What COVID-19 Risk Management And IT Risk Management For Financial Institutions Have In Common
If there’s one thing that we have learned from the recent COVID-19 crisis is that nothing is without risk. Any salesman that comes along and tells you that something is “risk-free” is not telling you the truth.
Whether you drive a car, ride your bike to work, or take the subway in a big city, there is risk involved.
Author: John McMahon
Read time: 6min
Life is Risk
What the financial markets have learned over the past decade is the fine art of managing risk.
Now, more than ever, our economy is dependent on you, our financial services and banking institutions, in conjunction with the Fed to manage the risk of inflation/hyper-inflation – avoiding the financial collapses seen in great civilizations before us like Athens, Rome, and the Weimar Republic in Germany.
But while you and your colleagues are working on helping our country walk this fiscal tightrope on a global stage, there’s one more thing you have to add to your collection of spinning plates.
You’re already all too aware of the problems of cybercrime stemming from lone-wolf hackers, cybercrime syndicates, and rogue nation-states. So, we won’t get into that.
The risk factors that you might not be considering right now are:
Crashes of Outdated Hardware
Sluggish Legacy Applications that Drain Resources
Mismanagement of Big Data
IT Compliance Challenges
The Incorporation of Unproven Technology and AI
The list could go on and on, but you get the idea.
Even if we ignore cybersecurity challenges (and you shouldn’t), there is still inherent risk in running financial services and banking IT systems.
What Do We Learn From COVID-19 About IT Risk Management for Financial Services and Banking?
1. Put the Professionals to Work – Whether you are a fan of the current administration’s handling of the COVID-19 crisis or not, you can certainly agree that we need to listen to the healthcare professionals. Why? Because most of us are not epidemiologists. The healthcare professionals can diagnose the problem, give us guidance to get things on track and provide ongoing support to keep the virus at bay. In reality, the CDC, WHO, and HHS are risk management teams. Dealing with risk in your IT environment really is no different, you need to get the professionals involved. Not somebody just out of “med school” but an experienced IT team that can give high-level guidance.
2. Containment and Mitigation – Here’s the hard truth. As long as you have an IT system in your firm or banking institution, there are going to be people trying to leverage that IT system against you for their gain. Technology professionals, like those on the IronOrbit team, have numerous ways to contain and mitigate threats (risks) to your proprietary data and confidential client info. One of those ways is called “sandboxing.” Simply put, an IT “sandbox” is a virtual IT environment in which we can run suspicious apps and open strange files and emails, so if one of them is dangerous, it never comes in contact with your cloud-based environment. Sandboxing is just one of the dozens of tools in the Iron-Orbit containment and mitigation arsenal.
3. Build New Systems – You already know that all systems were not created equal. This is a lesson that we have learned the hard way in the healthcare field during the COVID-19 crisis. In this challenging time, everything from medial logistics to food supply has had to be reconfigured or reinvented to meet the risk the virus is to our society. IT systems are no different. Many banking institutions and financial services firms (maybe yours) operate today on IT systems that are on the brink of failure. Their risk is high. To lower the risks we’ve mentioned above, IT systems have to be reimagined by technology professionals that deal with digital transformation technologies on a daily basis.
Want to know more about lowering your IT risk profile?
We’ve got all the details, and we’d be happy to help.
Send an email or give us a call to begin a no-obligation conversation
Or click below to learn more about our finance solutions.
“This changes everything.” We’ve heard this many times before. Also, “This time, it’s different.”
Usually, it’s not different. Things feel different for a little while, and then things return to normal.
This time, I think, truly is different. The COVID-19 pandemic has forced most businesses to close their doors. Conferences, concerts, and sporting events have been cancelled. And companies have their employees working from home. More employees now work from home than ever before.
Remote work probably is here to stay. For that reason, honing your remote work policy is my number one recommendation during the pandemic. I also recommend working on and practicing your disaster and contingency planning policies, storing sensitive data centrally, and encrypting sensitive information.
A little background on me: I’m a former CIA officer, so I know a thing or two about traveling and working remotely. Almost 15 years ago, I started working “remotely” under minimal supervision. My work was representing the US Government in meetings with other governments. These were countries most people have never heard of.
