When it comes to mobile services, it’s been well-established that users value speed and convenience. But organizations that give in to the whims of consumers may face a mountain of security risk.

According to Verizon’s “Mobile Security Index 2018,” companies that knowingly choose expediency over security are more than twice as likely to suffer a data breach. Despite this, many organizations still forgo security best practices in favor of business performance.

Speed and Convenience Trump Mobile Security

Enterprise risks from mobile devices and the Internet of Things (IoT) are well documented, and new threats are continuously emerging. McAfee’s “Mobile Threat Report” for Q1 2018 noted that mobile malware operators “set their sights firmly on monetization,” adding ransomware capabilities to traditional banking Trojans to create new mobile threats. Still, the Verizon report found that companies aren’t activating security features built into devices.

For these organizations, it’s all about ease and speed. Companies know that their customers and C-suite members want easy, seamless access to mobile services. So while concerns about employee misuse and the explosion of bring-your-own-device (BYOD) policies in the workplace mount, organizations are failing to take action. Only 1 in 7 companies has taken all four basic security precautions outlined in the Verizon report — changing default passwords, encrypting data transmitted over public networks, restricting access on a need-to-know basis and regularly testing security systems — and only 14 percent of respondents rated their current degree of protection as “very effective.” Additionally, more than half (51 percent) of the 600 companies Verizon surveyed said they lack a public Wi-Fi policy.

In today’s digital enterprise where the traditional perimeter is virtually nonexistent, it’s shocking that so few organizations have taken these steps toward effective protection. Maybe that’s because the majority of organizations (79 percent) are more concerned about security incidents causing disruptions to their business operations than they are about data theft.

Security — even mobile security — is about both business continuity and data integrity. Given the heavy consequences of a breach, why would decision-makers knowingly put their organizations at risk and not implement basic best practices for mobile security?

Mobile Administrative Access Control

Implementing solutions to secure corporate mobile devices, whether company-issued or employee-owned, is a significant problem for most organizations. Computer Weekly noted that organizations that lag behind don’t have appropriate access controls over all devices, which makes it a huge challenge to manage systems.

Nathan Wenzler, chief security strategist at AsTech, agrees. “In trying to protect data [that] may be stored on these devices, organizations are essentially left with using some sort of full disk encryption product to keep the entire hard drive and its contents encrypted and unreadable by an unauthorized user,” he said. To do that, they need to install additional encryption software on every device, which usually requires an additional user login. More software means more cost and more administrative headaches.

The result is that, more often than not, providing a great mobile user experience takes precedence over security. End users only see the impact that security controls have on their experience and the added steps they need to take to access their work systems. “Increased complaints over such security measures often drive management to remove these controls in order to make things easier for end users and keep them working more efficiently,” Wenzler said.

Then there is the issue of access. Many organizations struggle to provide their end users with administrative access to their mobile devices. “On one hand, by doing so, the end user can install new tools whenever they need, which can make them more effective in performing their jobs. On the other hand, they can also install unauthorized software [that] can compromise the system and lead to a data breach,” Wenzler said.

Security Shall Overcome

The good news is that many software companies in the enterprise mobility management (EMM) and mobile device management (MDM) spaces offer a variety of tools to help admins clear mobile security hurdles. Sixty-one percent of respondents to the Verizon survey reported that they expect their budgets to increase in the next year. Even more promising, 78 percent said they leverage third parties for help with mobile security solutions.

When it comes to preventing mobile breaches, organizations need to ensure that employees stay aware of new and emerging threats. It’s not enough to offer a one-time training to employees. Whether the risk starts at the perimeter or with mobile devices, humans are the weakest link in the security chain. In light of this reality, companies need to move beyond just talking about security and create a culture of cybersecurity awareness if they hope to be resilient in the face of mobile threats.
