Dark Reading is part of the Informa Tech Division of Informa PLC

3/13/2018 10:30 AM
Anne Bonaparte
Commentary
What's the C-Suite Doing About Mobile Security?

While most companies have security infrastructure for on-premises servers, networks, and endpoints, too many are ignoring mobile security. They'd better get moving.

For too long, too many companies have viewed security as an IT problem. Breaches are considered just another cost of doing business rather than a risk that requires proactive focus by the C-suite.

But breaches are a risk to take seriously for C-suites and their companies. Don't believe me? Think about the recent Equifax breach, after which the CIO, CISO, and CEO all lost their jobs. If the C-suite wasn't paying attention before, it surely is now. And it should pay even more attention in the months and years ahead, as new ways of doing business open up new data breach vulnerabilities.

Mobile, in particular, is a broad threat vector with a huge number of permutations that are beyond the corporate perimeter. Android is now the world's most popular end-user operating system, having overtaken Windows last year, according to a report by Web analytics firm StatCounter. Employees are increasingly doing their work on mobile devices, regardless of company policy — according to analyst firm Gartner, today's employees use an average of three different devices in their daily routine.

Still, many C-suite executives have no idea how to deal with the problem of mobile threats, although they do at least acknowledge it: almost half of CIOs and IT executives identified mobile devices as the weakest link in their company's defense in a Tech Pro Research survey.

What most organizations have, still, is an elaborate security infrastructure for protecting on-premises servers, networks, and endpoints. Mobile, not so much. But they'd better get moving, because their employees are working on mobile devices everywhere, and, according to comScore, those devices are using apps 87% of the time, along with interacting with Wi-Fi networks and cloud services that are beyond organizational reach.

So, what should the C-suite do to protect against mobile threats? Here are some ideas.

Accept the fact that mobile is here to stay. First, acknowledge that mobile is here and it brings risk. Start with a review of which risks can be blocked and which must be accepted and addressed as best as possible. Eliminating all the risk from mobile isn't realistic. Your employees will continue to use mobile devices because they're a huge part of how we communicate today. So, sort out where you stand, then formulate a mobile security plan.

Draw up a mobile security policy. Next, create a policy for managing mobile use. You can accept mobile and still put some parameters around it, such as getting visibility into what your employees are putting on their devices, so that you can mitigate risk. Then establish rules for acceptable mobile usage and practices. For instance, if employees are sideloading games from foreign app stores that could be full of malware, that should be forbidden on devices that are also accessing enterprise assets. It's likely that some people in your organization have privileged access to data and thus have a higher risk profile by virtue of that access, so they may need more rigorous rules applied. Can they send mobile data abroad? Creating a mobile-focused security policy and enforcing it is critical.

Don't reinvent the wheel. Almost every organization has pretty comprehensive security policies in place. So, think about how you can leverage what already exists. Some organizations are overwhelmed by the thought of managing mobile risk and end up doing nothing at all. That's not good. You don't have to think about mobile as a totally different animal that requires a completely new approach to security. Take what you have and extend it to mobile. The basics of security still apply. You still want to have good visibility and monitoring. You still want to follow the effective incident-response procedures that you've established within your organization.

Make employees a part of the solution. Mobile devices are now our constant companions. They go with us everywhere. That's why it is critical to make employees a part of any mobile security solution. Yes, employees are leery of having their mobile behavior monitored by their employers. But people are even more concerned about their own privacy and want to limit access to their personal data in a breach. The TRUSTe/National Cyber Security Alliance (NCSA) Consumer Privacy Index revealed that more Americans are concerned about data privacy than losing their main source of income. Let employees know that mobile security solutions designed for the enterprise have the added benefit of enabling employees to know if their personal apps are stealing their data or compromising their private information. If a game on a phone is exhibiting malicious behavior, anyone would want to know about it and take action. Companies should develop policies for employees who use the same device for both work and "life." And they should establish processes that will maintain the security and safety of the device, data, and the corporate infrastructure.

Measure better to manage better. You can't know whether or not your mobile security is successful until it's precisely tracked. After you've defined risks with your mobile security policy, you'll want to monitor those risks to see how well you're keeping the organization and your employees safe. And make sure you're measuring in a systematic way. There are several such monitoring tools on the market. (Full disclosure: Appthority offers one of these.) One benefit of systematic measurement is that it gives you data with which you can demonstrate to the organization that you're defending against and monitoring the right things, and that you're operating with a mobile risk posture that's aligned to your organization's overall security goals.

In today's business world, C-level executives are held accountable for the security of their organization. So, realize that while effective use of mobile can transform productivity, it also opens up serious risk — risk that needs to be proactively addressed.


Anne Bonaparte is an entrepreneur and cybersecurity industry veteran known for scaling emerging enterprise SaaS companies through high-growth stages to become businesses that endure. Before becoming CEO of Appthority, Anne served as CEO of BrightPoint Security, Xora, ...