When I left the Agency, I found myself consulting and working remotely for companies throughout the US and throughout the world. My clients extended as far away as Poland and Ukraine. I never met my clients Poland face to face. The business was entirely remote.
I co-founded a company. My partners and investors were based in Boston. I worked, you guessed it, from home. My responsibilities necessitated travel. I had to spend some personal time with my team in Boston. I spent about one week each month onsite.
The amount of time needed on-site could vary. While my startup required a good deal of me being onsite, many consulting projects were done remotely. I’d say most any job can be accomplished remotely.
There has been significant discomfort in the past about remote work. I have experienced this first hand. As I rose through the ranks at the CIA, people wanted me for increasingly senior positions. My working from home became more of a problem for my supervisors. Companies might be comfortable with a developer or designer telecommuting. They are definitely not comfortable when it comes to a job that involves managing a team. Last January, I had discussions with companies who loved my skills and experience. They wanted what I had to offer. But the distance and telecommuting was a deal-breaker. So they backed out because they were uncomfortable.
Technology has made Location Irrelevant
Before the coronavirus, management and HR policies were stuck with the old ways of doing things.
The need for physical distancing has forced us to work from home. Many business leaders, managers, and even employees were uncomfortable with the concept. Most will find remote work isn’t bad or scary. Many will even become comfortable with remote work as standard policy. An April 6, 2020 ZDNet article reported that 74% of CFOs say they expect to move previously on-site employees remote post-COVID-19. Gartner found that a quarter of respondents will move at least 20% of their on-site employees to remote work permanently.
Pandemic Recommendation #1: Hone the Remote Work Policy
Remote work is here to stay. Remote work maximizes worker time by cutting out commutes. It decreases the need for parking and office facilities. It saves energy too. Not as much gasoline is used. There are fewer traffic accidents. There is less pollution because people are not driving to work en mass.
But remote work also raises a whole new set of security issues. How do we keep customer or other sensitive data secure when that data is in an employee’s home?
Do you remember the Equifax incident? Equifax couldn’t be counted on to patch its centralized systems. Their systems contained huge amounts of personal information. How can we handle personal information printed on little Johnny’s color printer? No company wants to be responsible for the next Equifax-type incident because its employees are working from home.
Having employees work from home presents more vulnerable endpoints. “More personnel telecommuting adds to cybersecurity risks. These people carry devices packed with data. “Opening remote access creates more challenges,” according to Parry Aftab, Executive Director of The Cybersafety Group. Be sure you have considered endpoint security as part of expanded remote access.
And what happens if a worker is injured while working from home? Will they be eligible for Workers’ Compensation benefits?
For these reasons, my number one recommendation is to hone in on your Remote Work Policy. If you don’t already have a remote work policy, then you need one right away. What is the policy now, and what will it be after the crisis is over. If you do have one, now is a great time to review the policy. Make sure it still fits today’s needs and contexts. Update the policy as needed.
The policy should include the expectations of employees. What security measures are employees expected to use at home. Clarify legal liabilities. How will you protect privacy and remain GDPR and/or CCPA compliant? What are the company’s policies on equipment use and repairs? A complete Remote Work Policy will address these issues.
Ensure that employees maintain a safe remote work environment. Secure their devices with anti-malware software. These devices should have personal firewalls, and regular patching for software vulnerabilities.
A few years ago, I was walking the halls of RSA with one of my clients, helping them make sense of the complex and confusing world of cybersecurity. RSA is *the* conference for cybersecurity. 45,000 people attend each year including more than 600 vendors. We were walking the expo halls. We saw an endless supply of hi-tech security offerings. There were vendors offering proactive protection. Some had advanced threat detection, while others had automated or AI-augmented remediation tools.
Out of the 669 vendors at RSA, how many were there to help companies prepare for disaster recovery and contingency plans? I didn’t see one. When it comes to pandemic, we’re mostly on our own. There is no Coronavirus as a Service (CaaS). When we face potential times of crisis, it’s a good reminder to test our continuity plans. If there are no continuity plans to test, then it is vital to create them.
