Serg Nvns - Fotolia

Mobile security training is the first line of defense

Mobile security threats, including user-based threats, are around every corner these days. As a result, it's important to train users on how to protect themselves.

The security equation has always been complex for IT departments to solve. The influx of mobile devices only makes it more complicated.

Work is not tethered to the PC anymore. Devices with business critical applications and data can be just about anywhere nowadays, exposing companies to more risk than ever before. All it takes is for one user to leave a phone lying around without a password and an entire company can be compromised. As a result mobile security training is essential to mitigating risks.

Find out what Eddie Schwartz, a board member for ISACA, a professional organization that advises companies on IT governance, has to say about current mobile security threats in the following interview. Schwartz, the COO of White Ops, a cybersecurity vendor in the digital advertising market, explains the value of mobile security training and important mistakes to avoid.

Q: What are the top mobile security threats today?

Eddie Schwartz: Situations where users do not adequately protect the security of their device. You see devices that don't have passwords or use rudimentary four-digit PINs. The devices are left out in the open where others can touch them. End users need to have an awareness of what are appropriate security settings and appropriate behaviors on the device.

If you live in a dangerous neighborhood, you can't just leave the doors unlocked and the windows open and expect nothing is going to happen to you.
Eddie SchwartzISACA board

Criminals can figure out on certain platforms how to install Trojan apps, provide legitimate functionality to users and get in the middle of different processes -- whether it's just getting in the middle of the advertising food chain to defraud advertisers or, on some platforms, actually installing services and processes that can be used to steal data or take data right off the phone. Even if malware is not installed, the intended purposes of the device may be perverted by things like HTTP redirects or other types of situations where the end user's device suddenly becomes out of [his] control.

We see in today's world the major manufacturers releasing new versions of the same phone every six to nine months. We see apps updating themselves every few days in some cases. We don't really understand what's in these updates. Some of the underlying operating systems we know are not secure. At the same time, we see a world where it's very difficult for corporations to constrain end users and say, well, we really haven't approved the Samsung [Galaxy] S7 or we really haven't approved the iPhone 6s, or something like that. It's a world of rapid change, and it's a world where security has to be adaptive.

Q: How can IT pros keep up with the rapid changes?

Schwartz: It's important to have comprehensive mobile security training that's job specific -- addressing how one would go about securing company assets on a personally owned device or any device. It's important for corporations to provide information to their constituencies, constantly reminding them to use good security practices and keeping them simple.

We all are responsible for our own security and safety. If you live in a dangerous neighborhood, you can't just leave the doors unlocked and the windows open and expect nothing is going to happen to you. You have to recognize that the Internet is not always the most friendly place, and we have to inform ourselves how we lock the doors and shut the windows and at least don't invite criminals to steal from us.

Security teams have to create standards and monitor and enforce [them]. Security teams have to educate themselves on the risks. They don't control the devices in a lot of cases. They don't control the underlying operating systems. A lot of the apps are going to be off-the-shelf apps that have questionable security principles. It's incumbent [upon] all of us to continually examine our strategies for mobile.

Q: What's the biggest mistake an IT department can make when it comes to mobile security threats?

Schwartz: Treating mobile security the way you treat desktop security would be making a lot of bad assumptions. Another mistake would be thinking that everything is under your control. When you don't know what you're doing, find partners out there that really are experts in the areas you need to focus.

Next Steps

Security strategy must do more than monitor malware

Three need-to-know mobile threats

How to improve Android security

Dig Deeper on Enterprise mobile security