Mobile security, especially regarding personal electronic devices, is unique because the threats and vulnerabilities are different from those of other endpoints. Whereas computers in their factory settings are often undersecured in terms of operating system configurations, missing patches and the like, modern mobile platforms like iOS and Android are reasonably secure from the get-go.

That’s true even on personal systems. In these cases, it’s not usually an outdated web browser facilitating exploits. The primary concerns in mobile security are the actual users of systems and the environments in which they operate, rather than threat actor infiltration. It’s what your users are doing with business assets via enterprise and personal apps that creates exposures; it’s the physical security risks and who steals a system or comes across it once it’s been lost.

How to Keep Pace With Changing Environments

This risk shift and the corresponding security approach have caused a lot of people to let their guard down in terms of properly securing their mobile environments. There’s a common assumption that all is well because policies are documented and technologies such as mobile device management (MDM), enterprise mobility management (EMM) and unified endpoint management (UEM) are in place. In the spirit of trust but verify, the assumption that business risks are minimized because the mobile security checkbox has been checked is often a mirage. In many organizations, mobile environments are creating indirect, yet tangible risks.

Businesses should move toward substantive mobile security practices. Talk is cheap, and you can’t base your mobile security on guidelines and recommendations alone. Take, for example, the following statements pulled from some mobile and bring-your-own-device (BYOD) security policies:

  • The scope of this policy applies to all forms of information and computer systems, including speech, whether spoken in person, communicated by phone or radio, or stored and processed via mobile phones.
  • All personally owned mobile systems must have:
    • Power-on passwords;
    • Encryption;
    • Passwords that meet or exceed existing domain password requirements;
    • Software updates; and
    • Data backups.
  • It is the responsibility of each employee to ensure that this policy is followed and the responsibility of management to ensure that it’s enforced.

The statements sound official, look great on paper and will undoubtedly contribute to a resilient mobile computing environment. But they’re vague on the details of practices and accountability and are simply not enough. Like many security policies, in the greater scheme of things, they really mean nothing unless they are made known and actively enforced.

Get a Grip on Personal Electronic Devices

There are four areas you must address to get ahead of mobile security challenges:

  1. Acknowledge that mobile computing is not an auxiliary part of your overall security program; it’s just as integral as any other network-connected device security.
  2. Get to know your mobile environment, including what platforms are being used, what percentage of devices are corporate-issued and what percentage are personally owned, along with how they are being used in day-to-day business practices.
  3. Fully understand your current level of mobile risk — not just your overall information security posture but your mobile-specific risks that can be measured, such as vulnerable business workflows, app usage, file sharing and syncing, and so on.
  4. Determine which security technologies and processes can provide you with the necessary visibility and control to either eliminate or minimize the high-priority risks that you have identified.

This approach may sound somewhat elementary, but you’d be surprised how many people ignore one or all of these steps. This is the level of focus required to acknowledge and resolve mobile risks.

Establish an Enterprisewide Security Mindset

Perhaps most importantly, a measured approach to mobile security needs to apply from the top down, starting with executive management. Be sure to include mobile phones and tablets, but don’t forget about the risks associated with laptop computers — especially personally owned systems that are accessing business information and network connections, yet may not be properly protected.

In the end, the mobile component of your overall security program relies on organizational culture as much as anything else. From the board and executive management down to the most junior employees, mobile operations need to be treated as an essential business function.