It all starts with your business continuity & disaster recovery plan. Such a plan is a standard part of a NIST 800-53’s CP-1. It includes strategies like having alternate data storage sites. Alternate data storage sites are important if the main storage site becomes inoperable or compromised. Backups should be in multiple locations far from each other. If one is on the west coast of the United States, the other should be on the east coast. The midwest is also a very good location for remote workers. That region is good for fail over data centers or other cloud resources.
You will want to review your plan. Identify and account for all assets, both technology and human.
Review alternate operations center options. Current areas of operations may become inaccessible. A pandemic may make it unsafe for people to congregate in one place. This is a good time to review or create work-from-home programs. Consider remote fractional vCISO services. Ensure you can maintain your security operations even if employees can’t physically come to the office.
Pandemic Recommendation #3: Store Everything Securely
With so many employees working from home, it’s easy for sensitive information to leak. Remote work often involves creating and editing work-related information. These can be emails, Word documents, and Excel spreadsheets. A customer’s personal identifying information could be left on a personal printer. Sensitive business information can end up on a CD that gets misplaced. There are number of possible security mishaps.
Imagine you recently became GDPR compliant. At a cost of more than $100,000 for 74% of organizations, according to a CPO Magazine article. If you don’t protect personal information at your worker’s homes, you might still be facing a GDPR fine. According to the UK Information Commissioner’s Office, a company in England was fined $340,000 for leaving documents with personal information unlocked,
To reduce this risk, it’s important to store files in a centralized location. A secure cloud is the best location. If the information stays in your cloud, it’s much less likely to end up somewhere it shouldn’t be.
Pandemic Recommendation #4: Encrypt Data
When more employees work from home, it’s more likely that their devices will be lost or stolen. Encrypting these devices prevents others from reading and using the information on a stolen or lost device. Full disk encryption on personal computers, phones, and tablets is a good method. It will encrypt all storage on the employee’s device. Or at least create an encrypted partition to store sensitive data.
Advanced Encryption Standard (AES) is a good encryption standard to use. The US Government uses AES to keep classified data secure, according to an article in TechRadar.
Even if an employee’s computer is encrypted, there are security risks. The data may not be encrypted when it’s in transport. If an employee has full-disk encryption, the data will not be encrypted in transit. Ensure that data is encrypted before transit. This way anyone who intercepts the data cannot do anything with it. Another good strategy is to set up a secure protocol like Transport Security Layer (TLS).
Technology can go a long way to keep your data secure, but security is essentially a people business. Most breaches occur when people make mistakes. There is no substitute for educating your team. Train and retrain them on the fundamentals. Establishing standards for shutting down each day is a good idea.
Data breaches are happening at an alarming rate. In fact, the threat of ransomware attacks has become elevated to crisis levels. While there’s increased awareness, attacks are becoming more sophisticated. A variety of large and small organizations are being attacked. No one is immune. The healthcare industry has been and continues to be, prime targets. And for good reason. Healthcare organizations are considered low-hanging fruit by cybercriminals. Hackers know healthcare centers are notorious for having inefficient security. Most hospitals don’t have procedures in place to restore a network once locked by ransomware. Most applications in Hospitals have little or no network segmentation. There are no firewalls between workloads. Basic security protocols are not in place.
Besides the alarming ransomware statistics, there are some attacks that never get reported. The U.S. Department of Health and Human Services experienced 52 data breaches in October. Last year, hackers stole over 38 million medical records. These sobering statistics have made the healthcare industry take notice. Many healthcare organizations are taking steps to increase cybersecurity. But more can be done. This article will take a look at some of the more recent ransomware cases. We’ll look at some mistakes that were made in dealing with cyberattacks. And we’ll offer ways to improve cybersecurity and protect patient data moving forward.
The consequences of a data breach reach far beyond the breaking news story. There’s more to it than the short news article that appears on your computer screen. A single attack can close down an organization for good. It can happen in a few minutes. The consequences can have long-lasting implications. This is particularly true for the healthcare industry. Sure, the reputation of the healthcare center gets flushed down the toilet, but there’s a real impact on the patients. These incidences are not merely expensive inconveniences. Cyberattacks disrupt the entire eco-system of the institution. It puts people’s health, safety, and lives at risk.
