Protect Your Enterprise by Setting Standards for Mobile Security
By Matthew Montgomery
Policy enforcement, deployment, updates and, most importantly, standards are all vital components of a mobile device security strategy.

The year 2019 has been a banner year in the world of cybersecurity, with thousands of high-profile compromises impacting organizations across all sectors – from education, to financial services, to healthcare, to the public sector. To the average enterprise security director, the increasing complexities of the ever-evolving digital landscape might make it seem like an attack is an inevitability.
Despite the recent prevalence of compromises, enterprises of all sizes have not yet set up the proper defenses to combat these persistent threats – overlooking even the most basic cybersecurity principles and thus leaving their organization (and their customers) vulnerable to attacks that can be user-behavior based, app based, device based or network based.
However, one distinct factor is often missing when assessing an organization’s security risk: compromises that occur because of mobile device vulnerabilities.
According to Verizon research, nearly half of enterprises willfully sacrifice mobile security (whether that be a smartphone, tablet, laptop, or connected device) in order to improve speed to market and profitability – up from nearly one third in 2018. In return, these organizations face the recurring risk of data loss, downtime and damage to both their reputations and their customer relationships.
Mobilizing Mobile Security
Though mobile devices have caught up to fixed connection in terms of their general capabilities and the ability to access corporate resources (including bank details, billing information, customer lists and employee personal data), enterprises continue to give preferential security treatment to those fixed connections, despite the workforce’s increasing reliance on mobile devices to do their jobs. In fact, mobile devices are arguably more prone to certain types of attacks – like phishing and badly coded sites – than their fixed connection counterparts.
Compromises of a mobile device can be just as damaging to an enterprise as those to a fixed connection such as a desktop computer – with the potential to undermine an organization’s customer data, intellectual property, core systems and of course, overall reputation.
Most enterprises, no matter their size, remain ill-prepared and ill-equipped to take on these persistent mobile security threats, so it is crucial to understand the ways in which you can mitigate mobile security threats in order to keep your employees’ and customers’ information secure.
Size Doesn’t Matter
While larger organizations tend to have the resources to better face the challenges of mobile security threats (including the expertise on staff to detect those threats), smaller businesses often lack those same resources to effectively manage and monitor their digital perimeter. On the other hand, the larger the organization, the greater the number of employees and employee devices (both mobile and fixed connection) there are to oversee and keep protected. Despite the gap in expertise and resources, the likelihood of experiencing a mobile security compromise tends to be consistent no matter the size of an enterprise.
Without adopting even the most basic precautions to ensure they aren’t as susceptible to mobile security compromises, organizations large and small repeatedly make themselves a target for attacks – from cryptojacking to malware. While these organizations continue to focus on servers and personal computers as the top priority for protection, mobile devices remain in constant jeopardy from potential attacks.
Thus, it becomes a matter of enterprise security leaders reevaluating and adjusting their lines of defense. Once an organization puts mobile security on par with fixed connection security, they not only need to educate employees to recognize and report potential threats, but also design and apply an across-the-board standard that can automate and enforce security policies.
Setting the Standard
The best defense is a good offense.
It will no longer suffice to respond to an attack quickly and strategically; enterprises must also put security practices in place to anticipate and defend against an attack before it occurs.
But there is no quick and easy fix that an organization can adopt that will forever immunize it from potential mobile attacks. Instead, you should incorporate a multi-step plan of action that can ensure you are both knowledgeable of how an attack can occur and prepared to combat those attacks.
1. First, assess your current security situation – determining where your internal weak spots are and how you can rectify them in order to avoid a major compromise, whether those weak spots lie in the devices that employees work from, the data, or who has access to the devices and data. Enterprise security leaders must create and uphold a standard to measure success against, such as instituting comprehensive acceptable use policies (AUPs) for all employees in order to define what acceptable, “normal” behavior is on mobile devices. The standard, once agreed upon, can then be repeatedly referenced by security throughout the year to analyze the threat landscape and security posture.
2. The second step is to make efforts to protect against these threats, through measures such as a device enrollment policy for employees, two-factor authentication for logins, limiting Wi-Fi to approved networks, or preventing employees from downloading or installing unfamiliar applications on their devices. If enterprise security leaders are able to set controls for employees’ mobile devices that are in compliance with the AUPs, they can better identify user misuse and use activity-based monitoring to block bad actors.
3. Third, enterprise security leaders must set up controls that allow them to better detect oncoming compromises in order to ensure a fast response that can lessen impact. To accomplish this, you can deploy mobile threat detection software that automatically scans for weak spots or potential threats and instantaneously reports misuse. Putting detection tools in place helps to shrink security blind spots for an organization and allows IT departments to better pinpoint the source of a potential attack.
4. Last, it is imperative that an enterprise implement the tools needed to respond to attacks to ensure a speedy recovery. This could be through something as straightforward as setting up a policy that contains attacks by locking down employee and customer personal information and isolating infected or missing devices. By doing this, enterprises are across-the-board better prepared to remedy security situations quickly and efficiently.
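As an added illustration of steps 2 through 4 (not code from the article or from Verizon), the check below turns an AUP-style baseline into rules, flags misuse per device, and maps the findings to a containment action; the approved network names, app allowlist and device inventory are constructed sample values, not real ones.

```python
# Added example: evaluate mobile device posture against an AUP baseline and
# pick a response. All baseline values and the fleet below are constructed.
from dataclasses import dataclass

APPROVED_WIFI = {"corp-wifi", "corp-guest"}              # step 2: approved networks
APP_ALLOWLIST = {"mail", "calendar", "vpn", "authenticator"}  # step 2: known apps


@dataclass
class Device:
    device_id: str
    user: str
    enrolled: bool            # step 2: device enrollment policy
    mfa_enabled: bool         # step 2: two-factor authentication
    wifi_ssid: str            # current network the device is joined to
    apps: list                # installed applications reported by the device
    reported_missing: bool = False  # step 4: lost or stolen device


def evaluate(device: Device) -> list:
    """Step 3: return every AUP violation found for one device (empty = compliant)."""
    findings = []
    if not device.enrolled:
        findings.append("not enrolled in MDM")
    if not device.mfa_enabled:
        findings.append("MFA disabled")
    if device.wifi_ssid not in APPROVED_WIFI:
        findings.append(f"unapproved Wi-Fi: {device.wifi_ssid}")
    findings += [f"unapproved app: {a}" for a in device.apps if a not in APP_ALLOWLIST]
    if device.reported_missing:
        findings.append("device reported missing")
    return findings


def response(findings: list) -> str:
    """Step 4: isolate on loss or missing enrollment, notify on lesser issues."""
    if "device reported missing" in findings or "not enrolled in MDM" in findings:
        return "isolate"   # cut corporate data access until remediated
    return "notify" if findings else "allow"


def triage(fleet: list) -> dict:
    """Run the check over the whole inventory: {device_id: (action, findings)}."""
    result = {}
    for d in fleet:
        findings = evaluate(d)
        result[d.device_id] = (response(findings), findings)
    return result


SAMPLE_FLEET = [  # constructed inventory for the demonstration
    Device("phone-01", "alice", True, True, "corp-wifi", ["mail", "vpn"]),
    Device("tablet-02", "bob", True, False, "cafe-free", ["mail", "flashlight-pro"]),
    Device("phone-03", "carol", False, True, "corp-wifi", ["mail"], reported_missing=True),
]

if __name__ == "__main__":
    for dev_id, (action, findings) in triage(SAMPLE_FLEET).items():
        print(dev_id, action, findings)
```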
Actions Before Reactions
Regardless of industry or organizational size, compromises and attacks are not an inevitability due to the changing digital world. Rather, it is the lack of prior planning, vigilance and consideration of mobile devices that repeatedly makes organizations vulnerable.
Mobile protection is not about taking the path of least resistance, or finding the easy way out in order to get the job done. When organizations cut corners with mobile security, they are more likely to be hit, and hit hard. Nor does mobile security rely on taking every precaution, no matter the expense. If you implement one or two policies like two-factor authentication and blocking external application downloads, you are making progress in combating potential attacks.
Once long-term solutions are set in motion to educate organizations (from the top down), analyze security weak spots, protect against threat actors and enforce rules that maintain a standard of compliance for employees, enterprises are better able to navigate the threat landscape in order to act against threats rather than react once a compromise has taken place.