10:30 AM
Anne Bonaparte
Anne Bonaparte
Connect Directly
E-Mail vvv

What's the C-Suite Doing About Mobile Security?

While most companies have security infrastructure for on-premises servers, networks, and endpoints, too many are ignoring mobile security. They'd better get moving.

For too long, too many companies have viewed security as an IT problem. Breaches are considered just another cost of doing business rather than a risk that requires proactive focus by the C-suite.

But breaches are a risk to take seriously for C-suites and their companies. Don't believe me? Think about the recent Equifax breach, after which the CIO, CISO, and CEO all lost their jobs. If the C-suite wasn't paying attention before, it surely is now. And it should pay even more attention in the months and years ahead, as new ways of doing business open up new data breach vulnerabilities.

Mobile, in particular, is a broad threat vector with a huge number of permutations that are beyond the corporate perimeter. Android is now the world's most popular end-user operating system, having overtaken Windows last year, according to a report by Web analytics firm StatCounter. Employees are increasingly doing their work on mobile devices, regardless of company policy — according to analyst firm Gartner, today's employees use an average of three different devices in their daily routine.

Still, many C-suite executives have no idea how to deal with the problem of mobile threats, although they do at least acknowledge it: almost half of CIOs and IT executives identified mobile devices as the weakest link in their company's defense in a Tech Pro Research survey.

What most organizations have, still, is an elaborate security infrastructure for protecting on-premises servers, networks, and endpoints. Mobile, not so much. But they'd better get moving, because their employees are working on mobile devices everywhere, and, according to comScore, those devices are using apps 87% of the time, along with interacting with Wi-Fi networks and cloud services that are beyond organizational reach.

So, what should the C-suite do to protect against mobile threats? Here's are some ideas.

Accept the fact that mobile is here to stay. First, acknowledge that mobile is here and it brings risk. Start with a review of which risks can be blocked and which must be accepted and addressed as best as possible. Eliminating all the risk from mobile isn't realistic. Your employees will continue to use mobile devices because they're a huge part of how we communicate today. So, sort out where you stand, then formulate a mobile security plan.

Draw up a mobile security policy. Next, create a policy for managing mobile use. You can accept mobile and still put some parameters around it, such as getting visibility into what your employees are putting on their devices, so that you can mitigate risk. Then establish rules for acceptable mobile usage and practices. For instance, if employees are sideloading games from foreign app stores that could be full of malware, that should be forbidden on devices that are also accessing enterprise assets. It's likely that some people in your organization have privileged access to data and thus have a higher risk profile by virtue of that access, so they may need more rigorous rules applied. Can they send mobile data abroad? Creating a mobile-focused security policy and enforcing it is critical.

Don't reinvent the wheel. Almost every organization has pretty comprehensive security policies in place. So, think about how you can leverage what already exists. Some organizations are overwhelmed by the thought of managing mobile risk and end up doing nothing at all. That's not good. You don't have to think about mobile as a totally different animal that requires a completely new approach to security. Take what you have and extend it to mobile. The basics of security still apply. You still want to have good visibility and monitoring. You still want to follow the effective incident-response procedures that you've established within your organization.

Make employees a part of the solution. Mobile devices are now our constant companions. They go with us everywhere. That's why it is critical to make employees a part of any mobile security solution. Yes, employees are leery of having their mobile behavior monitored by their employers. But people are even more concerned about their own privacy and want to limit access to their personal data in a breach. The TRUSTe/National Cyber Security Alliance (NCSA) Consumer Privacy Index revealed that more Americans are concerned about data privacy than losing their main source of income. Let employees know that mobile security solutions designed for the enterprise have the added benefit of enabling employees to know if their personal apps are stealing their data or compromising their private information. If a game on a phone is exhibiting malicious behavior, anyone would want to know about it and take action. Companies should develop policies for employees who use the same device for both work and "life." And they should establish processes that will maintain the security and safety of the device, data, and the corporate infrastructure.

Measure better to manage better. You can't know whether or not your mobile security is successful until it's precisely tracked. After you've defined risks with your mobile security policy, you'll want to monitor those risks to see how well you're keeping the organization and your employees safe. And make sure you're measuring in a systematic way. There are several such monitoring tools on the market. (Full disclosure: Appthority offers one of these.) One benefit of systematic measurement is that it gives you data with which you can demonstrate to the organization that you're defending against and monitoring the right things, and that you're operating with a mobile risk posture that's aligned to your organization's overall security goals.

In today's business world, C-level executives are held accountable for the security of their organization. So, realize that while effective use of mobile can transform productivity, it also opens up serious risk — risk that needs to be proactively addressed. 

Related Content:


Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Anne Bonaparte is an entrepreneur and cybersecurity industry veteran known for scaling emerging enterprise SaaS companies through high-growth stages to become businesses that endure. Before becoming CEO of Appthority, Anne served as CEO of BrightPoint Security, Xora, ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...