Cybersecurity Starts At The Top: Why The C-Suite Should Lead Mobile Security
By Simon Biddiscombe
Simon Biddiscombe is the CEO of MobileIron, the company that introduced the industry’s first mobile-centric, zero trust platform.
When we think of who is most vulnerable to phishing attacks, C-level executives may not immediately come to mind. But as a recent study commissioned by my company and conducted by Vanson Bourne discovered, many of these leaders may be more vulnerable than average users, and not just because they are preferred targets for hackers.
According to the findings, C-suite executives are the most likely group within an organization to ask for relaxed mobile security protocols, despite being at greater risk of attack. This study also found that respondents feel hampered by security restrictions on their devices. It’s not really surprising, given that many companies still rely on passwords to protect access to mobile apps and data, and the hassle of needing to keep them updated can take valuable time away from more important work.
Striking A Balance Between Corporate Security And Employee Privacy
What is especially interesting, however, is that more than two-thirds of these executives said they actually felt that IT security put their own privacy at risk. Think about that. If company leaders don’t trust IT to protect their personal data, why should other employees? This distrust of mobile security protocols is especially prevalent in companies where users don’t have a clear understanding of which apps and data IT can see and control on their personal mobile devices. Without this confidence, users are less likely to opt in to mobile device management (MDM). And without MDM security controls deployed on every mobile device that accesses company apps, IT can’t fully protect against cyberthreats such as phishing and other attacks. Even one unprotected device or app can leave the door open to cyberthreats.
Putting The User Experience At The Center Of Mobile Security
It’s true that far too many organizations have not quite gotten around to implementing a “zero trust” security approach on mobile. Even though IT understands the validity of zero trust — that no user, device, app, network or cloud can be automatically trusted without verification — implementing a zero trust security approach has proven to be a little more challenging. Part of the reason may be that IT is often asked to deploy technologies to support compliance without focusing on how these solutions impact the user. As a result, the user experience may suffer for the sake of security, but it doesn’t have to be this way. Organizations can meet compliance requirements without requiring users to jump through annoying security hurdles, like password resets and account lockouts. This is an opportunity for the C-suite to champion the need for a better mobile user experience, because we’re all safer when users willingly opt in to mobile IT security.
By making security protocols like authentication easier, either through multi-factor authentication (MFA) or other methods that eliminate passwords, IT organizations also provide better protection against certain cyberattacks. Old-school hacks such as phishing, stolen credentials and compromised email are still the top causes of data breaches because passwords are still so heavily used everywhere. While mobile technology advances at warp speed, our primary ways of authenticating to it are still very much stuck in the past. The reality is that protecting mobile devices and apps shouldn’t be that hard. It shouldn’t push C-level executives to ask for special bypasses that allow them to access business resources on unsupported devices because authentication is a pain. Passwordless access is here, whether through MFA or physical tokens such as the YubiKey, but many companies have not modernized their authentication methods as fast as they’ve modernized other parts of their mobile infrastructures. And that should be a major IT priority in the next six to 12 months.
In The Midst Of A Pandemic, Don’t We Have Bigger Priorities?
True, the era of COVID-19 has transformed most business operations overnight. There’s a lot more to figure out now than before the pandemic, and with so many teams working remotely, that can be a challenge. Regardless, cybersecurity can’t be an optional extra. Businesses need to ensure they have dynamic security in place that works for everyone in the organization, from the C-level on down. Working from home will not be going away anytime soon for many companies, so it’s now even more important to ensure that employees at every level of the business can maintain maximum productivity. This means remote workers need easier access to help desk services and freedom from productivity barriers like passwords and VPNs.
Cyberattackers know that more users than ever are working from home, often on loosely secured personal devices and networks. That’s even more reason to take an aggressive security position against phishing and other attacks. Mobile security needs to be uniformly and seamlessly provisioned on every single device across the company — no exceptions. That also means it needs to be as easy as possible, for everyone, because life is complicated enough right now.