In June 2019, a study on mobile app vulnerabilities presented some incredible and worrisome findings. Most notably, high-risk vulnerabilities were found in 43 percent of mobile apps for Android and 38 percent for iOS, according to Positive Technologies. Now, consider this: In terms of market share, per IDC, Android owns nearly 87 percent and iOS owns around 13 percent.

Putting it all together, what does this mean for mobile security?

It means that many of us are walking around with devices that are probably highly exposed. The mobile security problem doesn’t just present high risk to individual users and organizations, but it is also widespread, making mobile device management (MDM) doubly difficult.

Balance Business and Security Needs

The magic act of identifying the right mobile security solution for you means finding that happy balance between the speed of business and the necessity of security. Along the spectrum today, these two issues could not be further apart.

If I’m a business professional, I want every tool, every piece of data and every gizmo possible on my mobile device so I can pull it up in a flash, analyze and crunch the data and, quite candidly, make the sale. That’s my driver. Anything that slows me down just prevents me from conducting my business. I really don’t want to expose the business to any harm, but I need to get my job done and I can’t be slowed down by security.

On the other hand, if I’m a security professional, I want to limit every tool that isn’t deemed necessary (and test the ones that are), limit what data can be viewed and ensure these gizmos aren’t creating a mess that I’m going to have to clean up later. Honestly, I don’t want to slow down the sale, but I also don’t want to leave such a glaring hole in our security posture that we lose the company at the cost of closing a deal.

As you can see, these two interests couldn’t be further apart. The situation reminds me of the old saying: “Don’t lose sight of the forest for the trees.”

Both users and security staff need to be cognizant of the fact that they’re operating in the same forest, and it’s not that one grows the forest and the other protects it. Rather, both are responsible for growing and protecting it. It’s a shared responsibility.

So how do we get to a mobile security solution that grows the forest?

Assess Your Environment First

With so many technical solutions out there, the key to getting it right begins with asking the right questions. That means making a correct assessment of your IT environment. On the best of days, this is no easy task. Together with defining your risk tolerances and understanding your business processes, it is one of three areas that require an in-depth and sober understanding if you want to get your security process right.

Get these wrong, and you might find yourself going out of business in the near future. Go security-heavy, and you may find yourself unable to conduct business. Go business-heavy, and you may find yourself out of business because a malicious actor just stole all your intellectual property, competitor analyses and bid strategies.

So how should you go about assessing your environment for a mobile world? IBM Security developed a handy best practices white paper that is a great place to start when trying to decide what your mobile security path should look like.

Is BYOD Worth the Additional Risk?

I want to focus on best practices Nos. 7 and 8, because those are the ones that pay specific attention to mobile apps. I’m personally not a big fan of bring-your-own-device (BYOD); it presents an unbelievable convenience for so many users, but the associated enterprise security risks are becoming a bit too unwieldy for my liking. Therefore, if I’m part of the C-suite, I’m really starting to reconsider these practices.

Here’s why: I’m not all too concerned about the technical solutions. They’re actually becoming quite good. You can sandbox applications, there are service kiosks that allow only approved mobile apps and endpoint management tools are only getting better with the integration of artificial intelligence (AI). My concerns rest elsewhere — human behavior and potential legal issues — but first, a quick comment on technological gaps.

Good code is expensive. It’s an important issue because, as the Positive Technologies report stated, “Risks do not necessarily result from any one particular vulnerability on the client or server side. In many cases, they are the product of several seemingly small deficiencies in various parts of the mobile application.”

Mobile apps also present a “death by a thousand cuts” scenario, which is another reason why I think BYOD practices need to be reevaluated.

Decide How Much Risk You Are Willing to Accept

Back to human behavior and potential legal issues. Just like phishing, where one bad click could expose you to an array of nastiness, the same can be said for one bad mobile app. Therefore, if you’re following BYOD practices, make sure to look at step No. 7 from the IBM Security white paper and ensure your MDM solution is locking down what needs to be locked down.

If you follow the best practices guide, points Nos. 7 and 8 address control over the device and device location capabilities. That’s where I see legal issues, such as privacy concerns, on the horizon. Sure, employees can agree to certain terms, but if I’m using a personal device, why shouldn’t I be able to download any mobile app I want? Who cares if the app may have flaws? The device is mine, after all, isn’t it?

It all comes down to determining what level of risk you’re willing to accept. It’s always going to come back to that, along with knowing your environment and understanding your business processes.

Therefore, with so many risky mobile apps out there, one way of reducing this risk may be to start looking into your BYOD practices and determining if they make sense for your organization. The convenience may not be worth the hassle.
