© Grant Thornton. All rights reserved. Auditing Your Company's Mobile Devices Institute of Internal Auditors Raleigh-Durham Chapter Jim Culbreth Director


Auditing Your Company's Mobile Devices

Institute of Internal Auditors, Raleigh-Durham Chapter

Jim Culbreth, Director

Presentation Focus

Today’s presentation will focus on the following:

• Understanding the security basics of mobile devices.
• Understanding the risks associated with mobile devices.
• Discuss best practices for securing the Company's use of mobile devices.
• Identify methods for auditing the Company's use of mobile devices.

Agenda

• Mobile Devices Overview
• Risks and Audit Strategies
• Q&A

Mobile Devices Overview: Group Discussion

1. What type of mobile devices does your company allow to connect to their computer networks?

2. What are the top five risks associated with mobile devices?

3. Has your company performed a mobile device audit?

4. Are you aware of any data security issues at your company related to mobile devices?

Mobile Devices Overview: Defined

• Small computing device used for the assistance and convenience of certain aspects of a conventional computer in environments where carrying a computer would not be practical.

- Smartphones
- Tablets
- Smart Wear?

What is Bring Your Own Device?

• Allowing employees to use their personal devices to access company information, but where do companies draw the line?

– Using their personal laptop to conduct company business?

– Using personal devices such as smartphones or tablets to access company email?

Components of a Centrally Managed Solution

Policy Examples:

• How to Use the Device

• GPS Location Detection

• Encryption

• Remote Wipe

• Monitor outflow of information

Components of a BYOD Solution

Policy Examples:

• Password

• Encryption (?)

• Remote Wipe (?)

• Access Control (?)

• Data removal at separation (?)

• Audit / Quarantine (?)

Using your Personal Laptop

• Allowing employees to use laptops to conduct company business.

Risks:

• Incompatible hardware

• Bringing your bad habits from home

• Insecure personal hardware

• Theft/damage

Solutions:

• Non bare-metal desktop virtualization

• Application virtualization

• VPN

• Encryption

Using your Personal Mobile Device

• Allowing employees to use their mobile devices such as smartphones and tablets to check company mail and access company data.

Risks:

• Incompatible Hardware

• Bringing Your Bad Habits From Home

• Insecure Personal Hardware

• Theft and Damage

Solutions:

• Enterprise Mobility Management (EMM) Software

• Remote Wipe

• Encryption

• PC Application Mobilization

What about my new smart watch?

• Syncing your corporate email and calendar to your smart watch can be done in seconds.

• Most BYOD policies do not cover smart wear yet.

• Educate yourself on what your device is capable of and how to secure it from cyber threats.

• Companies must update their risk assessments and policies to address these new devices.

Security Findings

Mobile Devices Overview: Unique Challenges

• Management wants increased productivity and satisfaction for employees

• Executives and business owners are dictating technology decisions based on personal perspectives

• Employees want to use personal devices to connect to Company IT systems

• IT management is challenged to implement a solution beyond basic e-mail, contacts, and calendars

• Technology is often deployed without understanding the risk

• Technology is also key to interacting with customers and increasing sales and communications

Mobile Devices in the Work Place

• The Good: The average American BYOD user saves 81 minutes a week when using his or her personal device.

-Cisco

• The Bad: "The average global enterprise has approximately 2,400 unsafe applications installed in its mobile environment."

-Veracode

• The Ugly: 35 percent of workers say they store their work passwords on their smartphone

-SecureEdge Networks

Mobile Devices in the Work Place: Pros and Cons

"The biggest risk is not having any sort of BYOD policy in place"

-Shaun Smith, technology practice director at Xceed Group

The Difference between Google's Android and Apple's iOS

Android OS:

• Partially open source

• Used by multiple manufacturers

Apple iOS:

• Closed source

• Present solely on Apple products

How much safer are iPhones than Android phones?

"Five times more OS X malware appeared in 2015 than the previous five years combined."

- Bit9 + Carbon Black

In 2014 nearly one in five Android users encountered a mobile threat at least once during the year

-Kaspersky Security Bulletin

"THE GOOD news: Half of all Android devices have gotten fairly recent security updates, patching the hackable flaws that leave users vulnerable to digital crime and espionage. The bad news? The other half hasn't."

– Wired, 2017

The Real Risk is in the Application Layer

• Update OS and Applications (but not right away)

• Is the Wi-Fi Secure?

• Know where your Data and Money are going

How to Improve Mobile Application Security

1. Conduct a segmentation exercise and a mobile moment audit.

2. Conduct an enterprise mobile risk assessment.

3. Define policies by segment.

4. Define clear roles and responsibilities for security and operations staff.

5. Implement an enterprise mobile control point.

6. Define procedures for vetting new applications.

7. Use pilot groups and implement your program in phases.

Mobile Devices Overview: Management Solutions

Mobile Devices Overview: Management Solutions (cont'd)

Agenda

• Mobile Devices Overview
• Risks and Audit Strategies
• Q&A

Risks and Audit Strategies: Lessons from Dilbert

Risks and Audit Strategies: Malicious Apps

Risks and Audit Strategies: Top 5 Risks

1. Theft of sensitive data stored on the device due to loss of the device and/or viruses and malware

2. Unauthorized use of the device to access sensitive and confidential computer systems located in the Company's data centers

3. Productivity issues (including poor internal and external customer service) due to device/system outages (i.e., broken device, Spam, etc.)

4. Increased IT infrastructure and support costs due to additional hardware, IT support, and training requirements

5. Unique Legal and HR issues

Risks and Audit Strategies: Top 10 Best Practices and Audit Strategies

1. Implement a corporate mobile devices policy that addresses supported devices, security policies, end user acceptable use policy, etc.

2. Define specific controls (i.e., items included on this list) for personally owned devices in the corporate mobile devices policy.

3. Implement data encryption and strong password controls on all aspects of the device.

4. Implement "remote wipe" functionality.

5. Require anti-virus and anti-malware software.

Risks and Audit Strategies: Top 10 Best Practices and Audit Strategies (cont'd)

6. Restrict mobile device capabilities (i.e., installed applications, use of "Wifi" networks, etc.) and monitor usage (i.e., log text messages, etc.).

7. Require VPN access (including password token technology) to connect to the Company's computer systems.

8. Automatically back-up key device settings and data to a secure location.

9. Provide end user training, including security awareness training, on a regular basis.

10. Involve the Company's Legal, HR, and Audit Departments.

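Practices 1 and 3 through 7 above are the ones an auditor can test directly against the device inventory that an EMM/MDM platform exports, which is the usual source of evidence for a mobile device audit. The script below is an added example, not material from the presentation or from Grant Thornton: it reads a constructed CSV export, checks each device against assumed policy thresholds (supported platform and minimum OS release, storage encryption, passcode length, remote wipe, anti-virus agent, Wi-Fi restriction, VPN profile) and rolls the exceptions up per control the way an audit workpaper would. The column names, thresholds and sample rows are all assumptions; a real export will use its own field names and would need mapping first. Practices 2 and 8 through 10 are procedural and are not evidenced by an inventory, so they are not checked here.

```python
"""Audit an EMM/MDM device-inventory export against the deck's mobile device controls.

Added example; it is not part of the original presentation. The column names,
policy thresholds and sample rows below are constructed assumptions: a real
EMM export will use its own field names, so map them before use.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample export: one row per enrolled device (field names are assumed).
SAMPLE_INVENTORY = """\
device_id,owner,ownership,platform,os_version,encrypted,passcode_min_len,remote_wipe,av_installed,wifi_restricted,vpn_profile
D001,alice,corporate,ios,16.4,yes,6,yes,yes,yes,yes
D002,bob,byod,android,13,no,4,yes,no,no,yes
D003,carol,byod,android,10,yes,0,no,no,no,no
D004,dave,corporate,ios,17.1,yes,8,yes,yes,yes,yes
"""

# Assumed policy thresholds; a company would set these in its mobile devices policy (practice 1).
POLICY = {
    "supported_platforms": {"ios", "android"},
    "min_os": {"ios": (16, 0), "android": (12, 0)},   # oldest supported major.minor
    "min_passcode_len": 6,
}


@dataclass
class Finding:
    device_id: str
    control: str   # numbered best practice from the deck that the device fails
    detail: str


def parse_version(text: str) -> tuple:
    """Turn '16.4' or '13' into a comparable (major, minor) tuple; non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.strip().split(".")]
    parts += [0] * (2 - len(parts))
    return tuple(parts[:2])


def is_yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def audit_device(row: dict, policy: dict = POLICY) -> list:
    """Return the list of Findings for one inventory row, in control-number order."""
    did = row["device_id"]
    findings = []
    platform = row["platform"].strip().lower()
    if platform not in policy["supported_platforms"]:
        findings.append(Finding(did, "1-supported-devices", f"platform '{platform}' is not supported"))
    elif parse_version(row["os_version"]) < policy["min_os"][platform]:
        findings.append(Finding(did, "1-supported-devices",
                                f"{platform} {row['os_version']} is below the minimum supported release"))
    if not is_yes(row["encrypted"]):
        findings.append(Finding(did, "3-encryption", "device storage is not encrypted"))
    if int(row["passcode_min_len"] or 0) < policy["min_passcode_len"]:
        findings.append(Finding(did, "3-strong-password",
                                f"passcode minimum length {row['passcode_min_len']} < {policy['min_passcode_len']}"))
    if not is_yes(row["remote_wipe"]):
        findings.append(Finding(did, "4-remote-wipe", "remote wipe is not enabled"))
    if not is_yes(row["av_installed"]):
        findings.append(Finding(did, "5-antivirus", "no anti-virus/anti-malware agent reported"))
    if not is_yes(row["wifi_restricted"]):
        findings.append(Finding(did, "6-restrict-wifi", "Wi-Fi use is not restricted by policy"))
    if not is_yes(row["vpn_profile"]):
        findings.append(Finding(did, "7-vpn", "no VPN profile for access to Company systems"))
    return findings


def audit_inventory(csv_text: str, policy: dict = POLICY) -> dict:
    """Audit every row of a CSV export; returns {device_id: [Finding, ...]}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device_id"]: audit_device(row, policy) for row in reader}


def summarize(results: dict) -> dict:
    """Roll findings up the way an audit workpaper would: totals and a per-control count."""
    by_control = Counter(f.control for findings in results.values() for f in findings)
    return {
        "devices_total": len(results),
        "devices_noncompliant": sum(1 for f in results.values() if f),
        "findings_by_control": dict(by_control),
    }


if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for device_id, findings in results.items():
        print(f"{device_id}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print(f"   [{f.control}] {f.detail}")
    print(summarize(results))
```

On the constructed data the two corporate devices pass and the two BYOD devices fail, which is the pattern the deck's practice 2 anticipates: the per-control counts in the summary show which policy requirements are unmet across the fleet, and the per-device findings give the auditor the exception list to follow up with IT. The thresholds live in one place so the same script can be re-run against the company's actual policy values.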

Security Goals and Audit Objectives

Agenda

• Mobile Devices Overview
• Risks and Audit Strategies
• Q&A

Q&A