There was a time when mobile devices just didn’t face the same kind of threats from attackers and malware as full-featured operating systems did. Those days are gone. Criminals, spies and whoever wants to access data have to make the transition to exploiting mobile devices because that’s where the users, apps and data reside today.
The market research firm Gartner estimates that by the end of next year, the enterprise user’s thirst for mobile apps will be five times the rate that mobile app development teams can deliver. The 2015 comScore Mobile App Report found that mobile devices account for well over half of Internet usage. If users are there, you can bet criminals and other attackers are too.
So how do enterprises protect their mobile users, apps and data? Here are six foundations I think should be part of any enterprise security effort:
1. Allow users to choose their mobile devices from a selection that can be securely managed and maintained.
While some employees will want to be able to bring any mobile device they wish, for some jobs and industries, that’s really not a viable option. However, that doesn’t mean employees should go without devices they enjoy — and want — to use. Enterprise IT should be able to manage and support multiple platforms, allowing employees to pick the devices that can be kept secure, patched and updated. Devices that can’t be reasonably secured shouldn’t be allowed on the network.
2. Focus on securing apps and data, not devices.
Too many enterprise IT and security teams look for ways to manage the physical devices, or at least that’s where they place most of their attention. The focus instead needs to be on securing access to specific apps and data. This can and should include everything from providing multi-factor authentication for certain apps and resources to remote device wipe, as well as data-access tracking and policy enforcement.
3. Segment personal from work.
A couple of years ago, mobile phone makers started providing ways to segment enterprise and business apps from personal apps and data. This should be something welcomed by both parties. Employees and contractors get to use the phone the way they want on the personal side, and the enterprise can enforce security and regulatory compliance the way it needs. Should the relationship with the employee or contractor change, enterprise data can be wiped without having to worry about destroying personal data. Likewise, should an employee download a malicious game or app on the personal side of the device, enterprise data isn’t at significant risk.
4. Get security engaged in mobile and mobile app/data efforts.
As new apps and cloud services are deployed, enterprises need to make sure they are vetted for their level of security, from the code to the security processes and capabilities of the services provider. For apps that are designed and developed in-house, security should have a role in the design. Since different apps have different types of data and user profiles, application security teams need to make sure those apps are designed, deployed and managed securely and appropriately.
5. Vet cloud apps and platforms.
More businesses are turning to cloud platforms, and many of these services, such as Quicken and Salesforce, can be highly customized. Whenever a part of the business wants to use such a platform, the enterprise needs to vet it to make certain the platform as well as the apps developed (many of which will be used on mobile devices) are secure.
6. Keep an eye out for — and employees aware of — mobile threats.
The threats that target mobile devices are always growing and getting better. The malware is getting more sophisticated, and the attacks are increasing. According to the McAfee Labs 2016 Mobile Threat Report, of 150 million app scans in more than 190 countries, 9 million had malware, 9 million had suspicious apps, 3 devices were infected and 1 million apps had low-trust scores.
If the mobile threat landscape proves to be anything like the notebook and desktop landscape, things are just getting going right now.