What's the C-Suite Doing About Mobile Security?While most companies have security infrastructure for on-premises servers, networks, and endpoints, too many are ignoring mobile security. They'd better get moving.
For too long, too many companies have viewed security as an IT problem. Breaches are considered just another cost of doing business rather than a risk that requires proactive focus by the C-suite.
But breaches are a risk to take seriously for C-suites and their companies. Don't believe me? Think about the recent Equifax breach, after which the CIO, CISO, and CEO all lost their jobs. If the C-suite wasn't paying attention before, it surely is now. And it should pay even more attention in the months and years ahead, as new ways of doing business open up new data breach vulnerabilities.
Mobile, in particular, is a broad threat vector with a huge number of permutations that are beyond the corporate perimeter. Android is now the world's most popular end-user operating system, having overtaken Windows last year, according to a report by Web analytics firm StatCounter. Employees are increasingly doing their work on mobile devices, regardless of company policy — according to analyst firm Gartner, today's employees use an average of three different devices in their daily routine.
Still, many C-suite executives have no idea how to deal with the problem of mobile threats, although they do at least acknowledge it: almost half of CIOs and IT executives identified mobile devices as the weakest link in their company's defense in a Tech Pro Research survey.
What most organizations have, still, is an elaborate security infrastructure for protecting on-premises servers, networks, and endpoints. Mobile, not so much. But they'd better get moving, because their employees are working on mobile devices everywhere, and, according to comScore, those devices are using apps 87% of the time, along with interacting with Wi-Fi networks and cloud services that are beyond organizational reach.
So, what should the C-suite do to protect against mobile threats? Here's are some ideas.
Accept the fact that mobile is here to stay. First, acknowledge that mobile is here and it brings risk. Start with a review of which risks can be blocked and which must be accepted and addressed as best as possible. Eliminating all the risk from mobile isn't realistic. Your employees will continue to use mobile devices because they're a huge part of how we communicate today. So, sort out where you stand, then formulate a mobile security plan.
Draw up a mobile security policy. Next, create a policy for managing mobile use. You can accept mobile and still put some parameters around it, such as getting visibility into what your employees are putting on their devices, so that you can mitigate risk. Then establish rules for acceptable mobile usage and practices. For instance, if employees are sideloading games from foreign app stores that could be full of malware, that should be forbidden on devices that are also accessing enterprise assets. It's likely that some people in your organization have privileged access to data and thus have a higher risk profile by virtue of that access, so they may need more rigorous rules applied. Can they send mobile data abroad? Creating a mobile-focused security policy and enforcing it is critical.
Don't reinvent the wheel. Almost every organization has pretty comprehensive security policies in place. So, think about how you can leverage what already exists. Some organizations are overwhelmed by the thought of managing mobile risk and end up doing nothing at all. That's not good. You don't have to think about mobile as a totally different animal that requires a completely new approach to security. Take what you have and extend it to mobile. The basics of security still apply. You still want to have good visibility and monitoring. You still want to follow the effective incident-response procedures that you've established within your organization.
Make employees a part of the solution. Mobile devices are now our constant companions. They go with us everywhere. That's why it is critical to make employees a part of any mobile security solution. Yes, employees are leery of having their mobile behavior monitored by their employers. But people are even more concerned about their own privacy and want to limit access to their personal data in a breach. The TRUSTe/National Cyber Security Alliance (NCSA) Consumer Privacy Index revealed that more Americans are concerned about data privacy than losing their main source of income. Let employees know that mobile security solutions designed for the enterprise have the added benefit of enabling employees to know if their personal apps are stealing their data or compromising their private information. If a game on a phone is exhibiting malicious behavior, anyone would want to know about it and take action. Companies should develop policies for employees who use the same device for both work and "life." And they should establish processes that will maintain the security and safety of the device, data, and the corporate infrastructure.
Measure better to manage better. You can't know whether or not your mobile security is successful until it's precisely tracked. After you've defined risks with your mobile security policy, you'll want to monitor those risks to see how well you're keeping the organization and your employees safe. And make sure you're measuring in a systematic way. There are several such monitoring tools on the market. (Full disclosure: Appthority offers one of these.) One benefit of systematic measurement is that it gives you data with which you can demonstrate to the organization that you're defending against and monitoring the right things, and that you're operating with a mobile risk posture that's aligned to your organization's overall security goals.
In today's business world, C-level executives are held accountable for the security of their organization. So, realize that while effective use of mobile can transform productivity, it also opens up serious risk — risk that needs to be proactively addressed.
Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.
Anne Bonaparte is an entrepreneur and cybersecurity industry veteran known for scaling emerging enterprise SaaS companies through high-growth stages to become businesses that endure. Before becoming CEO of Appthority, Anne served as CEO of BrightPoint Security, Xora, ... View Full Bio