Question

1. What additional security risks do mobile devices pose vs. traditional PCs and laptops? What means (both administrative and technical) can IT departments use to mitigate these risks? What are the trade-offs for users/employees in convenience vs. security? Answer briefly in your own words.

Answer 1

The additional security risks do mobile devices pose compared to traditional PCs and laptops are:
* Mobile devices are more vulnerable to being stolen (physical robbery).
* They are more vulnerable to be affected by wireless or Wi-Fi networks (public networks) that are not at all secure or are less secure, i.e., unsecured Wi-Fi.
* Most of the Android OS based mobile devices run on the open-source Android software with less support, hence they are prone to attacks when compared to most of the Apple mobile devices that run on iOS OS on them that are more secure due to the OS' proprietorship and as it has been commercialized, hence the support will also be better.
* There are many other generic and specific mobile security threats.
* There is a data leakage problem.
* The devices are attacked through network spoofing.
* The devices come under the phishing attacks influence.
* They are attacked by many spyware.
* The devices, the software running on them, and the applications used by the users on them would have security with broken cryptography.
* The devices come across many improper session handling issues.
* In general, these mobile devices lack physical security.
* These devices are used for multiple users logging into them.
* There are issues users come across through mobile browsing.
* There are application isolation issues.
* Users do not carry out system updates on the device. They forget to do so or are simply lazy to do so, or even think it is not important.
* There are mobile device coding issues with many mobile devices as they come in varied models and OS.
* Mobile devices see many Bluetooth attacks.
* Users' lack of awareness about the security for mobile devices.
* Cybercriminals could impersonate users or employees to loot and hack their accounts.
* They can implement face and voice biometrics as credentials for users to authenticate and log in to their systems and accounts.
* Authentication through an SMS code sent to the employees' mobile device can be a stronger security process than the password mechanism.

The administrative and technical means IT departments can use to mitigate these risks are:
* IT departments can use Mobile Device Management (MDM) systems, services, software, and applications to better administer, monitor, manage, and control the mobile devices of their organization's users or employees.
* There are wipe clean feature that can be enabled in all mobile devices in case of theft so all the confidential and critical data of the organization can be deleted without any thief, attacker, or hacker getting hold of the data and misuse it.
* IT departments should mandate the company's users and employees to use cloud services, save, and store all their and company's data on the cloud, so the data is always available and accessible even if the mobile devices are damaged, lost, or stolen.
* IT departments could force the users and employees to update all the mobile device OS software, other software, and applications with any and all feature updates, patches, and critical security updates.
* IT departments should let users download, install, run, and use only relevant and secure applications and software on their mobile devices, the applications, and software available only on the trusted, strongly secured, and legitimate app stores, software download websites and centers online.
* There are many other generic and specific measures, steps, and solutions that IT departments can implement and deploy so users have a secured experience of using their mobile devices.
* IT departments should implement stronger authentication beyond passwords using Multi-Factor Authentication (MFA).

The trade-offs for users or employees on convenience compared to security are:
* In general, the more the security set up on mobile devices, the less convenient, comfortable, available, and accessible the mobile devices would be for the users or employees.
* The more the convenience the less the secure the mobile devices would be making them vulnerable for attacks in every direction.
* Ideally, users should concentrate more on security than convenience. Hence, they should set up an optimum solution with equal levels of security and convenience on their mobile devices.
* Security should be at every level and step of the usage of the mobile devices.
* Convenience is good, but it comes at a cost of security. Hence, every step of convenience should be backed by a step of security. After all, the very purpose of the mobile device and its usage is to provide convenience, availability, and accessibility.
* The users when they use MFA bringing in security, but they lose convenience as it consumes time, effort with an additional step of the security process for them to go through.
* When the users use Virtual Private Network (VPN) on their mobile device, it does give them security, however, users lose convenience in terms of performance and time it takes to access services, applications, and data on the Internet.
* Passcode key fobs, complex passwords, passphrases, and challenge security questions provide security, however, on the other hand, they also block legitimate users from accessing their own accounts.
* Users save the passwords, passphrases, save and store their device details, their demographics, personal details, etc on their mobile devices. However, when they access their accounts, data, and services from a different place and mobile or other devices, all their configured security settings would not work and are required to go through all the steps which are difficult and most of them do not remember many of their security and other details. Hence, they get locked out of their own accounts.