Author: Aaron Cockerill, VP of Products, Lookout
The recent FBI vs. Apple showdown has forced smartphone security and privacy into the spotlight. While a special and tragic case, the debate has truly shown how our mobile phones have become the gateway to just about everything we do, not only in our personal lives, but our professional ones too.
For enterprise CIOs and CISOs, this truth has an especially important implication: mobile devices cannot be treated as a forgotten step-child from a security perspective. Smartphones hold even more sensitive information than what’s sitting inside our PCs, including a unique combination of corporate and personal data. Today, employees demand simultaneous access to work apps like Salesforce and personal apps like Facebook on these devices. Soon, they will expect mobile access to everything, including HR and business apps that hold highly sensitive information, alongside their selfies and games.
Individuals are far more likely to fall for attacks, particularly phishing, when the device is personally enabled, as most corporate-owned devices have become. This is illustrated by a recent study of IT and security leaders which found that for an average Global 2,000 enterprise with 50,000 mobile devices, there are more than 1,700 infected mobile devices connecting to the global network every day. This puts enterprise data at risk, and it’s also costing businesses a total of £8.8 million to manage these infected devices in the workplace.
At the same time, ambiguity around mobile risk persists because news headlines on corporate hacks generally focus on the impact to the business – the data loss – rather than how the attack happened. What’s not reported is that many data breaches are complex and typically involve several stages: for example, a phishing attack, followed by a network penetration, followed by the exploitation of an app vulnerability that gives access to a database.
The key here is that mobile devices are often the tip of the iceberg in a complex attack chain. In fact, the same study also found that two-thirds (67 percent) of organisations reported having had a data breach that resulted directly from employees using their mobile devices to access the company’s sensitive and confidential information. Despite this, 61 percent don’t consider the protection of confidential information accessed by employees with their mobile devices “a priority”.
That said, there is a way for enterprises to be both mobile and secure.
Restricting versus securing
The answer is absolutely not to restrict mobile access or limit the extent of your BYOD programme. That’s an unrealistic solution in today’s workplace, where enterprise mobility is vital.
Cloud access and mobility show no signs of slowing. Less than 20 percent of enterprise apps today are SaaS-based, yet 87 percent of enterprises prefer cloud solutions. We are just scratching the surface when it comes to mobile productivity.
Furthermore, blocking mobile phone access just doesn’t work. Every suitably paranoid CIO should assume that his or her employees are using smartphones for work, whether or not they have a BYOD programme explicitly allowing them to do so.
You don’t know what you don’t know
The answer starts with CIOs gaining visibility into what’s actually happening in their enterprise. This includes seeing which devices are connected to the network, how apps are getting onto devices, whether there’s malware hidden within those apps, and how secure the networks those devices connect to are – all in a manner that does not intrude on employee privacy. This is visibility most organisations simply don’t have.
One respondent to a recent IDG survey of 100 security professionals in large organisations said it took her team an entire month to figure out how they were breached. Just think of the damage an attacker could do in that time. At first, they thought an employee had been leaking sensitive information externally, but later discovered the culprit was a corporate mobile device that had been compromised with malware. If they had known that device was infected to begin with, they likely could have avoided the whole situation.
The mobile path forward
The simple truth is that the world is mobile and if you resist it, you will frustrate your employees and put your enterprise at risk.
I’m not suggesting that enterprises need to worry about mass malware infections from official app stores run by Apple, Google, Amazon, and other name brands. While a few incidents have made headlines recently, there is still a very low probability of malicious attack through these sources. Instead, I anticipate we will see much more sophisticated, targeted attacks on enterprise devices. And as we’ve seen from the data shared above, those attacks are already happening.
The attackers follow the data and your data is going mobile. Take this opportunity to embrace mobility without sacrificing security.