Often, the healthcare center gets victimized twice. First, there is a ransomware attack. Second, the healthcare system becomes the target of a class-action lawsuit from a community of angry patients and their families.
Consider the New Scientist article about the 2016 attack on the Hollywood Presbyterian Medical Center. It was a Friday afternoon when malware infected the institution’s computers. The attack seized patient data and prevented the staff from further communication. The date was February 5. The same day computer hackers tried to steal 1 billion from the Federal Reserve Bank of New York. It all happened in a matter of seconds. Medical records had to be kept by using pen and paper. They used old fax machines. Patients were sent to other hospitals, operations canceled. The medical center was back on-line after a 2-week standoff. But not until after paying a ransom of 50 bitcoins (the equivalent of $17,000 at the time).
Malware can infect the entire computer system. Someone clicks on a link to a booby-trapped website or opens an attachment in a phishing email. Immediately, malicious malware gets to work encrypting the files. Some malware can immobilize entire IT infrastructures. If data is backed up and you get an attack of malware or something, you can always go back to yesterday’s data. Healthcare targets often have their backs against the wall during a cyberattack. Because they don’t have their files backed up.
In most cases, a ransom is paid. The hackers deliver the decryption key. And medical centers are able to decrypt the seized files. The Hollywood Presbyterian Medical Center was straight forward. They handled the crisis as best they could. See the above comments about using pen and paper. They negotiated a lower ransom and their data was returned. More recent victims haven’t been so lucky.
Medical malpractice has been part of the healthcare landscape since the 1960s. Now there is an additional risk of medical malpractice during ransomware attacks. If the ransomware attack affects the patient in any way, there will be repercussions.
Take the cyberattack on LifeBridge Health systems. Seven months after the incident, the Baltimore-based health system faced another problem. A class-action lawsuit was filed against them. The lawsuit claimed negligence on the part of the medical center. It also accused LifeBridge of waiting 2 months before informing the affected patients.
LifeBridge had to respond to the allegations. The organization contracted a national computer forensic team to investigate the attack. Patients were offered credit monitoring and identity protection services.
Clearly there are basic mistakes made that contribute to breaches. Mistakes can allow the infiltration to happen in the first place. Resolving a ransomware situation is stressful. People can do things that t make the situation worse.
Ransomware Recovery Mistakes
Health Management Concepts in Florida was attacked with ransomware. The official report was made on August 23. HMC learned about the incident on July 16. The ransom was paid. The attackers delivered the decryption keys. The hospital IT administration immediately took steps to decrypt the data. To their horror, the HMC staff realized they made the problem worse. They accidentally sent files containing patient information to the hackers.
UnityPoint Healthcare had the misfortune of suffering two security breaches in 2018. The second attack compromised the data of 1.4 million patients. At least, that’s the official tally. A series of phishing emails had been made to look like they were from a top executive within the company. An employee fell for the scam. It gave hackers the opportunity needed to penetrate the entire system.
Recognizing the Risk is the First Step Toward Protecting Patient Information
The onslaught of cyberattacks against healthcare is relentless. There are inspiring stories of medical centers fighting back. They’re defending themselves against nefarious cyberattacks. They’re saving lots of money. Increasing their efficiency. And better protecting their patients.
One such story belongs to the Interfaith Medical Center of Brooklyn, New York. It’s a 287-bed non-profit teaching hospital that treats more than 250,000 patients every year. They were able to avoid malware outbreaks. Their proactive approach enabled them to detect and respond immediately to advancing threats. Their strategy involved an assessment of threats and implementation of policies and procedures.
Incident response time is critical. Measure it with a stopwatch, not a calendar. All the segmentation in the world isn’t any good if the door won’t be closed in time. Their program was successful. It identified malware infections long before they had a chance to become a problem. They were even able to identify a malware-infected medical device after it came back from a repair vendor.
