
Can you be mobile AND secure?

Despite the security challenges mobile devices create, there is no going back. Users demand corporate access from their smartphones and companies benefit from this access with increased efficiency, better use of time and improved user experience. Here's how to be safe and mobile.


Most companies today allow their workforce to employ mobile devices to access corporate back office systems (e.g., email, sales force automation, ERP, HR, data collection, form filling, collaboration, etc.). And while these devices can be convenient, it’s important that organizations know how to maximize the security of these corporately connected devices – both devices furnished by the company and those brought in through Bring Your Own Device (BYOD).

In fact, many companies I speak with say that they do not believe there have been (or are unaware of) any mobile data breaches within their organization. Research we’ve done at J.Gold Associates shows that IT believes about 65 percent of mobile devices have never had a breach, or is unaware of one happening (e.g., lost, stolen, attacked by malware), while greater than 50 percent of end users admit to having had a breach on their device, although not all exposed corporate data, and most were never reported to IT.

Despite the security challenges mobile devices create, there is no going back. Users demand corporate access from their smartphones (and in some cases tablets), and companies benefit from this access with increased efficiency, better use of time and improved user experience. Indeed, millennials and other digital natives often require a “mobile first”, or even “mobile only”, approach when accessing enterprise back office applications.

But companies should not be blind to the fact that mobile devices, especially newer devices with massive amounts of onboard storage, can present a security threat. This is true in virtually all industries, but is especially problematic in regulated industries. Many companies I speak to have no idea what kind of data, or how much data, users have loaded onto their personal mobile devices. Enterprises must have a strategy in place to deal with mobile security and not just hope for the best.

What should companies do?

It’s no longer possible for companies to turn a blind eye and hope for the best. Companies must have a sound mobile security strategy, but this strategy should be an extension of the existing corporate security strategy, not a standalone strategy specifically for mobile devices. This is the only way to rationalize security across all users and devices in the organization.

Companies should place responsibility for mobile security in the same group where the rest of corporate security resides, even though some special skills will be required specifically to handle mobile. Nevertheless, it’s imperative that a unified security strategy take hold, especially since such a preponderance of work is being done on mobile devices today, and I expect it to continue to grow (indeed, in some companies, as much as 50 percent or more of corporate interactions are now being done through mobile devices).

While there are several enterprise-class third-party security products targeted at mobile devices (e.g., Lookout, Zimperium, Cylance), deploying such services in a vacuum offers less protection than doing so strategically. And deploying mobile security must first and foremost be built on top of a robust mobile management capability.

Many traditional mobile management vendors have now moved to a Unified Endpoint Management (UEM) approach to allow for combined mobile and PC management (e.g., BlackBerry, Citrix, IBM, MobileIron, VMware), but even if your organization only deploys the more basic Enterprise Mobile Management (EMM) suite of products, it is imperative that this device management capability be closely coupled to any add-on specialized security products. In fact, I estimate that running third-party security apps without a robust EMM/UEM suite to monitor and manage them reduces their effectiveness by 50-65 percent.

BlackBerry, which has a robust mobile management platform, has seen the writing on the wall and recently acquired Cylance to add a security component for mobile (and other) devices, which it is in the process of integrating into its suite. IBM MaaS360 is coupling its EMM platform with its suite of software services and tools like Watson.

Others (e.g., VMware, Citrix, Microsoft) have partnered with security vendors to create a synergistic unified management and security capability. I expect to see more security acquisitions going forward as UEM and mobile security become even more closely intertwined, and as the UEM vendors see this as a strategic need to stay competitive while more mobile management capability makes its way into enterprise app suites.

Are there platform differences between Android and iOS?

Yes. Android and iOS are distinctly different when it comes to device security, although, despite some claims to the contrary, both platforms have had malware attacks. The biggest challenge is in keeping older devices secure. In the Android environment, there can be as many as 3-5 generations of older Android versions in service, primarily on older devices that have never been upgraded, or cannot be. In fairness to Apple, this is less of an issue, as most Apple devices several generations old get the OS upgrade once it is released.

Apple makes sure to create a backwards-compatible OS, while Google allows the device manufacturers to decide whether they will offer OS upgrades for older devices (this is beginning to change as Google enforces an upgrade policy, but that doesn’t help the older devices already in service).

I recommend that companies supporting Android devices not allow any device more than two generations behind the latest version of the OS onto their corporate networks. This can be monitored and enforced by the EMM/UEM suite. In a BYOD environment this may be problematic, as companies have much less say in which devices users acquire.

Nevertheless, I encourage companies to enforce the policy and require even BYOD users to have products running a current OS as much as possible. Security feature enhancements are perhaps the biggest reason Android is being upgraded regularly. With BYOD iOS devices, this is less of an issue, as indicated earlier.

Still, monitoring and enforcing a current-OS strategy is a great enhancement to a company’s security posture. And third-party tools on older devices, while helpful, should not be a substitute for having up-to-date instances of the OS. As a final protection, I recommend that organizations, especially in regulated industries, deploy enhanced, secured Android devices, either from Samsung with its Knox features, or with the Android for Enterprise added security features available from several smartphone vendors.
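The "no more than two generations behind" rule above is the kind of check an EMM/UEM compliance policy evaluates against a device inventory. The Python below is an added illustration of that logic, written for this page; it is not the article's code nor any EMM/UEM vendor's API. It assumes a constructed device inventory, a hand-maintained table of the latest major OS version per platform (in practice fed from the management suite), and the same two-generation limit for iOS as for Android so that both platforms are evaluated with one rule set. It fails closed on unknown platforms and unparseable version strings, which is where inventory data tends to be dirtiest.

```python
"""Evaluate a device inventory against an OS-currency compliance policy.

Added example for this page (not the article's or any vendor's code).
All device records, version strings and reference values are constructed.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str      # "android" or "ios" as reported by the agent
    os_version: str    # vendor-reported string, e.g. "11", "13.5.1"


@dataclass(frozen=True)
class Verdict:
    device_id: str
    compliant: bool
    reason: str


# Constructed reference table: latest major OS version the organization treats
# as current. Hypothetical values; a real deployment refreshes this from the
# EMM/UEM suite rather than hardcoding it.
LATEST_MAJOR = {"android": 13, "ios": 16}

# Policy from the article: deny devices more than two major versions behind.
MAX_GENERATIONS_BEHIND = {"android": 2, "ios": 2}

# Accept "13", "13.5", "13.5.1"; reject anything else (e.g. "unknown", "").
_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.\d+)*\s*$")


def parse_major(version: str):
    """Return the major version as an int, or None if the string is unparseable."""
    m = _VERSION_RE.match(version or "")
    return int(m.group(1)) if m else None


def evaluate(device: Device,
             latest_major=LATEST_MAJOR,
             max_behind=MAX_GENERATIONS_BEHIND) -> Verdict:
    """Decide whether one device may be admitted to the corporate network."""
    platform = device.platform.strip().lower()
    if platform not in latest_major:
        # Fail closed: a platform we have no reference for cannot be judged current.
        return Verdict(device.device_id, False,
                       f"unsupported platform {device.platform!r}")

    major = parse_major(device.os_version)
    if major is None:
        # Fail closed: agents that cannot report a version are not trusted.
        return Verdict(device.device_id, False,
                       f"unparseable OS version {device.os_version!r}")

    lag = latest_major[platform] - major
    if lag < 0:
        # Device is newer than our table; admit it but flag the stale table.
        return Verdict(device.device_id, True,
                       "newer than reference table; refresh LATEST_MAJOR")
    if lag > max_behind[platform]:
        return Verdict(device.device_id, False,
                       f"{lag} major versions behind (limit {max_behind[platform]})")
    return Verdict(device.device_id, True,
                   f"{lag} major versions behind (within limit)")


def evaluate_inventory(devices):
    """Evaluate every device; returns one Verdict per device, in input order."""
    return [evaluate(d) for d in devices]


def noncompliant_ids(devices):
    """Device ids that would be blocked by the policy."""
    return [v.device_id for v in evaluate_inventory(devices) if not v.compliant]


# Constructed sample inventory covering the cases the policy must handle.
SAMPLE_INVENTORY = [
    Device("a-001", "android", "13"),        # current
    Device("a-002", "android", "11.0"),      # two behind: allowed
    Device("a-003", "android", "10"),        # three behind: blocked
    Device("i-001", "ios", "16.5.1"),        # current
    Device("i-002", "ios", "13.7"),          # three behind: blocked
    Device("a-004", "android", "unknown"),   # unparseable: blocked
    Device("x-001", "harmonyos", "3.0"),     # unsupported platform: blocked
]

if __name__ == "__main__":
    for v in evaluate_inventory(SAMPLE_INVENTORY):
        status = "ALLOW" if v.compliant else "BLOCK"
        print(f"{status}  {v.device_id:<6} {v.reason}")
```

Running it prints one ALLOW/BLOCK line per device. The reason string is kept on every verdict, not only on failures, so the same evaluation can feed an audit log or a BYOD user-facing message explaining why a device was denied.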

Bottom Line: First and foremost in maximizing mobile security, enterprises must enable robust mobile device management to set profiles, enforce policies and manage access as a minimum requirement before deploying additional capabilities. Once such capabilities are in place, enterprises should look to supplement the existing EMM/UEM with specific add-ons to further prevent data breaches and malware.

Organizations should also require up-to-date devices with current OSes to minimize the potential for malware attacks and data breaches. Finally, companies must have a total security strategy that encompasses mobile devices and mobile work, rather than a standalone security strategy for mobile alone. Without these steps, we will be seeing many more mobile data breaches in the near future.