Mobile devices have taken over the enterprise. Ninety-five percent of us own a cellphone, and a full 100 percent of people between the ages of 18–29 carry one, according to Pew Research Center. And those mobile devices are making their way into the workplace, whether they are corporate-owned or via a bring-your-own-device (BYOD) policy. In any case, once these devices are in the workplace, they are always nearby, turned on and ready to use.

While smartphones and tablets have become more ubiquitous in the workplace, organizations are flat-out ignoring mobile security risks. In fact, according to studies released during RSA Conference 2019, many enterprises tend to cut corners when it comes to mobile security. By not emphasizing the security of mobile applications, chief information security officers (CISOs) and other security leaders are opening up the organization to all sorts of security threats and data compromise.

The Mobile Disconnect

Discussion of data breaches and other cybersecurity incidents tends to focus on network infrastructure. Whenever a major incident occurs, security experts and the media both focus on the genesis of the incident, such as a phishing email or a third-party vulnerability. According to Verizon’s “Mobile Security Index 2019,” compromise that occurs through mobile devices is rarely included in those discussions. Yet, as the report noted, 33 percent of companies reported having suffered a compromise due to mobile security risks.

Here’s the problem: While the focus is on how an incident happened (e.g., an employee clicking on a malicious link in a phishing email) or what was compromised in the incident (e.g., passwords, medical information, credit card numbers), we ignore where it happened. As more employees rely on their smartphones and tablets for work, both in and out of the office, chances are greater than ever that the phishing email responsible for the compromise was read on a mobile device or the third-party breach was due to malicious mobile applications on a vendor’s phone.

If CISOs and security leadership aren’t putting more emphasis on where the incident was generated, they also aren’t putting more emphasis on addressing those risks. They are disconnected from mobile’s impact.

This means mobile devices and applications aren’t receiving the same level of cybersecurity protections as other parts of corporate infrastructure. The Verizon report found that two-thirds of respondents admitted they were less confident about the protection of their mobile resources compared to the protection of desktop computers and other endpoints.

Mobile Security Risks in the Age of Data Privacy

Mobile applications are the Achilles’ heel of mobile security risks; they are the most likely places for data leakage and malware infection. They collect vast amounts of information that often have nothing to do with the app’s function — for example, why does your phone’s flashlight need to know your location or have access to text messages? Add to that the disconnect from overall security that surrounds mobile devices and you have a recipe for violating any one of an increasing number of data privacy regulations.
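The flashlight question above is exactly the check a reviewer can automate before an app is approved for corporate devices. The script below is an added example, not code from the original article: it parses a constructed AndroidManifest.xml, compares the declared permissions against the set a reviewer expects for the app’s stated category, and flags any excess permissions that Android classifies as dangerous. The sample manifest, the `com.example.flashlight` package name and the per-category allow-list are assumptions made for the example; the permission identifiers themselves are real Android ones.

```python
"""Audit an app's declared Android permissions against what its stated
purpose needs, and flag the excess. Added example; the manifest below
is constructed, not taken from any real app."""
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Constructed manifest for a hypothetical flashlight app. It asks for far
# more than a flashlight needs, mirroring the article's example.
FLASHLIGHT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Permissions Android treats as "dangerous" (runtime-prompted because they
# reach user data or sensors). A subset for this example; the platform
# documentation carries the full list.
DANGEROUS: Set[str] = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Reviewer-maintained allow-list of what each app category legitimately
# needs. The categories and their entries are assumptions for this example.
EXPECTED: Dict[str, Set[str]] = {
    "flashlight": {"android.permission.CAMERA",
                   "android.permission.FLASHLIGHT"},
    "messaging": {"android.permission.INTERNET",
                  "android.permission.READ_CONTACTS",
                  "android.permission.READ_SMS",
                  "android.permission.RECEIVE_SMS"},
}


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Return every android:name from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.attrib[NAME_ATTR]
        for el in root.iter("uses-permission")
        if NAME_ATTR in el.attrib
    }


def audit(manifest_xml: str, category: str) -> dict:
    """Compare declared permissions with the category allow-list.

    Anything declared but not expected is 'excess'; excess permissions that
    are also dangerous trigger a 'review' verdict for the app reviewer.
    """
    declared = declared_permissions(manifest_xml)
    expected = EXPECTED[category]
    excess = declared - expected
    return {
        "declared": sorted(declared),
        "excess": sorted(excess),
        "excess_dangerous": sorted(excess & DANGEROUS),
        "verdict": "review" if excess & DANGEROUS else "ok",
    }


if __name__ == "__main__":
    result = audit(FLASHLIGHT_MANIFEST, "flashlight")
    print(f"verdict: {result['verdict']}")
    for perm in result["excess_dangerous"]:
        print(f"  unexpected dangerous permission: {perm}")
```

Run against the constructed manifest, the audit reports `review` and lists location, SMS and contacts access as unexplained for a flashlight. In a real review pipeline the allow-list would be the thing to maintain carefully: it encodes the organization’s judgement of what each class of app may touch, and an app that fails the check is a candidate for rejection or for a conversation with the vendor, not an automatic block.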

Pradeo’s “Mobile Security Report” even refers to mobile applications as “privacy’s sworn enemy.” According to the report, free mobile apps embed an average of six marketing libraries from which user data is collected and resold. That in itself may put the mobile app in violation of Vermont’s new data privacy law, which allows users to opt out of having their information resold by data brokers.

What if that app is gathering information about your organization’s customers? Now, it isn’t just the mobile app that is violating the law, but the organization that hasn’t taken steps to warn customers of the threat to their personal information. If leadership isn’t paying attention to data privacy risks because they aren’t paying enough attention to mobile security, it could be costly in both fines and the financial losses of hurt reputation.

BYOD also makes it more difficult for CISOs and IT to monitor the data that is on mobile devices or in shadow cloud applications that have access to enterprise files. A stolen or lost phone, or a phone compromised by a malicious app, puts the organization at risk of a General Data Protection Regulation (GDPR) violation, depending on the type of data put at risk.

In the age of increasing data privacy awareness and regulations, data compromise via mobile device is more than an inconvenience. The rise of awareness and regulations, on the other hand, may be what brings mobile security the attention it needs. While some organizations will do the minimum necessary to meet compliance, it still means that someone is paying attention to mobile’s role in data privacy.

Have You Taken Steps to Secure Your Mobile Devices?

Still, there is a lot of work to do. Employees need more awareness training that provides guidance on, and understanding of, mobile risks. CISOs, IT and other security decision-makers need to recognize mobile’s role within the organization, how employees use devices for work and play, and that data compromise is more likely to come from a smartphone than from a desktop computer.

Now that mobile devices have taken over the enterprise, it is time for leadership to approach these devices and their security as they would traditional workplace technology.
