Mobile security, especially regarding personal electronic devices, is unique because the threats and vulnerabilities are different from those of other endpoints. Whereas computers in their factory settings are often undersecured in terms of operating system configurations, missing patches and the like, modern mobile platforms like iOS and Android are reasonably secure from the get-go.

That’s true even on personal systems. In these cases, it’s not usually an outdated web browser facilitating exploits. The primary concerns in mobile security are the actual users of systems and the environments in which they operate, rather than threat actor infiltration. It’s what your users are doing with business assets via enterprise and personal apps that creates exposures; it’s the physical security risks and who steals a system or comes across it once it’s been lost.

How to Keep Pace With Changing Environments

This risk shift and the corresponding security approach have caused many people to let their guard down when it comes to properly securing their mobile environments. There’s a common assumption that all is well because policies are documented and technologies such as mobile device management (MDM), enterprise mobility management (EMM) and unified endpoint management (UEM) are in place. In the spirit of trust but verify, the assumption that business risks are minimized because the mobile security checkbox has been checked is often a mirage. In many organizations, mobile environments are creating indirect, yet tangible risks.

Businesses should move toward substantive mobile security practices. Talk is cheap, and you can’t base your mobile security on guidelines and recommendations alone. Take, for example, the following statements pulled from some mobile and bring-your-own-device (BYOD) security policies:

  • The scope of this policy applies to all forms of information and computer systems, including speech, whether spoken in person, communicated by phone or radio, or stored and processed via mobile phones.
  • All personally owned mobile systems must have:
    • Power-on passwords;
    • Encryption;
    • Passwords that meet or exceed existing domain password requirements;
    • Software updates; and
    • Data backups.
  • It is the responsibility of each employee to ensure that this policy is followed and the responsibility of management to ensure that it’s enforced.

The statements sound official, look great on paper and will undoubtedly contribute to a resilient mobile computing environment. But they’re vague on the details of practices and accountability and are simply not enough. Like many security policies, in the greater scheme of things, they really mean nothing unless they are made known and actively enforced.
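One way to turn policy statements like the ones above into something that is actually verified is to run them against what the device management console reports. The script below is an added example, not code from the original article or from any MDM product: it reads a constructed inventory export (the column names, the sample rows and the policy thresholds are assumptions chosen for illustration) and lists every device that fails one of the stated controls, so the checkbox is checked against data rather than assumed.

```python
"""Policy-versus-reality check for a mobile device inventory.

Added example (not from the original article). The BYOD policy excerpts
require a power-on passcode, encryption, passwords meeting the domain
requirement, current software and backups. This script evaluates a
constructed inventory export against that baseline and reports the
devices that fail. Field names and sample values are hypothetical.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export; the columns are hypothetical, not any vendor's format.
SAMPLE_EXPORT = """\
device_id,owner,platform,os_version,passcode_set,passcode_min_len,encrypted,last_backup
d-001,alice,iOS,17.4,true,6,true,2024-05-01
d-002,bob,Android,13,true,4,true,2024-04-20
d-003,carol,Android,11,false,0,false,2023-12-30
d-004,dave,iOS,17.5,true,8,true,
"""

# Assumed baseline derived from the policy statements (thresholds are illustrative).
POLICY = {
    "min_passcode_len": 6,               # "meet or exceed domain password requirements"
    "min_os": {"iOS": (17, 4), "Android": (13,)},  # "software updates"
    "max_backup_age_days": 30,           # "data backups"
}

# Fixed reference date so the sample audit is reproducible.
AS_OF = date(2024, 5, 10)


def parse_version(text):
    """Turn '17.4' into (17, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def evaluate_device(row, policy, today):
    """Return the list of controls this device fails; an empty list means compliant."""
    failures = []
    if row["passcode_set"].lower() != "true":
        failures.append("no power-on passcode")
    elif int(row["passcode_min_len"]) < policy["min_passcode_len"]:
        failures.append("passcode shorter than domain requirement")
    if row["encrypted"].lower() != "true":
        failures.append("storage not encrypted")
    # Unknown platforms are flagged rather than silently passed.
    min_os = policy["min_os"].get(row["platform"])
    if min_os is None or parse_version(row["os_version"]) < min_os:
        failures.append("software not current")
    if not row["last_backup"]:
        failures.append("no backup recorded")
    else:
        age = today - date.fromisoformat(row["last_backup"])
        if age > timedelta(days=policy["max_backup_age_days"]):
            failures.append("backup older than %d days" % policy["max_backup_age_days"])
    return failures


def audit(export_text, policy, today):
    """Map device_id -> list of failed controls for every non-compliant device."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        failures = evaluate_device(row, policy, today)
        if failures:
            findings[row["device_id"]] = failures
    return findings


def run_sample():
    """Audit the constructed export against the assumed policy as of AS_OF."""
    return audit(SAMPLE_EXPORT, POLICY, AS_OF)


if __name__ == "__main__":
    for device_id, problems in run_sample().items():
        print(device_id, "->", "; ".join(problems))
```

The point of the exercise is the gap it exposes: a device that has been enrolled and shows as "managed" in the console can still fail three or four of the controls the policy claims are mandatory. Running a check like this on a schedule, and routing the findings to whoever owns enforcement, is what separates a documented policy from an enforced one.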

Get a Grip on Personal Electronic Devices

There are four areas you must address to get ahead of mobile security challenges:

  1. Acknowledge that mobile computing is not an auxiliary part of your overall security program; it’s just as integral as any other network-connected device security.
  2. Get to know your mobile environment, including what platforms are being used, what percentage of devices are corporate-issued and what percentage are personally owned, along with how they are being used in day-to-day business practices.
  3. Fully understand your current level of mobile risk — not just your overall information security posture but your mobile-specific risks that can be measured, such as vulnerable business workflows, app usage, file sharing and syncing, and so on.
  4. Determine which security technologies and processes can provide you with the necessary visibility and control to either eliminate or minimize the high-priority risks that you have identified.

This approach may sound somewhat elementary, but you’d be surprised how many people skip one or more of these steps. This is the level of focus required to acknowledge and resolve mobile risks.

Establish an Enterprisewide Security Mindset

Perhaps most importantly, a measured approach to mobile security needs to apply from the top down, starting with executive management. Be sure to include mobile phones and tablets, but don’t forget about the risks associated with laptop computers — especially personally owned systems that are accessing business information and network connections, yet may not be properly protected.

In the end, the mobile component of your overall security program relies on organizational culture as much as anything else. From the board and executive management down to the most junior employees, mobile operations need to be treated as an essential business function.
