
Jeffrey Burt

ISF: Balance Is Key to Mobile Security

As the workforce becomes more mobile, companies can't lock everything down but also can't risk leaving their mobile environments wide open, Information Security Forum finds.

Mobile devices have become essential in the modern work environment and represent a significant security headache for IT departments that are trying to make them safer while still allowing employees to use them to do their jobs.

It's a concern that has plagued most businesses since the rise of BYOD (bring-your-own-device) a decade ago.

Somewhere along the security spectrum of locking down all devices and taking a hands-off approach is the sweet spot that allows for an increasingly mobile workforce while protecting the company's network and data. Finding that balance is the challenge, according to the Information Security Forum (ISF). (See Smartphones Remain the Most Vulnerable of Endpoints.)

In a report, Securing Mobile Apps: Embracing Mobile, Balancing Control, ISF outlines the challenges that come with employees downloading and using mobile apps and steps businesses can take to find a manageable middle ground. It's something that needs to be done, according to Steve Durbin, managing director of ISF, because there's no turning the clock back.

(Source: Flickr)

Mobile devices -- not only smartphones, but also tablets and other Internet of Things (IoT) systems -- now create half of website traffic and users spend twice as much time on them as desktop and laptop PCs, the firm noted.

In addition, as mobile devices become more ingrained in the workforce, more business is being done on them and more data stored in them. All this makes them attractive targets for cybercriminals. Check Point Software in a study last year analyzed 850 organizations around the world that in 2017 had at least 500 mobile devices and found that every one of them sustained a mobile attack, with the average number of attacks tagged at 54. In its study, the company also found that two-thirds of security professionals doubted that their companies could prevent their employee devices from being breached, and 94% report that they expect the frequency of attacks to increase.

ISF found that businesses were vulnerable in a number of ways.

Apps are key
Fifty percent of organizations have no budget for mobile security, and half of employees who choose to use their personal devices for business purposes -- the crux of BYOD -- do so without their employer knowing. Sixty percent of IT and security professionals expect their companies to be breached through an insecure app.

Apps are key to mobile security, Durbin said.

Mobile devices are always on and always connected, yet lack the security protection that is put on IT systems. Given that, app security is a crucial part of ensuring the mobile device remains secure and thus the corporate network is protected. Mobile app security firm NowSecure found in its 2016 security report that 25% of all mobile apps have at least one high-risk security flaw and that 35% of communications sent via mobile devices are unencrypted.

In addition, the average mobile device connects to 160 unique servers every day. (See Endpoint Security: A Never-Ending Battle to Keep Up.)

All that creates a conundrum for IT security professionals, according to ISF. The business world has gone mobile and that will only increase. At the same time, the mobile devices and apps that are downloaded by users are increasing the security threat to corporations and their networks. They are always on, always connected and are easily lost or stolen, and employees can download apps without the knowledge or consent of their employers.

"It is very much a company-culture issue and, perhaps more importantly, a user-culture issue," Durbin told Security Now in an email. "Mobile is user-driven and requires companies to adapt to the way in which their people are using technology. Users want to collaborate, to multi-task, to have easy access to information and systems, which is one of the reasons why mobile has become so popular as the access device of choice. Many companies are having to play catch-up with that cultural shift and for some that is a very real challenge."

Finding a balance
Somewhere in the middle is the necessary balance of mobility and security.

ISF's report points to several steps that companies can take to increase mobile security, including reducing the number of unauthorized apps that are downloaded, managing updates, developing secure apps and managing risk from insecure mobile devices. The organization also lists important lessons, the first being that managing apps and the risk they bring means knowing everything about the apps -- what they do, what data they're processing and who is running them.

(Source: ISF)

ISF also recommends pragmatism, deciding whether an app is used based on risk, user satisfaction and its ability to meet business needs. In addition, security support for mobile apps should be similar to that of other types of business applications.

Where companies stand in securing mobile is a "mixed state," according to Durbin.

"Some companies have the situation well under control and have done for some while now with well established guidelines for the use of mobile devices and processes for download and use of mobile apps," Durbin said. "Others are not in that position and given the nature of mobile -- which by definition is user-driven, on the move with constant use, upload, download and sharing of information -- the need for continuous monitoring of the mobile use policy along with education of the user base should be a mainstream feature of business as usual for the majority of organizations."

They need to find that balance, he said. They can't turn back the clock to a less mobile time, and "companies that cannot adapt will be left behind and undoubtedly lose competitive advantage, whether that be in attraction and retention of staff or of customers. We are now in a mobile access era and companies will need to adapt if they have not already done so."


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
