Underestimating the Importance of Mobile Security
Suppose one of your business’s employees was out and about one day and her mobile device got hacked. The general consensus would be it’s not exactly a disaster. It’s unlikely that you store your enterprise’s intellectual property on a given employee’s smartphone.
It’s not as if we have seen a string of headlines about seven-figure mobile device breaches. Even then, the device is enrolled in an unified endpoint management (UEM) system of some sort, maybe a container is used, and I use encryption or a VPN, and don’t let mobile devices on my network.
I am fine, right?
In the world of IT security concerns, a mobile device breach is perceived as an annoyance, not a catastrophe. Preventing such a breach would no doubt be a good idea, but it doesn’t even come close to being mission critical, right…
Why everything above is 100%, flat-out wrong
The fact is, mobile security is one of, if not the single most important facet of enterprise security being overlooked or under-supported, therefore posing a massive threat to organizations.
To understand why mobile security is vital, let’s put some context around the role of mobile devices in the enterprise. To start with the broadest stroke, enterprise cybersecurity is concerned with securing an organizations data and business. The focus has traditionally been on the network, endpoint from an intrusion prevention, and insider threat perspective in simplistic terms.
As network security has undergone changes we all recognize (e.g. cloud computing, virtualization and software-defined everything), endpoint security has been undergoing a less obvious change.
Over the course of the past decade, mobile has become the number one endpoint in use within most organizations, while the focus from an endpoint security perspective remained on traditional desktops and laptop workstations. Today, the majority of enterprises have no similar security controls on mobile that they have on those traditional endpoints.
There is a huge gap in endpoint security for the vast majority of organizations.
Mobile devices are not just AN endpoint, they are THE endpoint
Any conversation around endpoint security should begin with mobile devices. Here’s why:
First, in terms of sheer numbers, mobile devices make up some 60% of enterprise endpoints while desktops and laptops account for only ~40%.
Mobile devices are one of, if not the single greatest enabler of worker productivity in the enterprise. These devices are provisioned with access to the back end, touching cloud repositories, data sharing and other resources.
In fact, they increase productivity by 34% and give companies an extra 240 hours of work per employee per year. From an access and rights perspective, these devices have the same level if not more access than most traditional endpoints, and are used more.
With respect to information security, mobile is the new RSA fob or key to user identity. It is the second factor authentication at minimum for most organizations. Employees also put all their passwords in password vaults on their devices – and not just personal passwords, but their work passwords, for network sign-on, email access, application access, etc. All this data is localized on the employee’s mobile device.
This is not even taking into account the amount of access mobile devices are granted from email, document sharing and collaboration tools, communication apps, etc.
Mobile devices are at their core communication devices, and as such are exposed to phishing vectors like SMS, user apps, personal email, etc. that organizations have no visibility into, much less the ability to prevent.
To put a finer point on this, there is a reason why organizations wipe corporate data and access from physically lost devices using an UEM. This data and access is valuable, and worth protecting. However, most organizations have no visibility into whether an attacker is actively attacking a device to gain access to the same data they are trying to protect with those workflows, much less if they can even take action on it.
It’s worth repeating. Mobile is not just AN endpoint. Mobile is THE endpoint for the enterprise.
Mobile devices are disastrously under-protected
Mobile is clearly the main endpoint in every enterprise. That’s the new reality, but it is also a problem, because there is a sense of trust we have extended to mobile devices, with no valid reason or method to validate that trust.
While every security team has defense-in-depth solutions protecting desktops and laptops, there is no such depth of protection for mobile devices. We do have management tools on them, such as access control tools and UEM’s. However few organizations have true security tools from an endpoint protection standpoint. Even MDM’s offering jailbreak detections are woefully inadequate with the evolving threat landscapes.
Most cannot tell you if a device was compromised or attacked unless it was a user initiated jailbreak, and not a true attack scenario, much less how such a compromise was made with associated forensics – – whether by a malicious or risky app, from connecting to a compromised Wi-Fi network, or from a mobile phishing attack. This demands an approach that can detect and defend across the full spectrum of attack vectors mobile devices are increasingly exposed to.
Phishing detection and prevention is particularly important for mobile. Unlike desktops and laptops where security teams can install proxy services and route all traffic through gateways, such approaches do not translate well to mobile. Additionally, mobile devices are designed for communication. As a result, they have more attack vectors for phishing than desktops.
For example, you can phish through SMS text messaging on a mobile device, but not on a desktop. What’s more, traditional endpoint security tools have zero visibility into those attack vectors coming from non corporate controlled applications like WhatsApp, Wechat, and other personal messaging apps. Attackers know this, and are increasingly targeting the corporate persona of a user using their personal communication channels.
Ask yourself: if I am an enterprise, do I know with certainty whether my employees have clicked on a phishing link that originated from WhatsApp, WeChat, Facebook Messenger, SMS, or personal email on mobile?
Hint, the answer is typically no.
We all agree these attack vectors are major security issues, so we invest in protection against them for traditional endpoints such as desktops and laptops. We need to start making those same investments to protect what is now the endpoint: mobile devices.
What you don’t know about mobile can and will hurt you
IT and security teams have long had excellent visibility into what’s happening on desktops and laptops. By contrast, most organizations have zero visibility on mobile devices. What this means is there may already be attacks launched against your business through mobile devices that you don’t even know about.
To understand the scope of the problem, one study found one in three security and IT pros think their organization has experienced a mobile breach. Our own data (based on over 45 million endpoints that our customers allow us to analyze anonymously) shows 100% of enterprises with devices under protection have been subjected to a mobile attack. If you think your enterprise has not been subjected to a mobile attack, it is a near certainty that you have, and simply do not know about it…yet.
If you need it for desktops you need it for mobile
What all of this means is that mobile security is not just a “nice-to-have.” It falls under the category of “I have to have it.” Here’s how you can make that crystal clear.
Assess every form of protection you have for your mobile devices right this minute. Now ask yourself: if that was all I had protecting other endpoints, such as my business’s desktops, would I be OK with it? In all likelihood, many security teams would be very uncomfortable with that scenario to put it mildly.
Mobile is the endpoint and demands the same or similar security approaches around management, endpoint protection, and access controls as traditional endpoints.
Additionally, mobile requires a solution that has been designed from the ground up to exist in the mobile ecosystem due to all of the threat vectors, privacy concerns, and mobile specific items that prevent traditional endpoints solutions and approaches that work on desktops and laptops from working on mobile. If you are interested in learning more, we’re here to help.