The Interfaith Medical Center anticipated a ransomware attack and took steps to prepare for it. In a September 3, 2019, Healthcare IT News article, we learn how Christopher Frenz – the VP of Information Security protected the non-profit’s IT system. “One of the ways I approached this was simulating a mass malware outbreak within the hospital, using a custom-developed script and the EICAR test string. Running the script attempted to copy and execute the EICAR test string on each PC within the organization to simulate the lateral movement of a threat within the hospital. Exercises like these are great because they help an organization identify what security controls are effective, which controls are ineffective or in need of improvement, how well or not the staff response to an incident will be, and if there are any deficiencies in the organization’s incident response plan,” he explained.
“We have successfully avoided malware outbreaks and are actively detecting and responding to advanced threats, long before they impact privacy or operations.”
Christopher Frenz, Interfaith Medical Center
The article ends with some excellent advice from Frenz. “Healthcare needs to begin to focus on more than just compliance alone, as it is far too easy to achieve a state where an organization meets compliance requirements but is still woefully insecure. Organizations need to put their security to the test. Pick solutions that can empirically be shown to improve their security posture.”
There are basic steps healthcare organizations can take to minimize their risk of ransomware attacks. Learn as much as you can about ransomware attacks. Consider all possible points of entry. Where is your IT system vulnerable? Medical software used for patient data has numerous vulnerabilities. Healthcare cybersecurity statistics by Kaspersky Security Bulletin found easy access to 1500 devices used by healthcare professionals to process patient images such as X-rays.
Improving the cybersecurity of a healthcare organization, whether large or small, has two parts. One part has to do with the design and implementation of the IT system entire (i.e. whether-or-not there’s back-up and disaster recovery features in place). The other part has to do with your human capital.
Malware can be introduced from any number of locations along with your network. Often the attack is designed with multiple points of entry. It could be phishing emails where an employee is tricked into clicking on something that is booby-trapped. It could be a bogus email from what looks like an upper-level executive but is actually from a hacker.
ON-GOING EDUCATION AND REFRESHER COURSES
Human beings make mistakes. This is especially true in the busy high-stress environments of hospitals. Or in situations where doctors, nurses, and orderlies work extended 10 to 12-hour shifts. People have to be educated about the risks of cyberattacks and what forms such attacks might take. It’s easy for a rushed employee, at the tail-end of their shift, to unknowingly click a file, download an unauthorized software, or be tricked into loading a contaminated thumb drive. There are basic security processes that should be implemented. These are things like creating strong passwords and changing them at regular intervals. Duel factor protection is also a good idea.
Cybercrooks study the vulnerability of humans. Hackers continually figure out ways to exploit human traits and their gullibility. Through social engineering tactics, cyber attackers design pathways to plant ransomware or get a foothold in an information system.
SECURITY IS NOT ABOUT QUICK FIXES
Take the time to ensure the staff and vendors are mindful of what they’re doing. Review policies and procedures regarding handling patient data. Review how to avoid security incidences. As we have seen, any data breach has legal ramifications. There needs to be a systematic response that is carefully considered and forged into a process. Additionally, partner with the right vendor who can design and provide a holistic security solution that will protect your patients.
Ransomware is a dangerous and growing threat. Find out how security-minded executives establish best-in-class protection.
2019 has proven to be an alarming year for cybersecurity professionals and cyber-attacks show no signs of slowing down in 2020.
One cybersecurity firm characterized the rapidly growing pace of cyberthreats across all industries as an “unprecedented and unrelenting barrage”. Within 24 hours of its report, the City of New Orleans and several other municipal organizations fell victim to ransomware attacks.
But it’s not just large-scale enterprises and public institutions that are under attack. Small and mid-sized businesses offer low-hanging fruit for opportunistic cyber criminals, who often use automation to widen their area of attack.
Small businesses, large enterprises, and public institutions alike have all struggled to respond decisively to the ransomware threat. Until recently, executives had few options – and fewer defenses – in their fight against cybercrime. Now, Desktop as a Service (DaaS) solutions offer comprehensive, scalable ransomware protection services to organizations of all sizes.
What Exactly is Ransomware and How Does It Work?
