Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security

6/11/2018
09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

ISF: Balance Is Key to Mobile Security

As the workforce becomes more mobile, companies can't lock everything down but also can't risk leaving their mobile environments wide open, Information Security Forum finds.

Mobile devices have become essential in the modern work environment and represent a significant security headache for IT departments that are trying to make them safer while still allowing employees to use them to do their jobs.

It's a concern that has plagued most businesses since the rise of BYOD (bring-your-own-device) a decade ago.

Somewhere along the security spectrum of locking down all devices and taking a hands-off approach is the sweet spot that allows for an increasingly mobile workforce while protecting the company's network and data. Finding that balance is the challenge, according to the Information Security Forum (ISF). (See Smartphones Remain the Most Vulnerable of Endpoints.)

In a report, Securing Mobile Apps: Embracing Mobile, Balancing Control, ISF outlines the challenges that come with employees downloading and using mobile apps and steps businesses can take to find a manageable middle ground. It's something that needs to be done, according to Steve Durbin, managing director of ISF, because there's no turning the clock back.

Mobile devices -- not only smartphones, but also tablets and other Internet of Things (IoT) systems -- now create half of website traffic and users spend twice as much time on them as desktop and laptop PCs, the firm noted.

In addition, as mobile devices become more ingrained in the workforce, more business is being done on them and more data stored in them. All this makes them attractive targets for cybercriminals. Check Point Software in a study last year analyzed 850 organizations around the world that in 2017 had at least 500 mobile devices and found that every one of them sustained a mobile attack, with the average number of attacks tagged at 54. In its study, the company also found that two-thirds of security professionals doubted that their companies could prevent their employee devices from being breached, and 94% report that they expect the frequency of attacks to increase.

ISF found that businesses were vulnerable in a number of ways.

Apps are key
Fifty percent of organizations have no budget for mobile security, and half of employees who choose to use their personal devices for business purposes -- the crux of BYOD -- do so without their employer knowing. Sixty percent of IT and security professionals expect their companies to be breached through an insecure app.

Apps are key to mobile security, Durbin said.

Mobile devices are always on and always connected, yet lack the security protection that is put on IT systems. Given that, app security is a crucial part to ensuring the mobile device remains secure and thus the corporate network is protected. Mobile app security firm NowSecure found in its 2016 security report that 25% of all mobile apps have at least one high-risk security flaw and that 35% of communications sent via mobile devices are unencrypted.

In addition, the average mobile device connects to 160 unique servers every day. (See Endpoint Security: A Never-Ending Battle to Keep Up.)

All that creates a conundrum for IT security professionals, according to ISF. The business world has gone mobile and that will only increase. At the same time, the mobile devices and apps that are downloaded by users are increasing the security threat to corporations and their networks. They are always on, always connected and are easily lost or stolen, and employees can download apps without the knowledge or consent of their employers.

"It is very much a company-culture issue and, perhaps more importantly, a user-culture issue," Durbin told Security Now in an email. "Mobile is user-driven and requires companies to adapt to the way in which their people are using technology. Users want to collaborate, to multi-task, to have easy access to information and systems, which is one of the reasons why mobile has become so popular as the access device of choice. Many companies are having to play catch-up with that cultural shift and for some that is a very real challenge."

Finding a balance
Somewhere in the middle is the necessary balance of mobility and security.

ISF's report points to several steps that companies can take to increase mobile security, including reducing the number of unauthorized apps that are downloaded, managing updates, developing secure apps and managing risk from insecure mobile devices. The organization also lists important lessons, the first being that managing apps and the risk they bring means knowing everything about the apps -- what they do, what data they're processing and who is running them.

ISF also recommends pragmatism, deciding whether an app is used based on risk, user satisfaction and its ability to meet business needs. In addition, security support for mobile apps should be similar to that of other types of business applications.

Where companies are in securing mobile as is a "mixed state," according to Durbin.

"Some companies have the situation well under control and have done for some while now with well established guidelines for the use of mobile devices and processes for download and use of mobile apps," Durbin said. "Others are not in that position and given the nature of mobile -- which by definition is user-driven, on the move with constant use, upload, download and sharing of information -- the need for continuous monitoring of the mobile use policy along with education of the user base should be a mainstream feature of business as usual for the majority of organizations."

They need to find that balance, he said. They can't turn back the clock to a less mobile time, and "companies that cannot adapt will be left behind and undoubtedly lose competitive advantage, whether that be in attraction and retention of staff or of customers. We are now in a mobile access era and companies will need to adapt if they have not already done so."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15703
PUBLISHED: 2020-10-31
There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivile...
CVE-2020-5991
PUBLISHED: 2020-10-30
NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerability in the NVJPEG library in which an out-of-bounds read or write operation may lead to code execution, denial of service, or information disclosure.
CVE-2020-15273
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can ac...
CVE-2020-15276
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1.
CVE-2020-15277
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1.