April 23, 2019 By Sue Poremba 3 min read

Mobile devices have taken over the enterprise. Ninety-five percent of us own a cellphone, and a full 100 percent of people between the ages of 18 and 29 carry one, according to Pew Research Center. And those mobile devices are making their way into the workplace, whether they are corporate-owned or brought in under a bring-your-own-device (BYOD) policy. In any case, once these devices are in the workplace, they are always nearby, turned on and ready to use.

While smartphones and tablets have become more ubiquitous in the workplace, organizations are flat-out ignoring mobile security risks. In fact, according to studies released during RSA Conference 2019, many enterprises tend to cut corners when it comes to mobile security. By not emphasizing the security of mobile applications, chief information security officers (CISOs) and other security leaders are opening up the organization to all sorts of security threats and data compromise.

The Mobile Disconnect

Data breaches and other cybersecurity incidents tend to focus on network infrastructure. Whenever a major incident occurs, security experts and the media both focus on the genesis of the incident, such as a phishing email or third-party vulnerability. According to Verizon’s “Mobile Security Index 2019,” compromise that occurs due to mobile devices is rarely included in those discussions. Yet, as the report noted, 33 percent of companies reported having suffered a compromise due to mobile security risks.

Here’s the problem: While the focus is on how an incident happened (e.g., an employee clicking on a malicious link in a phishing email) or what was compromised in the incident (e.g., passwords, medical information, credit card numbers), we ignore where it happened. As more employees rely on their smartphones and tablets for work, both in and out of the office, chances are greater than ever that the phishing email responsible for the compromise was read on a mobile device or the third-party breach was due to malicious mobile applications on a vendor’s phone.

If CISOs and security leadership aren’t putting more emphasis on where the incident was generated, they also aren’t putting more emphasis on addressing those risks. They are disconnected from mobile’s impact.

This means mobile devices and applications aren’t receiving the same level of cybersecurity protections as other parts of corporate infrastructure. The Verizon report found that two-thirds of respondents admitted they were less confident about the protection of their mobile resources compared to the protection of desktop computers and other endpoints.

Mobile Security Risks in the Age of Data Privacy

Mobile applications are the Achilles’ heel of mobile security risks; they are the most likely places for data leakage and malware infection. They collect vast amounts of information that often have nothing to do with the app’s function — for example, why does your phone’s flashlight need to know your location or have access to text messages? Add to that the disconnect from overall security that surrounds mobile devices and you have a recipe for violating any one of an increasing number of data privacy regulations.

Pradeo’s “Mobile Security Report” even refers to mobile applications as “privacy’s sworn enemy.” According to the report, free mobile apps embed an average of six marketing libraries from which user data is collected and resold. That in itself may put the mobile app in violation of Vermont’s new data privacy law, which allows users to opt out of having their information resold by data brokers.

What if that app is gathering information about your organization’s customers? Now, it isn’t just the mobile app that is violating the law, but the organization that hasn’t taken steps to warn customers of the threat to their personal information. If leadership isn’t paying attention to data privacy risks because they aren’t paying enough attention to mobile security, it could be costly in both fines and the financial losses that come from a damaged reputation.

BYOD also makes it more difficult for CISOs and IT to monitor the data that is on mobile devices or in shadow cloud applications that have access to enterprise files. A stolen or lost phone, or a phone compromised by a malicious app, puts the organization at risk of a General Data Protection Regulation (GDPR) violation, depending on the type of data put at risk.

In the age of increasing data privacy awareness and regulations, data compromise via mobile device is more than an inconvenience. The rise of awareness and regulations, on the other hand, may be what brings mobile security the attention it needs. While some organizations will do the minimum necessary to meet compliance, it still means that someone is paying attention to mobile’s role in data privacy.

Have You Taken Steps to Secure Your Mobile Devices?

Still, there is a lot of work to do. Employees need more awareness training that provides guidance and understanding of mobile risks. CISOs, IT and other security decision-makers need to recognize mobile’s role within the organization, how employees use devices for work and play, and that data compromise is more likely to come from a smartphone than it is to come from a desktop computer.

Now that mobile devices have taken over the enterprise, it is time for leadership to approach these devices and their security as they would traditional workplace technology.
