The potential for data loss will increase dramatically as more companies make their applications available on mobile devices and adopt internet of things devices, but most IT departments don't realize it.
Research from my firm, Lopez Research, shows that only 64% of companies view security as a key mobile concern. Even worse, 22% of companies don't know if they've had a security breach, and 42% believe they've never had a mobile security breach, according to J. Gold Associates.
There are four things IT should do to prepare for upcoming mobile security challenges.
Secure application code as the first line of defense
Many organizations struggle to keep pace with mobile application development demands. As a result, developers may limit their application testing efforts. Developers can't find vulnerabilities in their apps if they don't properly test them across the various operating system types and versions the apps run on.
Many security exploits take advantage of weaknesses in code. Threats can even arise from compromised development tools. For example, last year, developers who inadvertently used a modified version of Apple's development environment enabled hackers to infect dozens -- possibly thousands -- of apps.
Move security to the app level
Mobile device management is not enough to overcome all of today's mobile challenges. As companies embrace bring-your-own-device (BYOD) programs and deploy apps to contractors, agents and other third parties, securing apps with mobile application management has become a requirement. Security-conscious organizations are going even further by building self-defending apps with code guards that prevent hackers from reverse-engineering the binary code.
Implement multifactor authentication
Nearly half of all security breaches occur because of compromised credentials, according to Verizon. A mobile security breach can even allow hackers to harvest data such as credentials without users' knowledge. One way to prevent a compromised username and password from opening the door to a company's data is to require multifactor authentication for access to sensitive data. IT should set the number of authentication factors required to access an app based on the following:
- The type of data contained in the app;
- The security of the user's location and network; and
- Whether the device is company-approved.
For instance, if the data is especially sensitive, or the location or device is unfamiliar to IT, the department should require more authentication factors. Authentication methods may include the user's fingerprint, facial scan, voice and a PIN.
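As an added illustration of the policy described above (example code written for this page, not from the article or any product), the following step-up authentication policy sets the number of distinct factor categories a request must present from the three signals listed: data sensitivity, trust in the user's location or network, and whether the device is company-approved. The class and function names, the one-extra-factor-per-risk-signal rule, the three-factor cap and the rule denying restricted data to unapproved devices are all assumptions made for this example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Factor categories (assumed names): two factors of the same category,
# such as a PIN plus a password, count as one factor, not two.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "fingerprint": "inherence", "face": "inherence", "voice": "inherence",
    "otp_app": "possession", "hardware_token": "possession",
}


@dataclass(frozen=True)
class AccessRequest:
    data: Sensitivity
    trusted_network: bool    # corporate network or a location IT has seen before
    approved_device: bool    # device is enrolled with and managed by IT
    presented: frozenset     # factors the user has already completed


def required_factors(req: AccessRequest) -> int:
    """Distinct factor categories required: a baseline of one, plus one
    for each risk signal the section lists, capped at three (assumed rule)."""
    needed = 1
    if req.data >= Sensitivity.CONFIDENTIAL:
        needed += 1
    if not req.trusted_network:
        needed += 1
    if not req.approved_device:
        needed += 1
    return min(needed, 3)


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' (more factors needed) or 'deny'."""
    # Assumption: restricted data is never served to an unmanaged device,
    # however many factors the user can present.
    if req.data == Sensitivity.RESTRICTED and not req.approved_device:
        return "deny"
    # Count categories, not individual methods, so "password + PIN" is one factor.
    have = {FACTOR_CATEGORY[f] for f in req.presented}
    return "allow" if len(have) >= required_factors(req) else "step_up"
```

Factor names not in FACTOR_CATEGORY raise a KeyError, which is the desired fail-closed behaviour for an unrecognised method.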
Evaluate threat detection software
Traditional security tools focus on threat prevention, but it is equally important to detect a breach quickly when one occurs. It takes an enterprise more than 200 days to detect a security breach and 80 days to contain it, costing an average of $12 million per incident, according to Microsoft. In the nine months it takes to detect and contain the average mobile security breach, attackers could steal data and create other avenues to maintain access to systems -- even after the organization detects and contains the original breach. To mitigate these risks, companies should evaluate a new class of breach detection services.
Companies need to focus on contextual security based on user identity and other information, such as location, time of day, role and the type of data a person is accessing. Despite the desire for simplified security plans, businesses must continue to pursue layered strategies -- and mobile must be part of them.
This article originally appeared in the September issue of the Modern Mobility e-zine.