Mobile security failings putting enterprises at risk

A typical mobile security breach in a large organization can cost millions of dollars. Mobile Security can be a daunting task with many potential pitfalls to protect against. Knowing the key security exposure mechanisms can help you determine the best approach to security for your mobile users.

Nearly every enterprise these days has a critical component of their work environment powered by mobile devices. Indeed, we estimate that well in excess of 50% of workers employed mobile apps as part of their work before the current pandemic hit, and we estimate that has now increased to greater than 85% of users who work from home at least part time. With the critical nature of mobile in not only large businesses but smaller organizations as well, it’s imperative that companies maintain a secure posture for their devices and user apps. But are they doing so? Not so much…

In its recent Verizon Mobile Security Index for 2020, Verizon found that an alarming 43% of companies had sacrificed security getting their mobile solutions deployed, while 39% admit to having had a security breach that impacted their business (an increase from 33% in 2019). And while in the past many companies would say they may have sacrificed security due to lack of resources (funds, expertise), Verizon found that 62% said they compromised security for the sake of expediency, while 52% did so for convenience and 46% did so to maintain or increase profitability. Only 27% and 26% respectively compromised security for lack of budget and lack of expertise.

This is truly an appalling set of statistics. It’s highly unlikely that any organizations would have done this poor a job of security if it were related to traditional PC and/or server environments. Further, no company would be paying for a SaaS application or cloud installation if they were given similar statistics from their provider. And what’s all the more alarming is that since the current situation of work from home is so prevalent, the number and usage factor of mobile apps has increased dramatically, making this even more of a problem as the percentage of security breaches will likely continue to increase as well.

Our research shows that a typical mobile security breach in a large organization can cost millions of dollars. And the ultimate cost is increasing with more and more regulatory penalties being brought to bear by both local and federal laws (in fact, in Verizon’s report, 29% said they suffered a regulatory penalty as a result of a security breach). But the less easily measured monetary-specific impacts are equally penalizing, as any security breach will result in user downtime and increased IT workload, data loss or compromise, potential compromise of other devices through cross-infection, and loss of business and/or reputational damage.

So what should organizations be doing?

First and foremost companies must take an inventory of the number of mobile devices being used, the specific apps deployed for use, and the connection methodology that allows users access to corporate systems. You can’t fix a problem that you don’t know about, and few companies today do an actual inventory of all the mobile systems in use.

There are tools to help with this task (e.g., Unified Endpoint Management, UEM, can provide logging/discovery capability), but not all companies have such tools in place, even though they should, If you don’t already have one, there are several UEM tools available as a service that can be employed (e.g., BlackBerry, Citrix, Microsoft, MobileIron, VMware).

Know your exposure

Mobile security can be a daunting task with many potential pitfalls to protect against. Knowing the key security exposure mechanisms can help you determine the best approach to security for your mobile users. Here are several areas that you should be concentrating on.

• Phishing: Especially in times like these with so many work from homers, the amount of phishing attacks has increased dramatically. Mobile users are often targeted since they tend to not have the sophisticated anti-phishing tools available that many organizations now deploy on their internal infrastructure. The first line of defense for these socially-based attacks is user education.
• Malware: Similar to phishing, users often do not have the tools on their mobile devices necessary to defend against malicious installations from web sites, emails, etc. In fact, although the major mobile operating systems have made major security improvements over the past couple of years, companies should be deploying a robust anti-malware product on their mobile devices, just as they do on their PCs, although few do so. There are a number of mobile security products available (e.g., Lookout, BlackBerry Cylance, McAfee) that can help with this.
• Compromised apps: According to MobileIron, 4.5% of all apps on mobile devices contain malware. With potentially hundreds of mobile devices in use in an organization, there is virtually a 100% chance of at least one having malware installed, and that’s enough to compromise the entire organization. Many mobile users never read the terms of use when installing an app and simply accept the terms giving apps access to all of the services on the device even if they don’t need them (e.g., files, microphone, camera, location, contacts, etc.). Much of this can be avoided by only allowing users to download apps from a trusted location (e.g., corporate app store), but only 43% of companies do this according to Verizon. And while the ability to separate business from personal apps available in the major operating systems (e.g., Android for Enterprise, iOS, and even from many UEM vendors) is a major improvement in preventing breaches, this is not often enforced.
• Malicious web sites: Just like with PCs, surfing to malicious websites can cause a mobile compromise. Although perhaps more difficult to do than on a PC, there are nonetheless security compromises that can be proliferated in this way. And often, users are fooled into clicking on a link that takes them to a rogue site. User education is part of the defense against such attacks, but increasingly mobile malware tools are offering malicious web site defenses as well, especially those built on an AI infrastructure.
• Not updating device OS: Mobile OSes update often as they discover new security issues. This is particularly true of Android, although increasingly with iOS as well. Yet 48.5% of companies do not require updating to the latest version of the OS according to Verizon. Using UEM tools to verify that the latest version is installed, and forcing the installation if not, should be a prerequisite for mobile use in enterprises.
• Public Network access and charging: IBM surveyed business travelers and found 79% of them have connected their mobile device to a public charging station. Such behavior has the potential of exposing the device to malicious behavior from rogue charging stations. Once the device is connected, the charging station has access to its internal structure through the USB port, and can create potential data extraction, app compromise, or even destructive behavior of the device. Enterprises should discourage users from public charging stations as they represent a real risk. Similarly Wandera found that mobile users transfer 2.5 times as much data over Wi-Fi as they do over the cellular network. And 72% of employees use public Wi-Fi despite all the known dangers of doing so. Enterprises should enforce a “no public Wi-Fi” rule to prevent compromise, yet fewer than half do so.

The above is clearly not an all-inclusive list of potential security threats, but is a good start to securing your mobile users. Mobile devices can be powerful productivity tools for users, especially in the current remote work environment, but organizations need to take steps to educate users on best practices and deploy necessary tools and infrastructure to secure those devices. Failure to do so will expose companies to potential malware, data breaches and significant penalties. Make sure your organization takes the required steps, and don’t expose your organization for the sake of expediency.