Mobile security, especially regarding personal electronic devices, is unique because the threats and vulnerabilities are different from those of other endpoints. Whereas computers in their factory settings are often undersecured in terms of operating system configurations, missing patches and the like, modern mobile platforms like iOS and Android are reasonably secure from the get-go.
That’s true even on personal systems. In these cases, it’s not usually an outdated web browser facilitating exploits. The primary concerns in mobile security are the actual users of systems and the environments in which they operate, rather than threat actor infiltration. It’s what your users are doing with business assets via enterprise and personal apps that creates exposures; it’s the physical security risks and who steals a system or comes across it once it’s been lost.
How to Keep Pace With Changing Environments
This risk shift and the corresponding security approach has caused a lot of people to let their guard down in terms of properly securing their mobile environments. There’s a common assumption that all is well because policies are documented and technologies such as mobile device management, enterprise mobility management (EMM) and unified endpoint management (UEM) are in place. In the spirit of trust but verify, the assumption that business risks are minimized because the mobile security checkbox has been checked is often a mirage. In many organizations, mobile environments are creating indirect, yet tangible risks.
Businesses should move toward substantive mobile security practices. Talk is cheap, and you can’t base your mobile security on guidelines and recommendations alone. Take, for example, the following statements pulled from some mobile and bring-your-own-device (BYOD) security policies:
- The scope of this policy applies to all forms of information and computer systems, including speech, whether spoken in person, communicated by phone or radio, or stored and processed via mobile phones.
- All personally owned mobile systems must have:
- Power-on passwords;
- Encryption;
- Passwords that meet or exceed existing domain password requirements;
- Software updates; and
- Data backups.
- It is the responsibility of each employee to ensure that this policy is followed and the responsibility of management to ensure that it’s enforced.
The statements sound official, look great on paper and will undoubtedly contribute to a resilient mobile computing environment. But they’re vague on the details of practices and accountability and are simply not enough. Like many security policies, in the greater scheme of things, they really mean nothing unless they are made known and actively enforced.
Get a Grip on Personal Electronic Devices
There are four areas you must address to get ahead of mobile security challenges:
- Acknowledge that mobile computing is not an auxiliary part of your overall security program; it’s just as integral as any other network-connected device security.
- Get to know your mobile environment, including what platforms are being used, what percentage of devices are corporate-issued and what percentage are personally owned, along with how they are being used in day-to-day business practices.
- Fully understand your current level of mobile risk — not just your overall information security posture but your mobile-specific risks that can be measured, such as vulnerable business workflows, app usage, file sharing and syncing, and so on.
- Determine which security technologies and processes can provide you with the necessary visibility and control to either eliminate or minimize the high-priority risks that you have identified.
This approach may sound somewhat elementary, but you’d be surprised how many people ignore one or all of these steps. This is the level of focus required to acknowledge and resolve mobile risks.
Establish an Enterprisewide Security Mindset
Perhaps most importantly, a measured approach to mobile security needs to apply from the top down, starting with executive management. Be sure to include mobile phones and tablets, but don’t forget about the risks associated with laptop computers — especially personally owned systems that are accessing business information and network connections, yet may not be properly protected.
In the end, the mobile component of your overall security program relies on organizational culture as much as anything else. From the board and executive management down to the most junior employees, mobile operations need to be treated as an essential business function.
Read the Forrester Report: Mobile Vision 2020
Independent Information Security Consultant