September 5, 2018 By Kevin Beaver 3 min read

Mobile security, especially regarding personal electronic devices, is unique because the threats and vulnerabilities are different from those of other endpoints. Whereas computers in their factory settings are often undersecured in terms of operating system configurations, missing patches and the like, modern mobile platforms like iOS and Android are reasonably secure from the get-go.

That’s true even of personally owned systems. On mobile devices, it’s not usually an outdated web browser that facilitates exploits. The primary concerns in mobile security are the users themselves and the environments in which they operate, rather than infiltration by threat actors. Exposures come from what your users do with business assets via enterprise and personal apps, and from physical security: who steals a device, or who comes across it once it’s been lost.

How to Keep Pace With Changing Environments

This risk shift and the corresponding security approach have caused a lot of people to let their guard down when it comes to properly securing their mobile environments. There’s a common assumption that all is well because policies are documented and technologies such as mobile device management (MDM), enterprise mobility management (EMM) and unified endpoint management (UEM) are in place. In the spirit of trust but verify, the assumption that business risks are minimized because the mobile security checkbox has been checked is often a mirage. In many organizations, mobile environments are creating indirect yet tangible risks.

Businesses should move toward substantive mobile security practices. Talk is cheap, and you can’t base your mobile security on guidelines and recommendations alone. Take, for example, the following statements pulled from some mobile and bring-your-own-device (BYOD) security policies:

  • The scope of this policy applies to all forms of information and computer systems, including speech, whether spoken in person, communicated by phone or radio, or stored and processed via mobile phones.
  • All personally owned mobile systems must have:
    • Power-on passwords;
    • Encryption;
    • Passwords that meet or exceed existing domain password requirements;
    • Software updates; and
    • Data backups.
  • It is the responsibility of each employee to ensure that this policy is followed and the responsibility of management to ensure that it’s enforced.

The statements sound official, look great on paper and will undoubtedly contribute to a resilient mobile computing environment. But they’re vague on the details of practices and accountability and are simply not enough. Like many security policies, in the greater scheme of things, they really mean nothing unless they are made known and actively enforced.

Get a Grip on Personal Electronic Devices

There are four areas you must address to get ahead of mobile security challenges:

  1. Acknowledge that mobile computing is not an auxiliary part of your overall security program; it’s just as integral as any other network-connected device security.
  2. Get to know your mobile environment, including what platforms are being used, what percentage of devices are corporate-issued and what percentage are personally owned, along with how they are being used in day-to-day business practices.
  3. Fully understand your current level of mobile risk — not just your overall information security posture but your mobile-specific risks that can be measured, such as vulnerable business workflows, app usage, file sharing and syncing, and so on.
  4. Determine which security technologies and processes can provide you with the necessary visibility and control to either eliminate or minimize the high-priority risks that you have identified.

This approach may sound somewhat elementary, but you’d be surprised how many people ignore one or all of these steps. This is the level of focus required to acknowledge and resolve mobile risks.

Establish an Enterprisewide Security Mindset

Perhaps most importantly, a measured approach to mobile security needs to apply from the top down, starting with executive management. Be sure to include mobile phones and tablets, but don’t forget about the risks associated with laptop computers — especially personally owned systems that are accessing business information and network connections, yet may not be properly protected.

In the end, the mobile component of your overall security program relies on organizational culture as much as anything else. From the board and executive management down to the most junior employees, mobile operations need to be treated as an essential business function.
