Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security

6/11/2018
09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

ISF: Balance Is Key to Mobile Security

As the workforce becomes more mobile, companies can't lock everything down but also can't risk leaving their mobile environments wide open, Information Security Forum finds.

Mobile devices have become essential in the modern work environment and represent a significant security headache for IT departments that are trying to make them safer while still allowing employees to use them to do their jobs.

It's a concern that has plagued most businesses since the rise of BYOD (bring-your-own-device) a decade ago.

Somewhere along the security spectrum of locking down all devices and taking a hands-off approach is the sweet spot that allows for an increasingly mobile workforce while protecting the company's network and data. Finding that balance is the challenge, according to the Information Security Forum (ISF). (See Smartphones Remain the Most Vulnerable of Endpoints.)

In a report, Securing Mobile Apps: Embracing Mobile, Balancing Control, ISF outlines the challenges that come with employees downloading and using mobile apps and steps businesses can take to find a manageable middle ground. It's something that needs to be done, according to Steve Durbin, managing director of ISF, because there's no turning the clock back.

Mobile devices -- not only smartphones, but also tablets and other Internet of Things (IoT) systems -- now create half of website traffic and users spend twice as much time on them as desktop and laptop PCs, the firm noted.

In addition, as mobile devices become more ingrained in the workforce, more business is being done on them and more data stored in them. All this makes them attractive targets for cybercriminals. Check Point Software in a study last year analyzed 850 organizations around the world that in 2017 had at least 500 mobile devices and found that every one of them sustained a mobile attack, with the average number of attacks tagged at 54. In its study, the company also found that two-thirds of security professionals doubted that their companies could prevent their employee devices from being breached, and 94% report that they expect the frequency of attacks to increase.

ISF found that businesses were vulnerable in a number of ways.

Apps are key
Fifty percent of organizations have no budget for mobile security, and half of employees who choose to use their personal devices for business purposes -- the crux of BYOD -- do so without their employer knowing. Sixty percent of IT and security professionals expect their companies to be breached through an insecure app.

Apps are key to mobile security, Durbin said.

Mobile devices are always on and always connected, yet lack the security protection that is put on IT systems. Given that, app security is a crucial part to ensuring the mobile device remains secure and thus the corporate network is protected. Mobile app security firm NowSecure found in its 2016 security report that 25% of all mobile apps have at least one high-risk security flaw and that 35% of communications sent via mobile devices are unencrypted.

In addition, the average mobile device connects to 160 unique servers every day. (See Endpoint Security: A Never-Ending Battle to Keep Up.)

All that creates a conundrum for IT security professionals, according to ISF. The business world has gone mobile and that will only increase. At the same time, the mobile devices and apps that are downloaded by users are increasing the security threat to corporations and their networks. They are always on, always connected and are easily lost or stolen, and employees can download apps without the knowledge or consent of their employers.

"It is very much a company-culture issue and, perhaps more importantly, a user-culture issue," Durbin told Security Now in an email. "Mobile is user-driven and requires companies to adapt to the way in which their people are using technology. Users want to collaborate, to multi-task, to have easy access to information and systems, which is one of the reasons why mobile has become so popular as the access device of choice. Many companies are having to play catch-up with that cultural shift and for some that is a very real challenge."

Finding a balance
Somewhere in the middle is the necessary balance of mobility and security.

ISF's report points to several steps that companies can take to increase mobile security, including reducing the number of unauthorized apps that are downloaded, managing updates, developing secure apps and managing risk from insecure mobile devices. The organization also lists important lessons, the first being that managing apps and the risk they bring means knowing everything about the apps -- what they do, what data they're processing and who is running them.

ISF also recommends pragmatism, deciding whether an app is used based on risk, user satisfaction and its ability to meet business needs. In addition, security support for mobile apps should be similar to that of other types of business applications.

Where companies are in securing mobile as is a "mixed state," according to Durbin.

"Some companies have the situation well under control and have done for some while now with well established guidelines for the use of mobile devices and processes for download and use of mobile apps," Durbin said. "Others are not in that position and given the nature of mobile -- which by definition is user-driven, on the move with constant use, upload, download and sharing of information -- the need for continuous monitoring of the mobile use policy along with education of the user base should be a mainstream feature of business as usual for the majority of organizations."

They need to find that balance, he said. They can't turn back the clock to a less mobile time, and "companies that cannot adapt will be left behind and undoubtedly lose competitive advantage, whether that be in attraction and retention of staff or of customers. We are now in a mobile access era and companies will need to adapt if they have not already done so."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27621
PUBLISHED: 2020-10-22
The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inab...
CVE-2020-27620
PUBLISHED: 2020-10-22
The Cosmos Skin for MediaWiki through 1.35.0 has stored XSS because MediaWiki messages were not being properly escaped. This is related to wfMessage and Html::rawElement, as demonstrated by CosmosSocialProfile::getUserGroups.
CVE-2020-27619
PUBLISHED: 2020-10-22
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
CVE-2020-17454
PUBLISHED: 2020-10-21
WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal b...
CVE-2020-24421
PUBLISHED: 2020-10-21
Adobe InDesign version 15.1.2 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .indd file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.