Dark Reading is part of the Informa Tech Division of Informa PLC


Mobile Security

09:35 AM
Jeffrey Burt

ISF: Balance Is Key to Mobile Security

As the workforce becomes more mobile, companies can't lock everything down but also can't risk leaving their mobile environments wide open, Information Security Forum finds.

Mobile devices have become essential in the modern work environment and represent a significant security headache for IT departments that are trying to make them safer while still allowing employees to use them to do their jobs.

It's a concern that has plagued most businesses since the rise of BYOD (bring-your-own-device) a decade ago.

Somewhere along the security spectrum between locking down all devices and taking a hands-off approach is the sweet spot that allows for an increasingly mobile workforce while protecting the company's network and data. Finding that balance is the challenge, according to the Information Security Forum (ISF). (See Smartphones Remain the Most Vulnerable of Endpoints.)

In a report, Securing Mobile Apps: Embracing Mobile, Balancing Control, ISF outlines the challenges that come with employees downloading and using mobile apps and steps businesses can take to find a manageable middle ground. It's something that needs to be done, according to Steve Durbin, managing director of ISF, because there's no turning the clock back.

Mobile devices -- not only smartphones, but also tablets and other Internet of Things (IoT) systems -- now create half of website traffic, and users spend twice as much time on them as on desktop and laptop PCs, the firm noted.

In addition, as mobile devices become more ingrained in the workforce, more business is being done on them and more data stored in them. All this makes them attractive targets for cybercriminals. Check Point Software in a study last year analyzed 850 organizations around the world that in 2017 had at least 500 mobile devices and found that every one of them sustained a mobile attack, with the average number of attacks tagged at 54. In its study, the company also found that two-thirds of security professionals doubted that their companies could prevent their employee devices from being breached, and 94% report that they expect the frequency of attacks to increase.

ISF found that businesses were vulnerable in a number of ways.

Apps are key
Fifty percent of organizations have no budget for mobile security, and half of employees who choose to use their personal devices for business purposes -- the crux of BYOD -- do so without their employer knowing. Sixty percent of IT and security professionals expect their companies to be breached through an insecure app.

Apps are key to mobile security, Durbin said.

Mobile devices are always on and always connected, yet lack the security protection that is put on IT systems. Given that, app security is a crucial part of ensuring the mobile device remains secure and thus the corporate network is protected. Mobile app security firm NowSecure found in its 2016 security report that 25% of all mobile apps have at least one high-risk security flaw and that 35% of communications sent via mobile devices are unencrypted.

In addition, the average mobile device connects to 160 unique servers every day. (See Endpoint Security: A Never-Ending Battle to Keep Up.)

All that creates a conundrum for IT security professionals, according to ISF. The business world has gone mobile and that will only increase. At the same time, the mobile devices and apps that are downloaded by users are increasing the security threat to corporations and their networks. They are always on, always connected and are easily lost or stolen, and employees can download apps without the knowledge or consent of their employers.

"It is very much a company-culture issue and, perhaps more importantly, a user-culture issue," Durbin told Security Now in an email. "Mobile is user-driven and requires companies to adapt to the way in which their people are using technology. Users want to collaborate, to multi-task, to have easy access to information and systems, which is one of the reasons why mobile has become so popular as the access device of choice. Many companies are having to play catch-up with that cultural shift and for some that is a very real challenge."

Finding a balance
Somewhere in the middle is the necessary balance of mobility and security.

ISF's report points to several steps that companies can take to increase mobile security, including reducing the number of unauthorized apps that are downloaded, managing updates, developing secure apps and managing risk from insecure mobile devices. The organization also lists important lessons, the first being that managing apps and the risk they bring means knowing everything about the apps -- what they do, what data they're processing and who is running them.

ISF also recommends pragmatism, deciding whether an app is used based on risk, user satisfaction and its ability to meet business needs. In addition, security support for mobile apps should be similar to that of other types of business applications.

Where companies are in securing mobile is a "mixed state," according to Durbin.

"Some companies have the situation well under control and have done for some while now with well established guidelines for the use of mobile devices and processes for download and use of mobile apps," Durbin said. "Others are not in that position and given the nature of mobile -- which by definition is user-driven, on the move with constant use, upload, download and sharing of information -- the need for continuous monitoring of the mobile use policy along with education of the user base should be a mainstream feature of business as usual for the majority of organizations."

They need to find that balance, he said. They can't turn back the clock to a less mobile time, and "companies that cannot adapt will be left behind and undoubtedly lose competitive advantage, whether that be in attraction and retention of staff or of customers. We are now in a mobile access era and companies will need to adapt if they have not already done so."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
