Clearing the Hurdles: Why Companies Have Not Implemented Basic Best Practices for Mobile Security

When it comes to mobile services, it’s been well-established that users value speed and convenience. But organizations that give in to the whims of consumers may face a mountain of security risk.

According to Verizon’s “Mobile Security Index 2018,” companies that knowingly choose expediency over security are more than twice as likely to suffer a data breach. Despite this, many organizations still forgo security best practices in favor of business performance.

Speed and Convenience Trump Mobile Security

Enterprise risks from mobile devices and the Internet of Things (IoT) are well documented, and new threats are continuously emerging. McAfee’s “Mobile Threat Report” for Q1 2018 noted that mobile malware operators “set their sights firmly on monetization,” adding ransomware capabilities to traditional banking Trojans to create new mobile threats. Still, the Verizon report found that companies aren’t activating security features built into devices.

For these organizations, it’s all about ease and speed. Companies know that their customers and C-suite members want easy, seamless access to mobile services. So while concerns about employee misuse and the explosion of bring-your-own-device (BYOD) policies in the workplace mount, organizations are failing to take action. Only 1 in 7 companies has taken all four basic security precautions outlined in the Verizon report — changing default passwords, encrypting data transmitted over public networks, restricting access on a need-to-know basis and regularly testing security systems — and only 14 percent of respondents rated their current degree of protection as “very effective.” Additionally, more than half (51 percent) of the 600 companies Verizon surveyed said they lack a public Wi-Fi policy.

In today’s digital enterprise where the traditional perimeter is virtually nonexistent, it’s shocking that so few organizations have taken these steps toward effective protection. Maybe that’s because the majority of organizations (79 percent) are more concerned about security incidents causing disruptions to their business operations than they are about data theft.

Security — even mobile security — is about both business continuity and data integrity. Given the heavy consequences of a breach, why would decision-makers knowingly put their organizations at risk and not implement basic best practices for mobile security?

Mobile Administrative Access Control

Implementing solutions to secure corporate mobile devices, whether company-issued or employee-owned, is a significant problem for most organizations. Computer Weekly noted that organizations that lag behind don’t have appropriate access controls over all devices, which makes it a huge challenge to manage systems.

Nathan Wenzler, chief security strategist at AsTech, agrees. “In trying to protect data [that] may be stored on these devices, organizations are essentially left with using some sort of full disk encryption product to keep the entire hard drive and its contents encrypted and unreadable by an unauthorized user,” he said. To do that, they need to install additional encryption software on every device, which usually requires an additional user login. More software means more cost and more administrative headaches.

The result is that, more often than not, providing a great mobile user experience takes precedence over security. End users only see the impact that security controls have on their experience and the added steps they need to take to access their work systems. “Increased complaints over such security measures often drive management to remove these controls in order to make things easier for end users and keep them working more efficiently,” Wenzler said.

Then there is the issue of access. Many organizations struggle to provide their end users with administrative access to their mobile devices. “On one hand, by doing so, the end user can install new tools whenever they need, which can make them more effective in performing their jobs. On the other hand, they can also install unauthorized software [that] can compromise the system and lead to a data breach,” Wenzler said.

Security Shall Overcome

The good news is that many software companies in the enterprise mobility management (EMM) and mobile device management (MDM) spaces offer a variety of tools to help admins clear mobile security hurdles. Sixty-one percent of respondents to the Verizon survey reported that they expect their budgets to increase in the next year. Even more promising, 78 percent said they leverage third parties for help with mobile security solutions.

When it comes to preventing mobile breaches, organizations need to ensure that employees stay aware of new and emerging threats. It’s not enough to offer a one-time training to employees. Whether the risk starts at the perimeter or with mobile devices, humans are the weakest link in the security chain. In light of this reality, companies need to move beyond just talking about security and create a culture of cybersecurity awareness if they hope to be resilient in the face of mobile threats.

Zurkus is an influential writer covering a range of security topics with a focus on mitigating risks to businesses. Her work has been published in a variety of industry publications, most notably in CSO Online, where she also penned her own blog, Security Newb. She currently writes about cybersecurity for Medium and has contributed to CyberDB, Cybersecurity Ventures, K12 Tech Decisions, CIO Magazine, and The Parallax. In addition, she is a ghost writer and author of a memoir.