Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Anne Bonaparte
Anne Bonaparte
Connect Directly
E-Mail vvv

What's the C-Suite Doing About Mobile Security?

While most companies have security infrastructure for on-premises servers, networks, and endpoints, too many are ignoring mobile security. They'd better get moving.

For too long, too many companies have viewed security as an IT problem. Breaches are considered just another cost of doing business rather than a risk that requires proactive focus by the C-suite.

But breaches are a risk to take seriously for C-suites and their companies. Don't believe me? Think about the recent Equifax breach, after which the CIO, CISO, and CEO all lost their jobs. If the C-suite wasn't paying attention before, it surely is now. And it should pay even more attention in the months and years ahead, as new ways of doing business open up new data breach vulnerabilities.

Mobile, in particular, is a broad threat vector with a huge number of permutations that are beyond the corporate perimeter. Android is now the world's most popular end-user operating system, having overtaken Windows last year, according to a report by Web analytics firm StatCounter. Employees are increasingly doing their work on mobile devices, regardless of company policy — according to analyst firm Gartner, today's employees use an average of three different devices in their daily routine.

Still, many C-suite executives have no idea how to deal with the problem of mobile threats, although they do at least acknowledge it: almost half of CIOs and IT executives identified mobile devices as the weakest link in their company's defense in a Tech Pro Research survey.

What most organizations have, still, is an elaborate security infrastructure for protecting on-premises servers, networks, and endpoints. Mobile, not so much. But they'd better get moving, because their employees are working on mobile devices everywhere, and, according to comScore, those devices are using apps 87% of the time, along with interacting with Wi-Fi networks and cloud services that are beyond organizational reach.

So, what should the C-suite do to protect against mobile threats? Here's are some ideas.

Accept the fact that mobile is here to stay. First, acknowledge that mobile is here and it brings risk. Start with a review of which risks can be blocked and which must be accepted and addressed as best as possible. Eliminating all the risk from mobile isn't realistic. Your employees will continue to use mobile devices because they're a huge part of how we communicate today. So, sort out where you stand, then formulate a mobile security plan.

Draw up a mobile security policy. Next, create a policy for managing mobile use. You can accept mobile and still put some parameters around it, such as getting visibility into what your employees are putting on their devices, so that you can mitigate risk. Then establish rules for acceptable mobile usage and practices. For instance, if employees are sideloading games from foreign app stores that could be full of malware, that should be forbidden on devices that are also accessing enterprise assets. It's likely that some people in your organization have privileged access to data and thus have a higher risk profile by virtue of that access, so they may need more rigorous rules applied. Can they send mobile data abroad? Creating a mobile-focused security policy and enforcing it is critical.

Don't reinvent the wheel. Almost every organization has pretty comprehensive security policies in place. So, think about how you can leverage what already exists. Some organizations are overwhelmed by the thought of managing mobile risk and end up doing nothing at all. That's not good. You don't have to think about mobile as a totally different animal that requires a completely new approach to security. Take what you have and extend it to mobile. The basics of security still apply. You still want to have good visibility and monitoring. You still want to follow the effective incident-response procedures that you've established within your organization.

Make employees a part of the solution. Mobile devices are now our constant companions. They go with us everywhere. That's why it is critical to make employees a part of any mobile security solution. Yes, employees are leery of having their mobile behavior monitored by their employers. But people are even more concerned about their own privacy and want to limit access to their personal data in a breach. The TRUSTe/National Cyber Security Alliance (NCSA) Consumer Privacy Index revealed that more Americans are concerned about data privacy than losing their main source of income. Let employees know that mobile security solutions designed for the enterprise have the added benefit of enabling employees to know if their personal apps are stealing their data or compromising their private information. If a game on a phone is exhibiting malicious behavior, anyone would want to know about it and take action. Companies should develop policies for employees who use the same device for both work and "life." And they should establish processes that will maintain the security and safety of the device, data, and the corporate infrastructure.

Measure better to manage better. You can't know whether or not your mobile security is successful until it's precisely tracked. After you've defined risks with your mobile security policy, you'll want to monitor those risks to see how well you're keeping the organization and your employees safe. And make sure you're measuring in a systematic way. There are several such monitoring tools on the market. (Full disclosure: Appthority offers one of these.) One benefit of systematic measurement is that it gives you data with which you can demonstrate to the organization that you're defending against and monitoring the right things, and that you're operating with a mobile risk posture that's aligned to your organization's overall security goals.

In today's business world, C-level executives are held accountable for the security of their organization. So, realize that while effective use of mobile can transform productivity, it also opens up serious risk — risk that needs to be proactively addressed. 

Related Content:


Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Anne Bonaparte is an entrepreneur and cybersecurity industry veteran known for scaling emerging enterprise SaaS companies through high-growth stages to become businesses that endure. Before becoming CEO of Appthority, Anne served as CEO of BrightPoint Security, Xora, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-23
Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called in the back end.
PUBLISHED: 2021-06-23
Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
PUBLISHED: 2021-06-23
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
PUBLISHED: 2021-06-23
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
PUBLISHED: 2021-06-23
Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.