Dara Security

Email On Your Phone – An Open Door To Your Data

August 12, 2014

In today's age, not having remote access to company email would be crazy. How would one stay abreast immediately about the latest events in the office? How would one access that critical spreadsheet with company financial data emailed by the accounting department or that customer leads list emailed by the head of sales? In many organizations, email is the default method for file sharing. It is also used by many to archive critical communications, notes, and any files that may be attached to them.

The Growth Of Mobile Email

At one time, remote access to these emails required the use of a laptop, but now we can access email directly from our smartphones or tablets. No application icons to double click, no user IDs and passwords to type in time after time. Once the phone or tablet's email application is configured, the email access is just there. It's perfect, right?

For companies using the default connectivity options supported by Microsoft Exchange or cloud-based offerings like Google, once a user's device has been configured to access the mail offering, it will always have access until that user is removed from the mail server. This is because access is restricted to a user ID and password and not restricted to a device. If a user has multiple devices (iPhone, tablet, etc.), each device can be used to receive mobile email and retrieve mail folders. Actually, any device that has the user's user ID and password can be used. Herein lies the problem.

The Threat Behind Mobile Email

If a user succumbs to a phishing attack and unwittingly provides their email password, an attacker can take that user's user ID and password, enter these credentials into any phone or tablet and retrieve any and all stored emails and their associated attachments. It's that easy.

So why is it that a company would allow this type of easy access? The answer boils down to ownership of the device and cost versus perceived risk.

Business Mobile Email Is Susceptible

If a company is enjoying a Bring Your Own Device (BYOD) policy, then the device belongs to the user, and the user can dictate what is installed on the device. This can be problematic when a company's BYOD policy requires the installation of software or application to control access, and the user does not comply with these installations. Ideally, the company should provide the device and set it up however the company wishes. In either case, companies should control which user can connect to the company network and what specific devices that user can connect from. Companies often overlook the fundamental concept that once a user's ID and password are compromised, then any device can be used to access the company network.

How can the type of device be controlled? Mobile Device Management software is a solution. However, this software can be expensive and requires additional employees to manage. This forces companies to deal with cost versus perceived risk. It's just email right? Actually, it's email attachments, contacts, appointments, and anything else archived or contained within the mobile email system.

How To Keep Safe On Your Mobile Device

One should look at the data contained within their mobile email system and determine what the risk would be if the email were lost to an outsider. The loss of data can be quite catastrophic and costly if you consider that emails often contain sensitive information like company financial plans, contract negotiations, and employee HR files. Just the loss of a handful of employee HR files can result in thousands of dollars spent in privacy notifications, payment for credit monitoring, and possible civil suits.

In fact, Dara Security recently responded to such a case, where the primary concern was mail transfers from compromised user accounts to devices the company did not own. Another concern was to determine if malicious codehad been installed on the systems used by the users.

Smartphones and tablets are here to stay. Users and companies will continue to embrace mobile technology in order to stay in constant contact and to improve efficiencies. However, companies should not overlook the risks of mobile device usage in the workplace. Companies should diligently pursue the most secure environment possible by fully understanding all the risks and implementing appropriate solutions.

Let Dara Security Help Secure Your Mobile Email

We at Dara Security are ready to help you achieve the most secure environment when it comes to mobile device usage in your company. Our team of experts follows a very detailed and structured methodology for performing Mobile Device Attack & Penetration Assessments. We use the mindset and methodology of a hacker as we attempt to exploit vulnerabilities and misconfigurations in your network-enabled mobile devices. Our team knows how hackers compromise networks because we do it ethically for clients and concurrently assess business impact and risk controls. You can be confident that our experience and technical knowledge will result in a complete Mobile Device Attack & Penetration Assessment tailored specifically to safeguard your organization's network.