Question... who here uses your personal device for business (and vice versa).
A decade ago that would have been laughable.
Consumer smartphones weren’t nearly secure enough for employees’ everyday use while simultaneously handling critical business data.
But things have changed since then. The way we work (and the way we handle our data and security), has changed drastically.
“The evolution over the last decade has gone from taking your Windows laptop experience and boiling it down to a really small device, to almost the flip - people want the mobile device experience for that work environment.”
That’s Andrew Nichols, head of solutions architecture at Samsung and one of my latest guests on .
Andrew was kind enough to spend more than an hour with me in September, talking through the current state of business network security, the challenges that a remote workforce provides, and what he sees on the horizon.
If you met Andrew on the street, you might not immediately think his career revolves around providing secure devices for some of the biggest companies in the world. He fully admits that part of what has made him so successful is that he doesn’t come from a traditional engineering or computer science background.
A theatre major from the pacific northwest focused on set design and directing, he kind of stumbled into the world of IT while trying to find a job.
The rest, they say, is history - although Andrew’s history takes him on a direct line through a job with Boeing as a mobile security architect and into Samsung, one of the leading smartphone providers on the planet.
For the past eight years, he has been working closely with Samsung Knox - something he is passionate about - the hardware-focused security foundation that is built directly into the company’s devices.
Launched in 2013, Knox has secured more than a billion devices to this point and is a class-leading solution used by Fortune 500 companies and government agencies all over the world.
Getting a look behind the curtain with Andrew was a bit overwhelming at times, but his knack for explaining complicated technology in easy-to-understand terms made it rewarding.
Our battle with COVID-19 is far from over, but businesses and industries need to look forward to what our next steps will be as a global workforce. When I asked Andrew what he has witnessed over the past two years in terms of business vulnerability, he explained how so many companies had treated security:
“There was this huge shift to try to get business to continue as normal as possible. And the security aspect of it just needed to catch up.”
According to a Microsoft study, 73% of employees want remote work to remain moving forward. The pandemic opened pandora’s box when it comes to this kind of flexible work-from-home scheduling, and the industry will likely never be the same.
But while companies rushed to get everyone set up - taking risks and opening vulnerabilities in the process - security solutions had to keep pace. There needed to be a way to quickly get people working from mobile devices, but there was never going to be the option of keeping business and personal separate.
Enter Andrew and his team at Samsung.
It might seem like a daunting task, to protect a company’s data and infrastructure even while connecting it to hundreds if not thousands of devices spread out over the globe.
But when I asked for a breakdown of how he thinks about it, his explanation didn’t seem so complicated.
Step 1: Securing the device
The first step is securing the device itself. This can be done in a few ways, but the most important is to focus on what data is stored locally on the device.
If an employee’s phone is lost or stolen, you don’t want sensitive company information falling into the wrong hands. The same goes for if an employee leaves the company - you want to be able to remotely wipe any company data from their personal device.
There are several ways to do this, but one of the most effective is through a Mobile Device Management (MDM) solution. This way, you can set up rules and restrictions on what data can be stored locally, as well as remotely wipe company data if necessary.
This is also where Andrew's Knox expertise comes into play, as an out-of-the-box hardware solution built into the device itself. It is physically separating home and work information into containers that can't infect each other, no matter what your employee downloads or visits.
Side-loaded applications, which for so long have been the bane of network security professionals, can be controlled and even prevented with an MDM solution.
Step 2: Securing the credentials
More than 70% of breaches come by way of compromised credentials, according to a study from Positive Technologies, which focused on the financial, energy, government, and industrial sectors.
All of us (myself included) have re-used a password when we really shouldn’t have. It’s an easy thing to do, but it’s also one of the most common ways that bad actors gain access to company data.
That’s why two-factor authentication (2FA) is so important. By requiring not just a password but also something that only the user has - like a fingerprint or code sent to their phone - you can be sure that only authorized people are accessing company data.
Andrew had some interesting insights on 2FA, suggesting that using SMS for it is probably the worst example of a good idea. Without getting too technical, he suggested that the market is already starting to shift away from SMS, and toward other ways of authentication.
The point is that no matter how secure the device is, credential protection is just as important.
Step 3: Securing the network
You know when you are trying to connect to your home wifi network and there are dozens of other networks available from your neighbors or businesses nearby?
This presents an issue for companies, as it’s possible for an employee to connect to the wrong network and open up their device - and by extension your company - to attack.
The best way to combat this is through a Virtual Private Network (VPN). This creates a secure connection between an employee’s device and your company network, no matter where they are in the world.
It’s important to have a robust VPN solution in place, as well as clear policies for employees on when and how to use it.
Andrew sees the VPN as an important piece of the security puzzle, but not the only one. He suggests that a multi-layered approach is best, with different solutions working together to create a more secure environment.
These steps won’t be new information for the organizations that Andrew works with on daily basis but as he tells it, the work-from-home model has disproportionately added risk to growing businesses.
“Most of the customers that I work with are already starting to practice these things. It’s those small to medium businesses which are exposed to risk but don’t have the support organizations to tell them that they have been compromised.
That’s the scary part - as they get increasingly connected, they may not even be aware that someone is already in their email service. They don’t know that someone has already taken a device and put information onto it because the corporate credential was the same thing someone was using for LinkedIn.”
Scary part indeed…let me just go change something.
Whenever I get to talk to someone that is at the forefront of a field like data security, I try to probe them for what they think is coming next. What will be the next scary thing on the horizon; what keeps Andrew up at night? He pointed to two things and did his best to explain to me why he thinks they are vulnerable.
Firmware attacks
“You know, as the industry has been patching security vulnerabilities, and has been learning from academia, the thing that that's starting to scare me is that the attacks are getting much more sophisticated and are happening at the chip level.”
If that is a bit over your head, you’re not alone. He went on to explain it to me, noting how it’s not just the email worms that you and I might think of when we picture data hacks. It’s Bluetooth attacks that rewrite the chip firmware that isn’t controlled by the OS.
Protocol attacks
“Don’t be the lowest hanging fruit.”
Andrew also pointed out that companies are also too hesitant to install or implement updates, making it easier for bad actors to target them. His point was to make sure you’re always on top of those things so that you aren’t the target in the first place. I don’t have to outrun the bear, I just have to outrun you, as the saying goes.
Scary? It is for him too, so he is on a mission to educate consumers and businesses about selecting the correct device, ones that have systems like Knox to help guard against the next generation of attacks.
This is just brushing the surface of what I talked about with Andrew. We also touched on things like:
How device manufacturers can be confident in their product Playing security whack-a-moleSecuring a supply chain And so much more!
If you want to hear the entire talk, be sure to head on over to the Success Story YouTube channel, where you can also check out hundreds of other interviews with thought leaders and entrepreneurs.
Until next time - keep that device secure!
Also Published here