Mobile devices have taken over the enterprise. Ninety-five percent of us own a cellphone, and a full 100 percent of people between the ages of 18–29 carry one, according to Pew Research Center. And those mobile devices are making their way into the workplace, whether they are corporate-owned or brought in under a bring-your-own-device (BYOD) policy. In any case, once these devices are in the workplace, they are always nearby, turned on and ready to use.

While smartphones and tablets have become more ubiquitous in the workplace, organizations are flat-out ignoring mobile security risks. In fact, according to studies released during RSA Conference 2019, many enterprises tend to cut corners when it comes to mobile security. By not emphasizing the security of mobile applications, chief information security officers (CISOs) and other security leaders are opening up the organization to all sorts of security threats and data compromise.

The Mobile Disconnect

Discussion of data breaches and other cybersecurity incidents tends to focus on network infrastructure. Whenever a major incident occurs, security experts and the media both focus on the genesis of the incident, such as a phishing email or third-party vulnerability. According to Verizon’s “Mobile Security Index 2019,” compromise that occurs through mobile devices is rarely included in those discussions. Yet, as the report noted, 33 percent of companies reported having suffered a compromise due to mobile security risks.

Here’s the problem: While the focus is on how an incident happened (e.g., an employee clicking on a malicious link in a phishing email) or what was compromised in the incident (e.g., passwords, medical information, credit card numbers), we ignore where it happened. As more employees rely on their smartphones and tablets for work, both in and out of the office, chances are greater than ever that the phishing email responsible for the compromise was read on a mobile device or the third-party breach was due to malicious mobile applications on a vendor’s phone.

If CISOs and security leadership aren’t putting more emphasis on where the incident was generated, they also aren’t putting more emphasis on addressing those risks. They are disconnected from mobile’s impact.

This means mobile devices and applications aren’t receiving the same level of cybersecurity protections as other parts of corporate infrastructure. The Verizon report found that two-thirds of respondents admitted they were less confident about the protection of their mobile resources compared to the protection of desktop computers and other endpoints.

Mobile Security Risks in the Age of Data Privacy

Mobile applications are the Achilles’ heel of mobile security risks; they are the most likely places for data leakage and malware infection. They collect vast amounts of information that often have nothing to do with the app’s function — for example, why does your phone’s flashlight need to know your location or have access to text messages? Add to that the disconnect from overall security that surrounds mobile devices and you have a recipe for violating any one of an increasing number of data privacy regulations.
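The flashlight-with-location problem above is one a security team can check for mechanically before an app is approved for corporate devices: compare the permissions an Android app declares against the set its stated purpose plausibly needs, and flag the excess. The following is an added example, not code from the original article or from any of the reports it cites. It assumes a hypothetical per-category policy (`EXPECTED_BY_CATEGORY`) and runs on a constructed `AndroidManifest.xml` fragment; the permission strings themselves are real Android permission names.

```python
import xml.etree.ElementTree as ET

# Namespace used for the android:name attribute in AndroidManifest.xml
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions that expose user or device data.
# A representative subset, not the full Android list.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# Hypothetical policy: which dangerous permissions an app category is
# allowed to request. A flashlight may need CAMERA to drive the LED on
# older API levels; it has no business reading SMS or location.
EXPECTED_BY_CATEGORY = {
    "flashlight": {"android.permission.CAMERA"},
    "messaging": {"android.permission.READ_SMS",
                  "android.permission.RECEIVE_SMS",
                  "android.permission.READ_CONTACTS"},
    "navigation": {"android.permission.ACCESS_FINE_LOCATION",
                   "android.permission.ACCESS_COARSE_LOCATION"},
}

# Constructed manifest for a flashlight app that over-collects.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return every permission name declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name)
    return names


def excessive_permissions(manifest_xml: str, category: str) -> list[str]:
    """Dangerous permissions the app requests beyond what its category needs.

    Unknown categories get an empty allowance, so every dangerous
    permission is reported (fail closed rather than silently pass).
    """
    declared = declared_permissions(manifest_xml)
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    return sorted((declared & DANGEROUS) - expected)


def review(manifest_xml: str, category: str) -> dict:
    """Summarise the audit so it can be attached to an app-approval ticket."""
    excess = excessive_permissions(manifest_xml, category)
    return {
        "category": category,
        "declared": sorted(declared_permissions(manifest_xml)),
        "excessive": excess,
        "approve": not excess,
    }


if __name__ == "__main__":
    result = review(SAMPLE_MANIFEST, "flashlight")
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed manifest the audit flags `ACCESS_FINE_LOCATION` and `READ_SMS` and withholds approval; `INTERNET` is not reported because it is a normal, not dangerous, permission, which is why the baseline set matters as much as the parser. Extracting the manifest from a real APK (for example with `apktool`) is left outside the block.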

Pradeo’s “Mobile Security Report” even refers to mobile applications as “privacy’s sworn enemy.” According to the report, free mobile apps embed an average of six marketing libraries from which user data is collected and resold. That in itself may put the mobile app in violation of Vermont’s new data privacy law, which allows users to opt out of having their information resold by data brokers.

What if that app is gathering information about your organization’s customers? Now, it isn’t just the mobile app that is violating the law, but the organization that hasn’t taken steps to warn customers of the threat to their personal information. If leadership isn’t paying attention to data privacy risks because they aren’t paying enough attention to mobile security, it could be costly, both in fines and in the financial losses that follow reputational damage.

BYOD also makes it more difficult for CISOs and IT to monitor the data that is on mobile devices or in shadow cloud applications that have access to enterprise files. A stolen or lost phone, or a phone compromised by a malicious app, puts the organization at risk of a General Data Protection Regulation (GDPR) violation, depending on the type of data put at risk.

In the age of increasing data privacy awareness and regulations, data compromise via mobile device is more than an inconvenience. The rise of awareness and regulations, on the other hand, may be what brings mobile security the attention it needs. While some organizations will do the minimum necessary to meet compliance, it still means that someone is paying attention to mobile’s role in data privacy.

Have You Taken Steps to Secure Your Mobile Devices?

Still, there is a lot of work to do. Employees need more awareness training that provides guidance and understanding of mobile risks. CISOs, IT and other security decision-makers need to recognize mobile’s role within the organization, how employees use devices for work and play, and that data compromise is more likely to come from a smartphone than from a desktop computer.

Now that mobile devices have taken over the enterprise, it is time for leadership to approach these devices and their security as they would traditional workplace technology.