The typical ransomware attack begins with the stealthy takeover of the victim’s computer. This may be accomplished through phishing, social engineering, or a sophisticated zero-day exploit – the goal is to have access to the network while remaining undetected.
Upon compromising the network, the cybercriminal can begin slowly encrypting important files. Most ransomware applications do this automatically, using a variety of different methods to evade detection. The process may take days, weeks, or months to complete.
Once the ransomware encryption algorithm reaches critical mass, it then locks users out of the network, displaying a ransom note demanding payment for a decryption key. Sometimes the demand is small – on the order of $500 to $1000 – and sometimes the demand reaches into six-figure sums.
Small sums make paying the ransom a tempting option, but a dangerous one. There is no guarantee that the cyber attacker will relinquish control of the network. Instead, executives who pay up reinforce the cybercriminal profit cycle. It is only a matter of time before the ransomware attacker strikes again.
Famous examples of ransomware variants include WannaCry, which spread to over 230,000 computers across 150 countries in 2017, and Petya. The WannaCry crisis targeted healthcare clinics and hospitals, causing untold damage and highlighted the risk that outdated IT systems represent in these industries.
Petya was unique because it did not encrypt specific files. Instead, it encrypted the local hard drive’s Master File Table, rendering the entire device unusable. There are dozens of other variants out there, and each one uses a unique strategy to take advantage of victims. NotPetya developed on Petya’s attack method, using the same vulnerability previously exploited by WannaCry.
Who Is At Risk of Ransomware Attacks?
Everyone. Although high-profile targets like hospitals and municipal institutions make headlines, thousands of business owners are defrauded every day. On average, one business falls victim to ransomware every 14 seconds.
Small and mid-sized businesses are especially vulnerable because they typically do not have access to the kind of comprehensive security resources that large enterprises can afford. Small businesses that do not rely on reputable third-party managed service providers make especially easy targets.
Cybercriminals have shown that they are willing to target hospitals and public institutions without shame. The greater the need for functioning IT systems is, the more likely the cybercriminals are to get paid. This is how the cybercrime profit cycle perpetuates itself.
What Can Small and Mid-sized Businesses Do About Ransomware?
Preparation is key to successfully resisting a ransomware attack. Organizations that cannot afford to develop, implement, and deploy state-of-the-art security resources need to contract a reputable third-party vendor for the purpose.
Even enterprise-level organizations with tens of thousands of employees often find themselves opting for a managed solution instead of an in-house one. The cybersecurity industry is experiencing a widening talent shortage, making it difficult even for deep-pocketed businesses to hold on to their best security officers.
IronOrbit achieves best-in-class ransomware protection through a unique approach to cloud desktop hosting. There are three key processes that must work together flawlessly to guarantee ransomware resilience:
The best way to prevent a ransomware attack from taking place is preventing the initial malware deployment. Firewalls, email filters, content filters, and constant patch management all play a critical role in keeping malicious code out of DaaS systems.
Maintaining up-to-date software is more important than most executives and employees realize. Since NotPetya used the same attack vector as WannaCry, its victims entirely consisted of individuals and businesses who neglected to install security patches after the WannaCry crisis.
There is no way to guarantee 100% prevention. However, business owners and their IT teams can circumvent the damage ransomware causes with consistent backup and restoration tools. IronOrbit’s disaster recovery features can wind back the clock, reloading your entire suite of business systems to the state they were in just before the attack occurred.
Ransomware recovery cannot guarantee business continuity on its own without best-in-class remediation tools. Without the ability to trace the attack to its source in a fully logged environment, there is no way to tell whether the attack has been truly averted or not. IronOrbit uses state-of-the-art digital investigation tools to track ransomware attacks to their source and mitigate them.
Schedule a Consultation with an IronOrbit Security Expert
IronOrbit has helped numerous businesses capitalize on the efficiency and peace of mind that secure DaaS solutions offer. Protect your business from the threat of ransomware with the help of our expertise and knowledge.
The world we live in is changing at an amazing pace.
The innovation enabled by the rapid growth and worldwide adoption of the internet has been absolutely incredible. Surely that’s no surprise to anyone connected today, but let’s take a moment to put it into perspective the jaw-dropping scope of the number of connected devices.
