Businesses in a variety of sectors and industries are increasingly becoming mobile-powered. Through mobile devices and applications, organizations are delivering more convenience, boosting productivity, and speeding innovation. As such, we’re now seeing the rise of the mobile-first business.
The emergence of the mobile-first business has fundamental implications for security teams. The explosive growth in mobile device and app usage has created an ever-growing attack surface—and increasing numbers of sophisticated cybercriminals and nation-states continue to exploit these areas of vulnerability. This post will look at this expanding vulnerability gap, and outline the five key principles to secure the mobile-first business.
The Expanding Vulnerability Gap of the Mobile-First Business
In the mobile-first world, security teams are seeing an increase in all of the following:
- More unmanaged devices are accessing the network than ever before.
- The number of mobile apps available—and downloaded on a user’s device—continues to grow rapidly.
- Threats targeting mobile devices and apps keep growing in scale, frequency, and sophistication.
- Security and privacy regulations continue to evolve.
In stark contrast, there are some things that remain relatively flat, namely, the budgets and staffing levels of the security teams trying to contend with these growing demands. Consequently, today’s teams are confronting large and rapidly growing vulnerability gaps.
The Five Principles for Securing the Mobile-First Business
To secure the mobile-first business, new approaches and technologies are required. Here are the five critical principles to follow:
1. Prioritize Risk at the Edge
The reality is that many teams know they need to address their vulnerability gap but aren’t sure where to start. For enterprise security teams, it’s vital to focus on the vulnerable endpoints that provide an entry point into the enterprise. Within many enterprises today, that’s through mobile devices and apps.
Many of us now use our personal mobile devices to get work done, whether to check email or use multi-factor authentication (MFA) on the phone to gain system access. As the lines between personal and business blur, the distinction becomes academic. Ultimately, employees’ mobile devices must be secured, or organizations’ systems and assets will increasingly be exposed to cyber threats.
This is also true for mobile apps. App developers are under pressure to speed up the delivery of new offerings and features. Consequently, they frequently turn to open-source code, software development kits (SDKs), and other third-party components. It is vital for developers to ensure their apps and their code—whether internally written or from a third party—don’t introduce vulnerabilities.
2. Operate in a Known State
Too often, teams don’t know about a breach until they’re notified, either by a law enforcement agency or, worse, a criminal seeking ransom.
To counter this situation, teams need to establish as much visibility as possible within the mobile ecosystem. It is vital to gain a current, complete view of the security posture and risk level of your mobile ecosystem. Organizations need to implement this visibility without hindering the productivity of developers or employees. It is also vital to establish quantifiable, auditable, and ultimately insurable best practices.
3. Establish Step-Up Detection and Response
With legacy security tools, teams essentially have taken a binary, history-driven approach. For example, an anti-virus tool will have a database with the signatures of previously detected malware and use that to permit or deny traffic.
The reality is that one can’t know where the attacks will come from or which tools or tactics bad actors will use. Further, the level of risk can vary substantially depending on the situation. There’s a big difference between a user accessing an unsecured Wi-Fi network at a local coffee shop and a device infected by a remote access trojan attempting to infiltrate a corporate network.
Security teams need to establish a strategic approach in which they embed security across the application lifecycle and the device. They need to be able to detect and prioritize anomalies, respond to threats based on context, and proactively resolve vulnerabilities and incidents. With these capabilities, teams can begin to build tamper-proof, optimized defenses.
4. Start the Autonomous Journey
The next phase is to leverage automation and ultimately establish an autonomous approach, enabling fast, dynamic responses to ever-changing mobile ecosystems and threats. Ultimately, security teams will need to integrate threat detection, vulnerability and risk management, mobile device management (MDM), security information and event management (SIEM), and extended threat detection and response (XDR). Teams need to make sense of all the data various security systems are generating.
With these integrations and capabilities, teams can ensure systems are in place to respond immediately to attacks and threats. For example, in the event of a device compromise, a system can automatically isolate the device and prevent it from accessing sensitive systems or assets. It is only through this autonomous approach that teams will be able to scale to accommodate their rapidly growing ecosystems, vulnerabilities, and threats. In this way, they can better ensure the security and resilience of their environments.
5. Never Break the Law
Around the world and across industries, regulations and rules continue to evolve. It is vital to stay informed about various security and privacy regulations, including current and pending mandates. Just as with breaches and vulnerabilities, it is far better to be proactive in complying with regulations rather than scrambling to respond after a fine is levied or a compliance audit has failed.
Lastly, it is important to underscore the cross-border nature of these requirements. Quite simply, just because an organization isn’t headquartered in a state or country with strong privacy regulations doesn’t mean it isn’t responsible for complying with those requirements. Often, if you do business with organizations or serve customers in a particular region, you’ll be responsible for adhering to that region’s rules and mandates, such as GDPR, CMMC, and NIS2.
Conclusion
For the mobile-first business, the opportunities are enormous—but so are the risks. By employing the five principles outlined above, teams can start to capitalize on the potential of mobile devices and apps while safeguarding their devices, assets, and business.