Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security

6/11/2018
09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

ISF: Balance Is Key to Mobile Security

As the workforce becomes more mobile, companies can't lock everything down but also can't risk leaving their mobile environments wide open, Information Security Forum finds.

Mobile devices have become essential in the modern work environment and represent a significant security headache for IT departments that are trying to make them safer while still allowing employees to use them to do their jobs.

It's a concern that has plagued most businesses since the rise of BYOD (bring-your-own-device) a decade ago.

Somewhere along the security spectrum of locking down all devices and taking a hands-off approach is the sweet spot that allows for an increasingly mobile workforce while protecting the company's network and data. Finding that balance is the challenge, according to the Information Security Forum (ISF). (See Smartphones Remain the Most Vulnerable of Endpoints.)

In a report, Securing Mobile Apps: Embracing Mobile, Balancing Control, ISF outlines the challenges that come with employees downloading and using mobile apps and steps businesses can take to find a manageable middle ground. It's something that needs to be done, according to Steve Durbin, managing director of ISF, because there's no turning the clock back.

Mobile devices -- not only smartphones, but also tablets and other Internet of Things (IoT) systems -- now create half of website traffic and users spend twice as much time on them as desktop and laptop PCs, the firm noted.

In addition, as mobile devices become more ingrained in the workforce, more business is being done on them and more data stored in them. All this makes them attractive targets for cybercriminals. Check Point Software in a study last year analyzed 850 organizations around the world that in 2017 had at least 500 mobile devices and found that every one of them sustained a mobile attack, with the average number of attacks tagged at 54. In its study, the company also found that two-thirds of security professionals doubted that their companies could prevent their employee devices from being breached, and 94% report that they expect the frequency of attacks to increase.

ISF found that businesses were vulnerable in a number of ways.

Apps are key
Fifty percent of organizations have no budget for mobile security, and half of employees who choose to use their personal devices for business purposes -- the crux of BYOD -- do so without their employer knowing. Sixty percent of IT and security professionals expect their companies to be breached through an insecure app.

Apps are key to mobile security, Durbin said.

Mobile devices are always on and always connected, yet lack the security protection that is put on IT systems. Given that, app security is a crucial part to ensuring the mobile device remains secure and thus the corporate network is protected. Mobile app security firm NowSecure found in its 2016 security report that 25% of all mobile apps have at least one high-risk security flaw and that 35% of communications sent via mobile devices are unencrypted.

In addition, the average mobile device connects to 160 unique servers every day. (See Endpoint Security: A Never-Ending Battle to Keep Up.)

All that creates a conundrum for IT security professionals, according to ISF. The business world has gone mobile and that will only increase. At the same time, the mobile devices and apps that are downloaded by users are increasing the security threat to corporations and their networks. They are always on, always connected and are easily lost or stolen, and employees can download apps without the knowledge or consent of their employers.

"It is very much a company-culture issue and, perhaps more importantly, a user-culture issue," Durbin told Security Now in an email. "Mobile is user-driven and requires companies to adapt to the way in which their people are using technology. Users want to collaborate, to multi-task, to have easy access to information and systems, which is one of the reasons why mobile has become so popular as the access device of choice. Many companies are having to play catch-up with that cultural shift and for some that is a very real challenge."

Finding a balance
Somewhere in the middle is the necessary balance of mobility and security.

ISF's report points to several steps that companies can take to increase mobile security, including reducing the number of unauthorized apps that are downloaded, managing updates, developing secure apps and managing risk from insecure mobile devices. The organization also lists important lessons, the first being that managing apps and the risk they bring means knowing everything about the apps -- what they do, what data they're processing and who is running them.

ISF also recommends pragmatism, deciding whether an app is used based on risk, user satisfaction and its ability to meet business needs. In addition, security support for mobile apps should be similar to that of other types of business applications.

Where companies are in securing mobile as is a "mixed state," according to Durbin.

"Some companies have the situation well under control and have done for some while now with well established guidelines for the use of mobile devices and processes for download and use of mobile apps," Durbin said. "Others are not in that position and given the nature of mobile -- which by definition is user-driven, on the move with constant use, upload, download and sharing of information -- the need for continuous monitoring of the mobile use policy along with education of the user base should be a mainstream feature of business as usual for the majority of organizations."

They need to find that balance, he said. They can't turn back the clock to a less mobile time, and "companies that cannot adapt will be left behind and undoubtedly lose competitive advantage, whether that be in attraction and retention of staff or of customers. We are now in a mobile access era and companies will need to adapt if they have not already done so."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15270
PUBLISHED: 2020-10-22
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not pa...
CVE-2018-21266
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2018-21267
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2020-27673
PUBLISHED: 2020-10-22
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
CVE-2020-27674
PUBLISHED: 2020-10-22
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.