In-brief: organizations need to better understand mobile risks if they want to protect critical data, writes Aaron Cockerill of the firm Lookout.
Mobile devices have become an integral part of enterprises’ critical infrastructure, allowing for increased productivity and flexibility. As mobility increases, so does the amount of sensitive corporate data being used on these devices. Threats, vulnerabilities, and other potential risks to data that affect PCs also apply to mobile endpoints, yet most companies do little, or nothing to secure mobile devices. Enterprises must rethink and redefine their approach to risk management in the mobile world, and re-architect security solutions accordingly.
The first step towards mitigating mobile risk is to acknowledge that the world has changed and that your security must change with it. Critical data is constantly being accessed by mobile devices. Employees use the same device to send confidential emails, snap family photos, inspect customer records and documents, get directions to meetings, and scrutinize financial reports. Because these devices operate on networks outside your control, there is no visibility into the use of sensitive corporate data, and little or no ability to enforce security policies or behaviors.
The next step is to understand and quantify the security risks associated with enterprise mobility. By understanding these risks, organizations can better implement the right strategy to protect critical data, while still encouraging the benefits of mobility.
The Mobile Risk Matrix
To make this task less daunting, Lookout developed the Mobile Risk Matrix. Its purpose is to help security organizations understand the impact and likelihood of threats, vulnerabilities, and behavioral or configuration issues in the mobile world. This matters because enterprises now have quantitative data on these risks, allowing CISOs to prioritize mobility in their security strategy.
To create the matrix, we analyzed data from our uniquely massive global dataset of mobile code, device software, web, and network attacks compiled from both enterprise and personal active users, together with our ten years of research into mobile risks.
Understanding Mobile Threats
Mobile threats are being reported with increasing frequency. They also continue to increase in sophistication, with the Pegasus spyware on iOS and Android as the ultimate example of a professional mobile espionage attack. Pegasus is classified as a device threat in the Mobile Risk Matrix. However, the full attack includes spear-phishing a target (a web and content threat) and exploiting multiple previously unknown (zero-day) operating system vulnerabilities to remotely jailbreak the device.
Lookout found that over the fourth quarter of 2016 and first quarter of 2017, 47 in 1,000 Android enterprise devices encountered app-based threats.
Measuring Risk from Device Vulnerabilities
We all understand the necessity of protecting against vulnerabilities in our enterprise systems; few, however, translate this need to mobile devices. At best, companies look at the version of the mobile operating system as a guide to vulnerabilities, and even this fails in the fragmented Android ecosystem, where the OS version alone says little about the security patch level actually installed. Companies constantly monitor for vulnerabilities in corporate applications, but since users choose the apps on their mobile devices, enterprises are not in the loop. Most enterprises have no visibility into vulnerabilities on mobile devices and apps that put corporate data at risk.
The Mobile Risk Matrix shows that as of April 2017, just 43% of users have updated their iOS operating system above 10.3.
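The following script is an added example and is not Lookout's code or part of the Mobile Risk Matrix. It shows one way a security team could measure the device-vulnerability element of mobile risk from a fleet inventory: for each platform it reports the share of devices below a minimum OS version, and for Android it additionally checks the age of the security patch level, since version alone is a poor guide on that platform. The inventory records, the minimum-version policy and the 90-day patch age threshold are all constructed, illustrative values, not Lookout's data or recommendations.

```python
"""Fleet OS-version risk measurement (added example, not Lookout's code).

The device inventory and the policy thresholds below are constructed
placeholders for illustration; substitute your MDM/EMM export and your
own policy values.
"""
from collections import defaultdict
from datetime import date


def parse_version(version):
    """Turn a dotted version string such as '10.3.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


# Constructed sample inventory (not real devices or real data).
INVENTORY = [
    {"id": "d1", "platform": "ios", "os_version": "10.3.1", "patch_level": None},
    {"id": "d2", "platform": "ios", "os_version": "10.2", "patch_level": None},
    {"id": "d3", "platform": "ios", "os_version": "10.3", "patch_level": None},
    {"id": "d4", "platform": "android", "os_version": "7.1.1", "patch_level": "2017-04-01"},
    {"id": "d5", "platform": "android", "os_version": "7.0", "patch_level": "2016-11-01"},
    {"id": "d6", "platform": "android", "os_version": "6.0.1", "patch_level": "2017-03-01"},
]

# Hypothetical policy: minimum OS version per platform; for Android also a
# maximum age of the security patch level, because the version number alone
# does not tell you whether recent fixes are installed.
POLICY = {
    "ios": {"min_version": "10.3"},
    "android": {"min_version": "7.0", "max_patch_age_days": 90},
}


def device_findings(device, policy, today):
    """Return the list of policy findings for one device (empty list = in policy)."""
    findings = []
    rules = policy[device["platform"]]
    if parse_version(device["os_version"]) < parse_version(rules["min_version"]):
        findings.append("os_below_minimum")
    max_age = rules.get("max_patch_age_days")
    if max_age is not None:
        if device["patch_level"] is None:
            # Unknown patch level is itself a visibility gap worth counting.
            findings.append("patch_level_unknown")
        else:
            age_days = (today - date.fromisoformat(device["patch_level"])).days
            if age_days > max_age:
                findings.append("patch_level_stale")
    return findings


def measure_fleet(inventory, policy, today):
    """Summarise, per platform, how many devices are out of policy and why."""
    per_platform = defaultdict(
        lambda: {"devices": 0, "out_of_policy": 0, "findings": defaultdict(int)}
    )
    for device in inventory:
        summary = per_platform[device["platform"]]
        summary["devices"] += 1
        findings = device_findings(device, policy, today)
        if findings:
            summary["out_of_policy"] += 1
        for name in findings:
            summary["findings"][name] += 1
    return {
        platform: {
            "devices": s["devices"],
            "out_of_policy": s["out_of_policy"],
            "share_out_of_policy": round(s["out_of_policy"] / s["devices"], 2),
            "findings": dict(s["findings"]),
        }
        for platform, s in per_platform.items()
    }


if __name__ == "__main__":
    # Fixed reference date so the constructed sample gives stable results.
    for platform, report in measure_fleet(INVENTORY, POLICY, date(2017, 4, 30)).items():
        print(platform, report)
```

The share of out-of-policy devices per platform is the kind of number the matrix asks you to produce for this risk element; tracking it over time, rather than as a one-off, is what turns it into a measurement of whether your controls are working.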
Risks from Behaviors & Configurations Can Come From Apps, Devices and Employees
Employees in many cases are introducing mobile risk into an organization because they’re often using their own devices for work, and these devices are much more likely to be configured in ways that conflict with an organization’s security policy. Many CISOs want to enable a BYOD policy, but need visibility into behaviors and configurations to confidently secure corporate data.
The Mobile Risk Matrix shows that 30% of all apps access contacts across enterprise iOS devices protected by Lookout.
Protecting Against the Spectrum of Mobile Risk
No two organizations’ use of mobile is alike. Each will have different needs that are functions of their unique business. After assessing the likelihood and impact of these risks, organizations will be in a better position to plan their bespoke mobile security strategy, rather than pursuing a “one-size-fits-all” model. Start this process by asking two key questions of your security organization:
- How are you measuring the risk from each element of the matrix in your current environment?
- How are you controlling for that element of your mobile risk?
Enterprises that gain visibility into the entire spectrum of risk, and that also provide an effective mobile threat defense, assurance that sensitive corporate data is handled properly, and mobile vulnerability management, will enable their organizations to get the most value from mobile technology, securely.
In today’s enterprise environment, organizations that enable employees to get the most value from mobile technology will see a more flexible and productive workforce. However, it is critical that as mobile adoption increases, so does the focus on securing enterprise and employee devices. With visibility into the Spectrum of Mobile Risk, organizations can feel empowered to identify, assess, and act on the risks that mobility poses to critical data.
Aaron Cockerill is the Chief Strategy Officer at Lookout where he is responsible for developing, validating and implementing cross-functional strategic product initiatives that align with the Lookout vision of a secure connected world.