In the fast-paced modern world, mobile phones are considered invaluable business tools, giving employees the benefit of flexible working and the ability to stay connected wherever there is a signal. But no benefit comes without risk, and choosing mobile is choosing risk. Most devices operate outside the traditional enterprise network, yet connect to it frequently, with employees using mobile devices to access sensitive enterprise data such as work emails or corporate presentations while on the move. The problem is that many of these devices do not have adequate protections installed. At the same time, malicious actors and hackers are finding new ways to specifically target mobiles in the enterprise, because they know the large amounts of data they could unlock can be financially rewarding. The good news is that, like any other risk, mobile risk can be mitigated.
Knowing the components of risk and their threat vectors is half the battle
Lookout recently published a mobile risk matrix, illustrating the array of mobile risks, from apps through to networks, to enable enterprises to accurately identify, assess and secure their mobile workforce. Within the framework, new insights revealed the prevalence of enterprise mobile risks, identified using a massive data set of mobile code from existing enterprise and personal customers. It found that on average, 47 out of 1000 Android enterprise devices encountered an app-based threat, and as of April 14th 2017, 57 per cent of Apple users had not updated their iOS above 10.3 — concerning as 10.3.1 patches code execution flaws that could be exploited via WiFi.
In addition to the app-based threats and outdated operating systems that cause mobile security risks, sensitive app behaviours can also lead to problems such as leakage of enterprise data to rogue apps. This last point is of particular concern because access permissions are not always obvious to the user, and it can pose a significant compliance risk under enterprise security policies or industry regulations. It is obvious that a maps app will need access to GPS to work; it would be more concerning if that same app was also able to access the device's contacts or microphone, since those extra routes into the data make it more financially viable for hackers to invest in finding ways to compromise such apps, given the data returns that can be achieved. To put this in perspective, across the Lookout iOS enterprise device network, 30 per cent of apps access contacts, 30 per cent of apps access GPS, 31 per cent access the calendar, 39 per cent access the microphone and 75 per cent access the camera. From a social interaction perspective, 43 per cent connect to Facebook and 14 per cent connect to Twitter.
Unfortunately, the majority of enterprises do not manage mobile devices, keep track of software updates or set policy around problem applications as they should. Some do not have the right technology in place to do so, while others do not have the expertise to know where to start.
So, where do you start?
Firstly, you need to be able to group together your risk components. For mobile there are three core risk components: threats (mostly external), software vulnerabilities, and behaviour and configuration. Within these categories you can group almost any mobile risk that you will face in the enterprise, from hackers launching a mobile-specific attack through to your CEO downloading a sketchy app without knowing he is putting the business at risk of data leakage.
Secondly, within each of these risk components you have to think about what the threat vectors are. For mobile they are applications, devices, networks, and web and content. With the world rapidly evolving and continuously embracing mobile in the enterprise, knowing what is going on in your enterprise's mobile ecosystem is becoming as critical as knowing the state of your data centre defences. Beyond the risk components and threat vectors, you also have to understand the prevalence of threats, something which may be hard to do without professional mobile-focused solutions in place. For example, do you know which apps are active on your mobile, and do you know which operating system updates and security patches have become available for that device since you last updated? You might know that information for your own device, but you are very unlikely to know it for every device in the enterprise. You will also probably know some of the approved apps in use, but it is unlikely that you will know everything that is going on within your mobile ecosystem.
The reality is that knowing what is going on within your mobile ecosystem is vital to protecting the enterprise, because malicious mobile apps or infected devices can do many nefarious things, from stealing information through to physically damaging devices and monitoring a user's or organisation's activities.
The opportunity to protect your enterprise against the spectrum of mobile risks
Knowing the risk vectors, however, is just half the battle. IT security professionals need to recognise that the spectrum of mobile risks will impact each enterprise differently, and so each enterprise must assess it for itself. There is no magic bullet to make all mobile risks in all enterprises disappear, much as is the case with all cyber security.
The big question is where to start evaluating the business you work for against its own unique risk factors. The following are starter questions to ask when evaluating your enterprise against the spectrum of mobile risk:
- How are you measuring the risk from each element of the matrix in your current environment?
- How are you controlling that element of your mobile risk?
These questions are a good starting point. For forward-thinking enterprises taking mobile risk seriously, there is information out there, and security companies that can help enterprise IT security professionals find the right solutions to mitigate risk and help the business extract the maximum value from mobile and all its benefits.
There is no doubt that most enterprises will find they have very limited visibility into most mobile risks, and are similarly limited in how they can control these risks with existing solutions. The first step towards mitigating mobile risk is to acknowledge that the world has changed and your security needs to change with it. The next step is to understand how mobile risk is affecting the overall security of your business, so you can implement the right strategy to protect your data.
Gert-Jan Schenk, Vice President International, Lookout
Image Credit: Carballo / Shutterstock