply as an excuse to show pretty maps in their administration consoles!
You’re reading my files – WTF
Another cardinal sin, in our opinion, is asking employees to give a mobile security solution access to all files stored on their devices. This means giving my employer access to all the rich range of images, messages, videos, logs and recordings that a typical user stores and which are the very definition of private material. Again, our assessment is that reading files from a mobile phone is not something needed to secure a device.
You’re logging my keystrokes
A number of mobile security solutions implement their anti-phishing protection simply by reading the URL that an employee types into the browser. In order to do this, they need to be given what is known as the Accessibility permission. The Accessibility permission, as its name suggests, is designed to help people with certain disabilities interact more easily with mobile apps… It is an extraordinarily powerful and broad permission which allows the application to take complete control of the device, read messages, overlay screens, log keystrokes, and more. It’s a permission that is widely abused by malware, and so it seems perverse to us that a product designed to keep employees safe would misuse such a capability.
You’re monitoring my browsing
Filtering out suspicious content is a foundational capability of any mobile endpoint security solution. For this reason, it’s important to be able to monitor the flow of internet access requests and block those that could cause harm. This harm may be in the form of a phishing link, a link to a malware download server or a request to access risky or inappropriate content.
Monitoring can be implemented in ways which are good or bad: highly intrusive or highly privacy sensitive. At the privacy-sensitive end of the spectrum, you have the approach that Corrata takes. The Corrata agent running on the device filters internet requests in real-time, keeping no record of the 99.99% of requests which are benign and only collecting information relating to malicious domains. What’s more, lookups to threat intelligence are also anonymous. As a result, Corrata has no way of reconstructing user browsing history from the information it collects. This is the gold standard when it comes to providing effective mobile endpoint protection while maintaining user privacy.
In contrast, some other approaches to web filtering are highly intrusive. The most extreme are approaches that route all of the traffic from a device to a central monitoring point. That means that whoever has access to this monitoring point (the security provider or the client organization) has access to all the information related to the employees’ browsing activity. Less catastrophic from a privacy perspective but still unacceptable, are solutions that adopt a similar approach to Corrata by filtering on the device but which do not maintain anonymity.
We know from dialogue with clients that not only are they concerned with employee privacy, but they’re also concerned about the data protection obligations flowing from an unnecessary collection of personal information. Solutions that collect information about employee location, files, or browsing history are the kinds of solutions which give Data Protection Officers nightmares. And IT Security professionals are well aware that they don’t want to upset their DPO unnecessarily!
Getting it right
Taking care to avoid the pitfalls outlined above allows you to be upfront and straightforward in explaining to employees how your mobile security solution operates and how it protects.
In our experience, this approach wins out. What has been particularly notable in many of our deployments is the level of trust and degree of reassurance achieved with employees. So much so that employees, on multiple occasions, have asked for permission to install the Corrata mobile threat defense solution on devices used by their children or other loved ones. And there is no better recommendation than that.