When the first virus for smartphones arrived on the scene back in 2004, organizations didn’t have a way to protect their devices, the data on the devices or the users themselves. Fast forward almost 20 years, and mobile security is a major component of enterprise security strategies. Today, 85% of Americans own a smartphone, according to the Pew Research Center -- and many of them use those smartphones in both personal and professional capacities.
The combined personal/professional use of smartphones is why so many organizations continue to seek effective ways to protect corporate assets. At the same time, organizations want to respect the right of employees to use their devices of choice. It’s a tough balance, especially as threat actors capitalize on the fact that the workforce is highly mobile today, moving between office and home environments. Organizations have seen an increase in mobile application security threats, web-based mobile security threats, mobile network security threats and mobile device security threats.
Efforts to thwart security breaches have largely fallen short, given the staggeringly high levels of incidents in recent years. An October 2020 report from Omdia and Google found that nearly half of businesses had experienced a mobile-related security incident in the previous 12 months.
The situation has caused organizations in all industries to take a fresh look at how they handle mobile security. Here, experts provide six mobile security tips for rethinking your approach.
Make mobile security a foundational element of a broader zero-trust access approach.
Interest in and adoption of zero-trust security and conditional access capabilities have grown. Businesses are looking to strengthen security as employee behaviors change, while ensuring those new security measures won’t result in negative user experiences, said Adam Holtby, principal analyst for the mobile sector at Omdia. For example, replacing traditional VPN technology that relies on a concentrator in a corporate data center with a cloud-based alternative can provide the same benefits but in a zero-trust context.
Understand your users and business cases.
One size does not fit all in mobile security. To tackle mobile security issues effectively, organizations must know exactly what their users download onto their mobile devices. For example, do users download sensitive or proprietary data?
It can be highly challenging to figure out how users circumvent existing protections to get work done, said Daniel Spicer, chief security officer at software vendor Ivanti. “It’s almost like a forensic exercise, where you have to see what applications users are accessing and where sensitive data is actually being used,” he said. “You always want to secure the users and devices [that have] the keys to the kingdom first.”
MDM is just part of the answer.
Mobile device management (MDM), which allows IT administrators to securely monitor and manage mobile devices that access business resources, is a critical part of a mobile security strategy. It’s not enough to simply have MDM technology, however. MDM can cover some percentage of threats, but bad actors can often bypass the controls, said Brian Linder, a threat prevention expert at security vendor Check Point Software.
Comprehensive mobile security requires another layer -- typically broader mobile security management (MSM) technologies (sometimes called mobile threat defense tools). MSM products help businesses prevent, detect and remediate security threats that target the mobile workforce, including mobile endpoint, application and network attacks, by gathering threat intelligence from devices and other sources.
Look for these capabilities in an MSM product.
At a minimum, an MSM offering should have the following capabilities:
- Prevent users from downloading malicious applications.
- Stop phishing attacks through a browser in real time. Users can often absentmindedly click seemingly harmless links that turn out to be malicious.
- Ensure that all applications and device settings are fully updated at all times. Out-of-date applications are playgrounds for threat actors yet are very common. For example, research by Verizon found that 93% of Android devices ran an out-of-date version of the operating system. MSM products should automatically require users to upgrade applications before they can gain access to them, Linder said.
Politics be damned. BYOD shouldn’t be an inhibitor to comprehensive mobile security.
Some organizations are afraid to put checks and balances on employees’ own devices, even if those devices get used for work purposes. It’s time to get over that fear, Linder said. “Businesses don’t want to interfere with an employee’s Instagram or Facebook or photos or data, but if the device is touching corporate data on the corporate network or even on an as-a-service platform in the cloud, the enterprise must protect access,” he said. “Not doing so is a missed opportunity to protect the enterprise.”
Mobile security is about much more than the devices.
In addition to mobile security policies around devices, businesses should consider related vulnerabilities. Those vulnerabilities include mobile apps, web apps and the various networks that the mobile workforce relies on, Holtby said.