One of the trendiest buzzwords to hit the market today is the IoT (Internet of things). The IoT is exactly what it sounds like; a collection of devices that connect to the internet.
This could be anything from your Nest thermostat, that Tesla roadster parked in your garage, or the far more common smartphone sitting in your back pocket. Sounds like that could be a lot of connected ‘things’, right? Well, as of 2018, the IoT was a $151B market with 7B connected devices and is expected to reach 10B by 2020.
What exactly does this have to do with MobileIron or Intune? Well, as the number of connected devices skyrockets, organizations are scrambling to protect their data that could invariably find their way to those devices.
Traditionally, a business would view their datacenter as the security boundary. But as we dive into a more cloud-first, a mobile-first world that simply is no longer true. We need to ensure that data is protected, regardless of which ‘thing’ it ends up on. In order to accomplish that, businesses are transitioning to unified endpoint management (UEM) solutions like Intune and MobileIron.
Let’s dive into this Microsoft Intune review.
In the past, companies would use device management solutions to enforce strict control over devices before granting them access. Sounds good, right? Well, what about situations where end-users bring their own devices or try to access your data from a device not owned by your company?
Sure, you could choose to block those devices but that means you’ll need to provide those users with devices to work with remotely. Even in that scenario, most individuals would prefer not to carry a personal device and a work device.
Modern management solutions take that struggle into account and allow application-level control of your data, regardless of what devices it ends up on. This is where solutions like Intune or MobileIron shine. They allow you to ensure that data you’re putting on a specific device stays on that device.
You’re able to enforce data encryption. You’re able to ensure the data can’t be moved to an unmanaged location. As an administrator, you are able to effectively remove your data from that device when necessary.
Comparing Intune versus MobileIron in Managing Your Data
Now let’s take a minute to compare both Intune and MobileIron when it comes to managing your data on end-user owned devices (BYOD). Both solutions offer great functionality here; they grant you the ability to ensure that your data doesn’t leave the application that it started in. No copy/paste, no save to the device, no save to unsupported cloud locations, enforce encryption, etc.
The problem is that both solutions require you to use their client (Outlook, OneDrive, Apps, Docs, or Mail+). Things like the default applications in iOS and Android are out of the question due to a lack of SDK (Software Development Kit) support.
MobileIron struggles here because typically, in order for you to actually get the required app, you need to enroll the device and enforce a wider area of control. More control than some individuals are comfortable granting to their employer over their personal devices.
Microsoft’s Intune allows for application management (MAM) without enrollment. Simply use the Outlook app (or OneDrive, SharePoint, Box, Dropbox, etc.) and sign-in from any device as you normally would to access your data. At that point, policies created by the administrator are enforced on the application itself and not on the device. Again, the goal here is to prevent someone from taking sensitive information and copying directly to their iOS mail app and forwarding it outside of your scope of influence.
Consider that the Enterprise Mobility and Security license required for Intune also includes Azure AD Premium for auditing and reporting in Azure as well as Conditional Access to restrict access or require multifactor and it’s a pretty compelling argument for Intune.
Management of the device as a whole is a little easier to accomplish and has been an industry mainstay for a decade. Both Intune and MobileIron are excellent options if you’re going to require all devices to be enrolled and managed centrally.
In fact, MobileIron was selected as the industry leader by Gartner in 2017. The problem of needing specific applications on the device to access the data is easily overcome by simply pushing the required application to the device in question.
Of course there’s more to working remotely than just using applications; you’re also able to push configuration like WiFi profiles to allow them to automatically connect to the office WiFi or deploying certificates to the device to allow a more secure, seamless sign in experience when they open up their work apps.
Requiring enrollment is the big gotcha here. It’s difficult to require an end-user to enroll their device; after all, it is theirs. And what happens when one of those 10B other connected devices is able to be integrated in the near future (here’s looking at you Alexa, Cortona, and Ford)?
