This content is part of the Essential Guide: An IT security strategy guide for CIOs

IT battles the top three mobile security threats

These common mobile security threats are rapidly growing due to user negligence, and because IT doesn't always know the best ways to combat them.

Mobile security threats are on the rise, and it's up to IT pros to keep up with the best ways to protect their organizations' data.

Threats such as mobile malware are increasingly common, and best practices to combat them are evolving, said Doug Grosfield, president and CEO of Five Nines IT Solutions, an IT consultancy in Kitchener, Ont.

"The number of threats is growing, but so is the number of ways to protect yourself," Grosfield said. "It's about staying educated to stay protected."

In addition to malware, data leakage and the threats from user error have grown more common in the mobile era. Many businesses lack in their approaches to warding off these potential risks.

Mobile malware

IT has allowed mobile malware to become a rapidly growing threat by not properly addressing it, Grosfield said.

Some companies try to combat mobile malware with the same technologies used on desktop PCs, such as antivirus software. But mobile malware is a different ballgame. It often comes from users downloading compromised apps that have made their way into Apple's App Store or the Google Play store. 

More than 95% of businesses have no protection against mobile malware, according to a report from enterprise mobility management vendor MobileIron, which aggregates data from its customers.

App reputation and mobile threat prevention platforms from companies, such as Appthority, FireEye, Check Point Software Technologies and others, can help protect against faulty or malicious app store apps. Those tools identify which apps have malware and allow IT to automatically quarantine devices that download them.

Cloud data leakage

The growth of cloud-based storage and file-sync applications has increased the potential for data leakage. Employees may store or share corporate content on consumer versions of tools, such as Dropbox, Google Drive and Microsoft OneDrive, which can lead to data loss, and may not comply with an organization's security and regulatory policies.

But data leakage is addressable, said Robby Hill, founder and CEO of HillSouth, an IT consultancy in Florence, S.C. Many IT departments combat cloud data leakage by blacklisting apps they don't want employees to use.

It's harder to stop a person who is intent on taking information, but you can mitigate the accidental scenarios.
Robby Hillfounder and CEO of HillSouth

"It's harder to stop a person who is intent on taking information, but you can mitigate the accidental scenarios," Hill said. "Create some hurdles to make it harder for it to happen."

But adding roadblocks only forces employees to find workarounds to get their jobs done, said Jack Gold, principal and founder of J. Gold Associates, a mobile analyst firm in Northborough, Mass.

"Blacklisting apps doesn't solve the issue," he said. "With every app you block, the employee will find three others to use." 

Of the top 10 blacklisted apps in corporate IT, five of them are cloud file-sharing applications, according to the MobileIron report. IT is better served by approving apps that employees are allowed to use, Gold said. It's important to include some alternatives to unsecure email and file-sharing platforms. For example, IT can ban users from sharing corporate documents over personal email accounts, such as Gmail, but it might approve the enterprise versions of Box or Dropbox.

"The bottom line is to get the users on your side by solving their needs, so they don't look to get around your roadblocks," Gold said.

User error

Many employees put their organizations at risk by ignoring security measures IT puts in place, or even losing their devices.

Unsecured devices are an all-too-common problem, Grosfield said.

"You could walk through a crowded coffee shop or airport lounge and pick up half a dozen smartphones that don't have a screen lock, or are not encrypted and have access to their corporate data, email apps and [virtual private network] clients," he said. "Many people are still failing to protect their devices by leaving the door wide open."

In some cases, employees remove the PINs from their devices, or try to remove IT's mobility management software. In these scenarios, IT can quarantine a device, restricting the employee's access to corporate content until they maintain compliance. When a device is lost, IT can perform a remote wipe of the work container, or the entire device, to protect corporate data.

Twenty-two percent of enterprise customers had users who removed PINs from their phones, and 33% of companies experienced lost or stolen devices, according to the MobileIron report. It's important to reinforce policies that prevent employees from bypassing security measures in the first place. With these three mobile security threats in mind, organizations can better prepare for securing corporate content, while still enabling mobile workers.

Next Steps

MDM vs. MAM for mobile security

Look beyond malware for mobile security

The numbers behind enterprise mobile security  

Dig Deeper on Enterprise mobile security