Mobile devices have taken over the enterprise. Ninety-five percent of us own a cellphone, and a full 100 percent of people between the ages of 18 and 29 carry one, according to Pew Research Center. Those mobile devices are making their way into the workplace, whether they are corporate-owned or brought in under a bring-your-own-device (BYOD) policy. In either case, once these devices are in the workplace, they are always nearby, turned on and ready to use.
While smartphones and tablets have become more ubiquitous in the workplace, organizations are flat-out ignoring mobile security risks. In fact, according to studies released during RSA Conference 2019, many enterprises tend to cut corners when it comes to mobile security. By not emphasizing the security of mobile applications, chief information security officers (CISOs) and other security leaders are opening up the organization to all sorts of security threats and data compromise.
The Mobile Disconnect
Data breaches and other cybersecurity incidents tend to focus on network infrastructure. Whenever a major incident occurs, security experts and the media both focus on the genesis of the incident, such as a phishing email or third-party vulnerability. According to Verizon’s “Mobile Security Index 2019,” compromise that occurs due to mobile devices is rarely included in those discussions. Yet, as the report noted, 33 percent of companies reported having suffered a compromise due to mobile security risks.
Here’s the problem: While the focus is on how an incident happened (e.g., an employee clicking on a malicious link in a phishing email) or what was compromised in the incident (e.g., passwords, medical information, credit card numbers), we ignore where it happened. As more employees rely on their smartphones and tablets for work, both in and out of the office, chances are greater than ever that the phishing email responsible for the compromise was read on a mobile device or the third-party breach was due to malicious mobile applications on a vendor’s phone.
If CISOs and security leadership aren’t putting more emphasis on where an incident originated, they also aren’t putting more emphasis on addressing the risks specific to that place. They are disconnected from mobile’s impact.
This means mobile devices and applications aren’t receiving the same level of cybersecurity protections as other parts of corporate infrastructure. The Verizon report found that two-thirds of respondents admitted they were less confident about the protection of their mobile resources compared to the protection of desktop computers and other endpoints.
Mobile Security Risks in the Age of Data Privacy
Mobile applications are the Achilles’ heel of mobile security; they are the most likely points of data leakage and malware infection. They collect vast amounts of information that often have nothing to do with the app’s function — for example, why does your phone’s flashlight need to know your location or have access to text messages? Add to that the disconnect between mobile devices and the rest of the security program, and you have a recipe for violating any one of an increasing number of data privacy regulations.
Pradeo’s “Mobile Security Report” even refers to mobile applications as “privacy’s sworn enemy.” According to the report, free mobile apps embed an average of six marketing libraries from which user data is collected and resold. That in itself may put the mobile app in violation of Vermont’s new data privacy law, which allows users to opt out of having their information resold by data brokers.
What if that app is gathering information about your organization’s customers? Now it isn’t just the mobile app that is violating the law, but also the organization that hasn’t taken steps to warn customers of the threat to their personal information. If leadership isn’t paying attention to data privacy risks because it isn’t paying enough attention to mobile security, the result could be costly, both in fines and in the financial losses that follow reputational damage.
BYOD also makes it more difficult for CISOs and IT to monitor the data that is on mobile devices or in shadow cloud applications that have access to enterprise files. A stolen or lost phone, or a phone compromised by a malicious app, puts the organization at risk of a General Data Protection Regulation (GDPR) violation, depending on the type of data put at risk.
In the age of increasing data privacy awareness and regulations, data compromise via mobile device is more than an inconvenience. The rise of awareness and regulations, on the other hand, may be what brings mobile security the attention it needs. While some organizations will do the minimum necessary to meet compliance, it still means that someone is paying attention to mobile’s role in data privacy.
Have You Taken Steps to Secure Your Mobile Devices?
Still, there is a lot of work to do. Employees need more awareness training that provides guidance on and understanding of mobile risks. CISOs, IT and other security decision-makers need to recognize mobile’s role within the organization, how employees use devices for work and play, and that data compromise is more likely to come from a smartphone than from a desktop computer.
Now that mobile devices have taken over the enterprise, it is time for leadership to approach these devices and their security as they would traditional workplace technology.