Virtually every organization, large and small, has some component of their business run from mobile devices. Smartphones, tablets and specialized rugged devices handle functions ranging from simple email connectivity to more complex sales force automation, field-based data collection, HR tasks and ERP applications.
Yet many companies are shortchanging their need to secure those devices, especially when it comes to transmitting and storing sensitive corporate data on mobile devices and in back-end office systems. This kind of laxity in security can have dire consequences, including malware epidemics, loss of sensitive data, rampant spyware infections across the user base and, ultimately, lawsuits or loss of business.
There's no one-size-fits-all management approach to mobile device security threats. Generally, however, there are five basic and effective tools and techniques that should be followed by all organizations to secure their mobile devices and associated data.
1. Unified endpoint management
The first line of defense against mobile device security threats is a mobile device management capability. Current security approaches that tie into PC and server management systems, generally known as unified endpoint management (UEM), can be deployed on premises and in the cloud, with a majority being cloud-based deployments.
Vendors such as BlackBerry, Citrix, IBM, Microsoft, MobileIron and VMware allow policies to be set and enforced on the devices. Some of these policies can be simple actions. They include ensuring that data residing on the device is encrypted, the device has password protection turned on, preferred business applications can be loaded on the device, restrictions can be placed on what apps can't be downloaded, the VPN can be turned on to secure transmitted data and access is restricted to only certain connections.
More specific settings can be enabled, depending on the device, and companies should create a specific set of policies for what needs to be enforced.
2. Mobile threat defense
It's common for PCs to have some form of threat defense, like antivirus software, installed. But that's far less common for mobile devices. This lack of security add-on is shortsighted since current generations of devices have a huge capacity for storing company data and can transmit malware to other devices over the corporate network.
Remedies can range from base-level on device signature-based antivirus-like systems to newer AI-based threat defenses that look not only at file signatures, but also at behaviors to identify mobile device security threats. Threat defense software like BlackBerry Cylance, Lookout, Zimperium and Symantec should be installed on mobile devices to prevent loss of corporate data.
3. Advanced identity management and MFA
Identity theft is indeed the number one method of compromising mobile, PC and cloud-based devices. Compromised devices are generally free to connect to corporate resources once their identity is established with the network, even though it may not be the authorized user trying to access those systems or could even be a "cloned" device.
Companies should move to a multifactor authentication capability that doesn't simply rely on username and password, such as products by Okta, RSA Security and Centrify. Newer biometric systems that allow access only after the designated user identity is verified can provide much needed authentication.
Methods of authentication can include fingerprint and facial recognition available on most higher end mobile devices; a Bluetooth-connected supplemental identity token; or simply a text message confirmation, a method that is coming under attack and being compromised but is still better than nothing. Newer systems can monitor the device user and know whether it's the actual user by identifying traits like unique typing styles and word usage.
4. Separate business and personal work areas
It's imperative that corporate mobile devices separate the work apps from the personal apps. Personal user apps are much more likely to be vulnerable to mobile device security threats than corporate apps, so companies need to deploy a barrier to prevent exfiltration of corporate data due to malware-infected personal apps.
Most devices are capable of segmenting and isolating a workspace from a user space. Many UEM vendors have these capabilities built into their products, but device vendors increasingly are also doing the same with their products, including Android Enterprise and Samsung Knox. This protection is relatively easy to implement and can pay major dividends in preventing data loss and devices from being compromised.
5. Corporate policy for bring your own device
BYODs should not be connected to corporate networks without a requirement that they come under management of a UEM security program. And not all BYOD devices should be acceptable. Companies with a BYOD policy should establish a limit of no more than five types of mobile devices that can connect to corporate systems.
In that way, mobile devices and older versions of operating systems known to be less secure can be eliminated, while maintaining a reasonable balance between personal user selection and enhanced corporate security measures.
Evaluate, implement, incorporate
With the massive influx of mobile devices in most companies, it's imperative that organizations evaluate their own needs and implement a viable defense strategy against mobile device security threats that's part of the overall corporate security plan. Otherwise, companies are subjecting themselves to potentially destructive attacks that can have a dramatic impact on their overall business -- and perhaps the company's future.