Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Anne Bonaparte
Anne Bonaparte
Connect Directly
E-Mail vvv

What's the C-Suite Doing About Mobile Security?

While most companies have security infrastructure for on-premises servers, networks, and endpoints, too many are ignoring mobile security. They'd better get moving.

For too long, too many companies have viewed security as an IT problem. Breaches are considered just another cost of doing business rather than a risk that requires proactive focus by the C-suite.

But breaches are a risk to take seriously for C-suites and their companies. Don't believe me? Think about the recent Equifax breach, after which the CIO, CISO, and CEO all lost their jobs. If the C-suite wasn't paying attention before, it surely is now. And it should pay even more attention in the months and years ahead, as new ways of doing business open up new data breach vulnerabilities.

Mobile, in particular, is a broad threat vector with a huge number of permutations that are beyond the corporate perimeter. Android is now the world's most popular end-user operating system, having overtaken Windows last year, according to a report by Web analytics firm StatCounter. Employees are increasingly doing their work on mobile devices, regardless of company policy — according to analyst firm Gartner, today's employees use an average of three different devices in their daily routine.

Still, many C-suite executives have no idea how to deal with the problem of mobile threats, although they do at least acknowledge it: almost half of CIOs and IT executives identified mobile devices as the weakest link in their company's defense in a Tech Pro Research survey.

What most organizations have, still, is an elaborate security infrastructure for protecting on-premises servers, networks, and endpoints. Mobile, not so much. But they'd better get moving, because their employees are working on mobile devices everywhere, and, according to comScore, those devices are using apps 87% of the time, along with interacting with Wi-Fi networks and cloud services that are beyond organizational reach.

So, what should the C-suite do to protect against mobile threats? Here's are some ideas.

Accept the fact that mobile is here to stay. First, acknowledge that mobile is here and it brings risk. Start with a review of which risks can be blocked and which must be accepted and addressed as best as possible. Eliminating all the risk from mobile isn't realistic. Your employees will continue to use mobile devices because they're a huge part of how we communicate today. So, sort out where you stand, then formulate a mobile security plan.

Draw up a mobile security policy. Next, create a policy for managing mobile use. You can accept mobile and still put some parameters around it, such as getting visibility into what your employees are putting on their devices, so that you can mitigate risk. Then establish rules for acceptable mobile usage and practices. For instance, if employees are sideloading games from foreign app stores that could be full of malware, that should be forbidden on devices that are also accessing enterprise assets. It's likely that some people in your organization have privileged access to data and thus have a higher risk profile by virtue of that access, so they may need more rigorous rules applied. Can they send mobile data abroad? Creating a mobile-focused security policy and enforcing it is critical.

Don't reinvent the wheel. Almost every organization has pretty comprehensive security policies in place. So, think about how you can leverage what already exists. Some organizations are overwhelmed by the thought of managing mobile risk and end up doing nothing at all. That's not good. You don't have to think about mobile as a totally different animal that requires a completely new approach to security. Take what you have and extend it to mobile. The basics of security still apply. You still want to have good visibility and monitoring. You still want to follow the effective incident-response procedures that you've established within your organization.

Make employees a part of the solution. Mobile devices are now our constant companions. They go with us everywhere. That's why it is critical to make employees a part of any mobile security solution. Yes, employees are leery of having their mobile behavior monitored by their employers. But people are even more concerned about their own privacy and want to limit access to their personal data in a breach. The TRUSTe/National Cyber Security Alliance (NCSA) Consumer Privacy Index revealed that more Americans are concerned about data privacy than losing their main source of income. Let employees know that mobile security solutions designed for the enterprise have the added benefit of enabling employees to know if their personal apps are stealing their data or compromising their private information. If a game on a phone is exhibiting malicious behavior, anyone would want to know about it and take action. Companies should develop policies for employees who use the same device for both work and "life." And they should establish processes that will maintain the security and safety of the device, data, and the corporate infrastructure.

Measure better to manage better. You can't know whether or not your mobile security is successful until it's precisely tracked. After you've defined risks with your mobile security policy, you'll want to monitor those risks to see how well you're keeping the organization and your employees safe. And make sure you're measuring in a systematic way. There are several such monitoring tools on the market. (Full disclosure: Appthority offers one of these.) One benefit of systematic measurement is that it gives you data with which you can demonstrate to the organization that you're defending against and monitoring the right things, and that you're operating with a mobile risk posture that's aligned to your organization's overall security goals.

In today's business world, C-level executives are held accountable for the security of their organization. So, realize that while effective use of mobile can transform productivity, it also opens up serious risk — risk that needs to be proactively addressed. 

Related Content:


Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Anne Bonaparte is an entrepreneur and cybersecurity industry veteran known for scaling emerging enterprise SaaS companies through high-growth stages to become businesses that endure. Before becoming CEO of Appthority, Anne served as CEO of BrightPoint Security, Xora, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...