It’s not outrageous to suggest that you might be reading this on a mobile device. Nor is it outrageous to think that most people use a mobile device for the majority of their reading these days. I’m even writing this on a mobile device. So for those not following along, at this point, mobile security is really just security. There really isn’t any difference anymore.

What Makes Mobile Security Different?

The unique challenge with mobile devices is that we haven’t accepted them as what they are: powerful pocket computers that are always transferring and storing data. Today’s pocket devices absolutely steamroll a 1999 workstation and transfer and store data like it’s a commodity. They’re ubiquitous too.

That’s what makes mobile device management so difficult today: The devices are powerful, they store and transfer extremely valuable data, and there are just so darn many of them. Not too long ago, it was one desktop for a household of four. Now, it’s four devices per person — and that may even be an understatement for some.

You No Longer Own Your Pipeline

Remember when you owned the infrastructure you used? There was a different mindset then. You invested in it, you owned it and you maintained it. Nowadays, it’s all about services, meaning a lot of what happens is actually happening outside of your own ecosystem. You not only have to worry about your own network, you also have to worry about that random Wi-Fi network you’re plugging into.

So how did we get here? Simple: We sought freedom and convenience. Security was not really on our minds. You can really only have two of the three, and with security concerns on the rise, we need to reweigh and reallocate our priorities.

To best manage mobile security within your enterprise, you also need to maintain another balance: technology, enterprise and user responsibilities. With more mobile devices on the way due to 5G deployment, winning this device management game means establishing the right foundations before you start divvying up responsibilities.

Treat the Problem From a Risk Management Perspective

According to Verizon’s “Mobile Security Index 2019,” 33 percent of respondents admitted suffering at least one compromise due to a mobile device, with the majority saying the impact was major. Furthermore, 67 percent said they’re less confident about their mobile security than other IT assets. Clearly, there is marketplace worry and a lack of confidence.

At the center of any security issue is the concept of risk, so if you are not treating this problem from a risk management perspective, you’re missing the boat. This piece won’t go into the how-to of risk management; there is plenty of information on that. This piece outlines what you need to know to properly divvy up responsibilities between the three groups mentioned above. Just keep these risk choices in mind as we run through the considerations:

  • Risk acceptance
  • Risk transfer
  • Risk avoidance
  • Risk mitigation
  • Risk deferral
  • Risk exploitation

Define Your Business Processes and Needs

Assume for a moment that you have done all your standard risk management work. Does it mean anything without proper definitions of your business processes and needs? Not really. You see, if you define your business processes and needs, you can map out how certain vulnerabilities will impact your business. More importantly, you can decide which risk choice you wish to make.

For example, does a particular business process absolutely require a certain application that has known security flaws and must be installed on all devices? Well, if it does, you may find yourself in a case where you have to choose risk acceptance.

This initial mapping is incredibly important, because if you muck it up, you’re just building on poor foundations where the result is increased fragility. It won’t matter what you do later if you’re starting on shaky ground.

Configure and Set the Right Permissions

By now, you should be at the point where you know what you want and you know what risk choices you’re going to make. This is where the nitty-gritty comes in — the stage where you make the technical changes that align all your business processes and needs against your risk choices.

Need certain ports open? Fine, make sure those are open and close all the others. Don’t need an application? Create a rule that bans installation of it on any device. Have concerns about certain hardware products? Put them on a ban list, preventing them from entering the procurement process.

At this phase, you should also be asking the following questions:

You’ll note that so far, this sure looks like a lot of enterprise work. Well, it is. The enterprise really needs to ensure the foundations are set up correctly if it wants to get mobile security and device management right.

Shared Responsibility

Now comes the tough stuff: figuring out who is responsible and accountable for what. A metaphor could be useful here. Imagine a well-built, three-room house. The builders got everything right in the construction stages. Certifications, licenses, the best materials — you name it. Now imagine this house has three occupants, one for each room. They all live harmoniously together, can enter each other’s rooms pretty freely, with some expectation of privacy of course.

Sounds good so far, right? Well, there is one requirement: Each occupant is responsible for maintaining their room, because if one room is not well-maintained, it can ruin it for the others. They’re all connected, and what impacts one impacts the others.

Welcome to the world of mobile security and device management. That’s exactly the scenario you’re dealing with, and it’s only going to get more difficult to manage as we see more and more devices and data. The bottom line is that all three aspects — technology, the enterprise and the user — must be responsible for their own piece of the mobile security pie.

Mobile Security Isn’t Easy

There are plenty of resources out there to help identify mobile security problems. The Open Web Application Security Project (OWASP) Mobile Top 10 is a great place to start for technical issues. Unfortunately, I think we’re still a ways away from a UL-type certification for mobile and internet of things (IoT) devices. The marketplace isn’t ready for that slowdown.

The key to deciding who is responsible for what in the mobile security arena really begins with getting your risk management assessment and mapping right. These assessments and, specifically, the risk choices are not easy, but remember the old rule: Anything worth doing isn’t easy. Protecting your critical data is always worth doing.
