When it comes to mobile services, it’s been well-established that users value speed and convenience. But organizations that give in to the whims of consumers may face a mountain of security risk.

According to Verizon’s “Mobile Security Index 2018,” companies that knowingly choose expediency over security are more than twice as likely to suffer a data breach. Despite this, many organizations still forgo security best practices in favor of business performance.

Speed and Convenience Trump Mobile Security

Enterprise risks from mobile devices and the Internet of Things (IoT) are well documented, and new threats are continuously emerging. McAfee’s “Mobile Threat Report” for Q1 2018 noted that mobile malware operators “set their sights firmly on monetization,” adding ransomware capabilities to traditional banking Trojans to create new mobile threats. Still, the Verizon report found that companies aren’t activating security features built into devices.

For these organizations, it’s all about ease and speed. Companies know that their customers and C-suite members want easy, seamless access to mobile services. So while concerns about employee misuse and the explosion of bring-your-own-device (BYOD) policies in the workplace mount, organizations are failing to take action. Only 1 in 7 companies has taken all four basic security precautions outlined in the Verizon report — changing default passwords, encrypting data transmitted over public networks, restricting access on a need-to-know basis and regularly testing security systems — and only 14 percent of respondents rated their current degree of protection as “very effective.” Additionally, more than half (51 percent) of the 600 companies Verizon surveyed said they lack a public Wi-Fi policy.

In today’s digital enterprise where the traditional perimeter is virtually nonexistent, it’s shocking that so few organizations have taken these steps toward effective protection. Maybe that’s because the majority of organizations (79 percent) are more concerned about security incidents causing disruptions to their business operations than they are about data theft.

Security — even mobile security — is about both business continuity and data integrity. Given the heavy consequences of a breach, why would decision-makers knowingly put their organizations at risk and not implement basic best practices for mobile security?

Mobile Administrative Access Control

Implementing solutions to secure corporate mobile devices, whether company-issued or employee-owned, is a significant problem for most organizations. Computer Weekly noted that organizations that lag behind don’t have appropriate access controls over all devices, which makes it a huge challenge to manage systems.

Nathan Wenzler, chief security strategist at AsTech, agrees. “In trying to protect data [that] may be stored on these devices, organizations are essentially left with using some sort of full disk encryption product to keep the entire hard drive and its contents encrypted and unreadable by an unauthorized user,” he said. To do that, they need to install additional encryption software on every device, which usually requires an additional user login. More software means more cost and more administrative headaches.

The result is that, more often than not, providing a great mobile user experience takes precedence over security. End users only see the impact that security controls have on their experience and the added steps they need to take to access their work systems. “Increased complaints over such security measures often drive management to remove these controls in order to make things easier for end users and keep them working more efficiently,” Wenzler said.

Then there is the issue of access. Many organizations struggle to provide their end users with administrative access to their mobile devices. “On one hand, by doing so, the end user can install new tools whenever they need, which can make them more effective in performing their jobs. On the other hand, they can also install unauthorized software [that] can compromise the system and lead to a data breach,” Wenzler said.

Security Shall Overcome

The good news is that many software companies in the enterprise mobility management (EMM) and mobile device management (MDM) spaces offer a variety of tools to help admins clear mobile security hurdles. Sixty-one percent of respondents to the Verizon survey reported that they expect their budgets to increase in the next year. Even more promising, 78 percent said they leverage third parties for help with mobile security solutions.

When it comes to preventing mobile breaches, organizations need to ensure that employees stay aware of new and emerging threats. It’s not enough to offer a one-time training to employees. Whether the risk starts at the perimeter or with mobile devices, humans are the weakest link in the security chain. In light of this reality, companies need to move beyond just talking about security and create a culture of cybersecurity awareness if they hope to be resilient in the face of mobile threats.
