Enterprise mobility management and mobile security best practices are hot topics these days in the enterprise, but they are also highly relevant to NGOs and other nonprofit organizations.
To discuss mobile security management for nonprofits, associations and beyond, Samsung Business Insights sat down with Mickey Panayiotakis, managing partner at Infamia.
Q: Having worked with both enterprises and nonprofit organizations, what are some of the primary differences when it comes to mobile security management?
Panayiotakis: I think the primary difference is that a lot of nonprofits, associations and NGOs tend to be less security-forward than enterprises. Enterprises understand security because they have trade secrets and so on. Nonprofits are more open by default.
When we’re looking at mobile security with nonprofits, it’s not so much, “How do we protect our data?” They don’t really see that as a primary concern. What they do see as a concern is, “How do we keep from getting hacked? How do we protect our staff out in the field?” A lot of times the associations and NGOs we work with have staff overseas working in developing countries where the regimes aren’t as open to free speech as we are. So privacy, in many ways, is more important than security to some nonprofits.
Q: What are some of the ways you advise nonprofits to maintain privacy so they can protect their employees in the field?
Panayiotakis: The biggest things I can think of for nonprofits are pretty simple: encryption and virtual private networks (VPNs). Unfortunately, they’re not widely used. A VPN is important on two fronts: one is being able to communicate securely and anonymously when you’re in hostile environments, but also, a VPN lets you connect to a resource without opening the resource up to all other addresses.
Q: Encryption and VPN do seem to be pretty straightforward mobile security best practices. What’s holding back NGOs and associations? Why haven’t they adopted these measures?
Panayiotakis: I think a lot of the security that we’re looking at in nonprofits happens outside the firewall. In the nonprofit world, we see security ending at the office perimeter. Thus, the primary security flaw I see with associations is that they may have some sort of office VPN, but it’s only configured to access the office. It doesn’t really route other traffic through it.
Q: In terms of mobile security, what are the top five features you think an enterprise mobility management solution should have?
Panayiotakis: I like to start any security project by thinking about the data and people we have to secure, and mobile is no different. To that end, I would say the top five mobile security best practices I would include are:
- User education: we have to work at minimizing human error through training.
- Ease of use and implementation: the most secure solution is worthless if it’s not implemented.
- Strong encryption, including data (at rest), communications and geolocation.
- The ability to delete or encrypt data, or otherwise secure a device, remotely.
- Intrusion (malware and jailbreak) detection.
Q: What are the biggest mobile app security risks associations should consider when developing or implementing a mobile app?
Panayiotakis: The most common risk I see is organizations do not take a full lifecycle view of the product. In the world of nonprofits, I see a lot of excitement — and often grants available — for creating a new app. Unfortunately, this is not always coupled with an ongoing maintenance component.
There is a lot of excitement to launch an app, but then a year later, it comes down to how much money an organization wants to spend maintaining it as opposed to some other exciting project that pops up. To that end, I think it’s important to put in the resources and get buy-in from all levels of the organization about what it means to maintain the app month to month, year to year, including feature updates and security updates and pushing those out to the end users.
Q: What is the best way for associations to keep up-to-date with the latest known mobile security vulnerabilities?
Panayiotakis: If you don’t have an in-house security team, the best way is to outsource to a team that can look at the full security picture for the organization. There are too many new issues to keep up with and the risks are too high to ignore. US-CERT does a good job of publishing specific threats, but alerts are issued after the vulnerabilities are already known.
Q: Are there any other mobile security best practices you think it’s important for associations or enterprises to think about?
Panayiotakis: I want to reinforce the point that technology is always getting better, but, especially because we are technology professionals, we tend to look at all problems as technology problems. A lot of times the risk of failing is not so much with the technology as it is in the lack of understanding, the lack of training, the lack of involving the actual people across the organization.
We like to live in this rose garden of our little technology world and say, “You can do this. You cannot do that.” And a lot of times, especially with IT security, teams tend to be less willing to discuss, accept and train the end users. I think that’s an important component that’s often missing.
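The "office-only VPN" flaw described in the interview (a tunnel whose routes cover the office subnet but nothing else, so a field worker's other traffic still leaves the phone in the clear) is easy to spot in a client profile. The following checker is an added example written for this page; it is not code from Samsung, Infamia or the interviewee. It assumes WireGuard-style profiles, where the routed destinations are the `AllowedIPs` entries under each `[Peer]`; the three profiles embedded below are constructed for illustration, and the key placeholders and `vpn.example.org` endpoint are not real.

```python
import ipaddress

# Constructed sample profiles (not from the interview). Key material is
# replaced by placeholders; the endpoint hostname is hypothetical.

# The flaw from the interview: only the office network is routed through
# the tunnel, so web, mail and messaging traffic bypasses the VPN.
OFFICE_ONLY_CONF = """
[Interface]
PrivateKey = (client private key placeholder)
Address = 10.8.0.2/32

[Peer]
PublicKey = (server public key placeholder)
Endpoint = vpn.example.org:51820
AllowedIPs = 10.0.0.0/16
"""

# The corrected profile: every IPv4 and IPv6 destination goes through the
# tunnel, and DNS is pointed at a resolver reachable only inside it.
FULL_TUNNEL_CONF = """
[Interface]
PrivateKey = (client private key placeholder)
Address = 10.8.0.2/32
DNS = 10.8.0.1

[Peer]
PublicKey = (server public key placeholder)
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

# Some clients route "everything" as two /1 halves so the tunnel routes
# win over the LAN default route. IPv4 is fully covered here, but IPv6
# is missing entirely, which still leaks traffic on dual-stack networks.
TWO_HALVES_CONF = """
[Interface]
PrivateKey = (client private key placeholder)
Address = 10.8.0.2/32

[Peer]
PublicKey = (server public key placeholder)
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
"""


def allowed_ips(conf: str) -> list:
    """Collect every network listed under AllowedIPs, across all [Peer] blocks."""
    nets = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() != "allowedips":
            continue
        for item in value.split(","):
            item = item.strip()
            if item:
                nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def covers_everything(nets: list, version: int) -> bool:
    """True when the networks of one IP version cover the whole address space."""
    same = [n for n in nets if n.version == version]
    if not same:
        return False
    # collapse_addresses merges adjacent/overlapping prefixes, so the two
    # /1 halves become a single /0 and are counted correctly.
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
    return total == 2 ** (32 if version == 4 else 128)


def tunnel_mode(conf: str) -> dict:
    """Classify a profile as 'full', 'partial' (one family leaks) or 'split'."""
    nets = allowed_ips(conf)
    v4_full = covers_everything(nets, 4)
    v6_full = covers_everything(nets, 6)
    if v4_full and v6_full:
        mode = "full"
    elif v4_full or v6_full:
        mode = "partial"
    else:
        mode = "split"
    return {"mode": mode, "ipv4_full": v4_full, "ipv6_full": v6_full,
            "allowed": [str(n) for n in nets]}


if __name__ == "__main__":
    for name, conf in (("office-only", OFFICE_ONLY_CONF),
                       ("full-tunnel", FULL_TUNNEL_CONF),
                       ("two-halves", TWO_HALVES_CONF)):
        print(name, tunnel_mode(conf))
```

A profile that reports `split` is the office-only case from the interview: fine for reaching internal systems, useless for protecting a field worker's other traffic on a hostile network. `partial` is the less obvious failure, where IPv4 is tunnelled but IPv6 is not, so a dual-stack hotspot still sees the phone's traffic; the fix in both cases is `AllowedIPs = 0.0.0.0/0, ::/0` plus a DNS server that is only reachable through the tunnel.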
For more insights on mobile security management from Mickey Panayiotakis as well as Carhartt CIO John Hills, tune into Samsung’s Business Disrupted podcast, Episode 3: Mobile Security and the Enterprise.