While MobileIron may be a great option for mobile device management today, there are some glaring limitations that they need to address. Today, MobileIron is truly only an MDM/MAM solution with Android and iOS in mind. It struggles with cloud integration for the directory which means that the future is a little murky when there may no longer be an on-premises ‘identity’ for your users.
It also doesn’t have a way to integrate Windows devices (or platforms that may operate as ‘dumb’ devices, like Alexa); which will be a key differentiator in the future as more and more of that IoT make their way into the business landscape.
Intune is already built with Azure Active Directory as it’s backbone to provide conditional access, multifactor authentication, and all the analytics and telemetry you need to find out who signed in, how many times, and from where.
Microsoft has positioned Intune as the clear replacement of System Center Configuration Manager (SCCM) for modern endpoint management, all while allowing for device co-management with SCCM still in the picture to handle legacy endpoints.
Intune Takes the Lead
Not only has Microsoft built a solution in Intune that disrupted the enterprise mobility market, they immediately doubled down by partnering with other major players to ensure that as industry evolves, they’ll not be left out.
Now all this isn’t to say that MobileIron (or any of the other current solutions) isn’t an excellent answer to the problem of securing your data on mobile devices. MobileIron scales incredibly well with numerous deployments exceeding 100,000k devices and there’s an on-premises offering for organizations that are entirely cloud adverse.
But the question really is; why would I choose MobileIron over Intune and considering the way that Microsoft has positioned themselves to take advantage of connected devices in the future with Azure, MobileIron has a tough time standing up.
If youÛªve ever submitted any kind of private or sensitive information to a websiteÛÓincluding usernames, passwords, credit card numbers, social security numbers, addresses, and phone numbersÛÓthis security alert applies to you.
This week, security researchers discovered a serious vulnerability in the OpenSSL encryption software. Two-thirds of all websites use OpenSSL, as do many email, instant messaging, and virtual private network (VPN) services.
These services use OpenSSL to establish an encrypted connection between them and the user (or between two or more users) to prevent the data transferred between the two from being intercepted.
Usually, not all of the pages on a website that uses OpenSSL are encrypted. Just the pages that require a secure connection. Like those where the users input their usernames and passwords or submit their credit card information.
The Heartbleed Bug Explained
The vulnerability in question has been nicknamed the ÛÏHeartbleed Bug,Û since it is located in the code for the ÛÏheartbeat extension,Û a part of OpenSSL that controls how long a secure connection can remain open.
A hacker could use this vulnerability to gain access to OpenSSLÛªs encryption keys. Which could then be used to intercept and decode all data sent to and from the service.åÊ As well as steal access to any existing info stored in the serviceÛªs databases.
Therefore, not only could a hacker with the OpenSSL encryption keys of a website intercept any data (usernames, passwords, credit card info, etc.) you send to the site after itÛªs been hacked. The data that you submitted to the site in the years before the infiltration occurred is also at risk.
The first version of OpenSSL to include the ÛÏHeartbleed BugÛ was released in December 2011. In addition, exploits of this vulnerability donÛªt leave any trace. So, itÛªs impossible to tell if a hacker has ever used the vulnerability to intercept or steal data from a certain website.
How to Protect Yourself From the HeartBleed Bug
The ÛÏHeartbleed BugÛ in no way affects any of IronOrbitÛªs hosted solutions, our website, or any of the systems that we use to process and store your payment information.
In general, though, here is what you need to do in order to protect yourself from this vulnerability:
Make sure that a site is secure before you send any of your sensitive data to it. You can use this app to check if a site has a secure version of OpenSSL.
Make a list of all of the websites that youÛªve ever sent sensitive data to. Change your passwords for these websites only after youÛªve confirmed that they are running a secure version of OpenSSL. Or alternatively, that they never used the insecure version of OpenSSL.
Find out if your companyÛªs website used or is using OpenSSL versions 1.01 through 1.01f. If it is, update OpenSSL to version 1.01g immediately. Then, replace your encryption keys, and ask any users that your site has to reset their passwords.
To ask for assistance in responding to the ÛÏHeartbleed BugÛ or for more information, IronOrbit users should contact IronOrbit 24x7x365 technical support at [email protected] or (888) 753-5064.