
Next-generation security for a mobile culture: 10 risks, seven pointers

Mobile devices now outnumber people worldwide. Mass mobilization calls for next-generation security tools and some forward thinking on the part of CIOs.

Most of us consider cybersecurity, with good reason, to be a technology problem. As with most "problems," the industry has risen to the challenge by offering more and more sophisticated tech-based solutions. Within the mobile space, disciplines like enterprise mobility management (EMM), mobile application management (MAM) and next-generation encryption (NGE) have entered our vocabulary (and our IT budgets), complete with all of the requisite tools, methodologies, standards and procedures (and vendor offerings) befitting such an august and rapidly growing domain. Not surprisingly, despite a nearly $2 billion industry spend on mobile security in 2014, many still believe that significantly more investment is required to keep us safe. With all due respect, I suggest that extolling the need for increased spending on mobile cybersecurity is a bit like making the case for buying a bigger, better cork after you have left the dock, lost sight of the shoreline and found that your rowboat has sprung a leak.

According to The Independent, Monday Feb. 16, 2015, "for the first time ever, there are more gadgets in the world than there are people, including a growing number that only communicate with other machines, according to data from digital analysts at GSMA Intelligence. The number of active mobile devices and human beings crossed over somewhere around the 7.19 billion mark."

The Independent shares with us a few other interesting factoids for our consideration:

  • GSMA's real-time tracker estimates that approximately 7.22 billion mobile devices are in use around the world.
  • The U.S. Census Bureau estimates that the number of people inhabiting our planet is somewhere between 7.19 billion and 7.2 billion.
  • The number of tablets, smartphones and not-so-smart phones is growing five times faster than the human population, which is currently growing at about two people per second, or 1.2% annually.

"No other technology has impacted us like the mobile phone. It's the fastest-growing man-made phenomenon ever -- from zero to 7.2 billion in three decades," said Kevin Kimberlin, chairman of Spencer Trask & Co.

Source: Davies Boren, Zachary. "There are officially more mobile devices than people in the world," The Independent, Oct. 7, 2014.

Let's look at where we are and, perhaps more importantly, where we are headed.

The current state of the art

EMM: "Enterprise mobility management (EMM) is an all-encompassing approach to securing and enabling employee use of smartphones and tablets. In addition to addressing security concerns, a strong EMM strategy also helps employees be more productive by providing them with the tools they need to perform work-related tasks on mobile devices."

Source: "What is enterprise mobility management (EMM),"

More and more enterprises have begun to exploit the business value of untethering their connected staff. Sales people routinely carry tablets, smartphones and wireless payment devices. Medical personnel have replaced traditional clipboards with virtual technologies that offer advice in addition to keeping records and retrieving history not necessarily available within the sheaves of seemingly randomly organized paper forms held together by those big metal clips. Factory workers have similarly replaced clipboards and fixed-station PCs with mobile devices that scan, monitor, detect, diagnose, and provide process feedback and control information that streamline and improve plant efficiency and output. Trends like consumerization and BYOD have "encouraged" our corporate establishment (in most cases) to embrace mobility and take steps to ensure continued security.

Today's enterprises are challenged to create and maintain mobile strategies that are aligned with business objectives and processes and integrated into the overall infrastructure and cybersecurity architectures. Those architectures must support mobile workers wherever the "workplace" happens to be: during work hours in physical places, behind enterprise firewalls or, more simply, anytime, anywhere, on any available device and/or network. EMM helps to bring order to this seemingly unmanageable chaos.

MAM: "Mobile application management is the delivery and administration of enterprise software to end users' corporate and personal smartphones and tablets."

Source: "What is mobile application management (MAM),"

Next Generation Encryption (NGE), Cisco's name for the suite, is composed of publicly available algorithms, standards and processes that were created and reviewed globally. It is the result of more than 30 years of advances in cryptography, with each component developed and tested independently by groups from industry, government and academia working in collaboration. For example, the Advanced Encryption Standard (AES), originally called Rijndael and created by two Belgian cryptographers, was adopted and endorsed by the U.S. National Institute of Standards and Technology (NIST). The Elliptic Curve Digital Signature Algorithm (ECDSA) and the Elliptic Curve Diffie-Hellman (ECDH) key agreement protocol were shaped by contributions from cryptographers and computer scientists in Japan, Canada and the United States. Note that ECDH on its own is anonymous, i.e., unauthenticated: it establishes a shared secret but says nothing about who is on the other end, which is why it is deployed together with a signature scheme such as ECDSA.

The Secure Hash Algorithm 2 (SHA-2) family (SHA-224, SHA-256, SHA-384 and SHA-512) is a set of cryptographic hash functions designed by the U.S. National Security Agency (NSA). By comparing the computed "hash" (the output of the algorithm) to a known and expected value, data integrity can be confirmed, e.g., computing the hash of a downloaded file and comparing the result to a previously published value exposes any modification of the file. Two caveats matter in practice: the published value must itself arrive over a channel the attacker cannot alter (a hash served from the same mirror as the download proves nothing), and a bare hash says nothing about who produced the data, so origin authentication needs a signature or a keyed MAC on top. An important attribute of a cryptographic hash function is its one-way nature: given only a computed hash value, it is computationally infeasible to recover the original data.
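As an added illustration, not part of the original article, here is what that download check looks like in Go using the standard library's SHA-2 implementations. It accepts the checksum in the sha256sum/sha384sum format in which vendors usually publish it, picks the SHA-2 member from the digest length, and compares in constant time. The sample "file" and its published digest are constructed for the example (they are the FIPS 180 "abc" test vector); the function names are the example's own.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// ParseChecksum accepts either a bare hex digest or a sha256sum/sha384sum-style
// line ("<hex>  <filename>"), normalising case and whitespace, and returns the
// decoded digest bytes.
func ParseChecksum(published string) ([]byte, error) {
	fields := strings.Fields(published)
	if len(fields) == 0 {
		return nil, fmt.Errorf("empty checksum")
	}
	want, err := hex.DecodeString(strings.ToLower(fields[0]))
	if err != nil {
		return nil, fmt.Errorf("checksum is not hex: %w", err)
	}
	return want, nil
}

// VerifyIntegrity recomputes the SHA-2 digest of data and compares it with the
// published value in constant time. The family member is chosen from the
// published digest length: 32 bytes = SHA-256, 48 = SHA-384, 64 = SHA-512.
// A match proves only that data equals whatever the publisher hashed; it is
// meaningful only if `published` came over a channel the attacker could not
// alter (a signed release page, not the same mirror as the download).
func VerifyIntegrity(data []byte, published string) (bool, error) {
	want, err := ParseChecksum(published)
	if err != nil {
		return false, err
	}
	var got []byte
	switch len(want) {
	case sha256.Size:
		s := sha256.Sum256(data)
		got = s[:]
	case sha512.Size384:
		s := sha512.Sum384(data)
		got = s[:]
	case sha512.Size:
		s := sha512.Sum512(data)
		got = s[:]
	default:
		return false, fmt.Errorf("unsupported digest length %d bytes", len(want))
	}
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	// Constructed sample: the FIPS 180 test message "abc" standing in for a
	// downloaded file, and its published SHA-256 in sha256sum format.
	file := []byte("abc")
	published := "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  firmware.bin"
	ok, err := VerifyIntegrity(file, published)
	fmt.Println("intact download:", ok, err)
	tampered := append([]byte{}, file...)
	tampered[0] ^= 0x01 // flip a single bit
	ok, err = VerifyIntegrity(tampered, published)
	fmt.Println("tampered download:", ok, err)
}
```

The constant-time comparison is not strictly necessary for a public digest, but it costs nothing and keeps the same routine safe to reuse for MAC tags, where a byte-by-byte early exit would leak timing.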

The NSA's Suite B specification selected exactly this combination, AES, ECDSA, ECDH and SHA-2, as sufficient to protect classified information, with key and digest sizes tied to the classification level: AES-128, the P-256 curve and SHA-256 for Secret, and AES-256, the P-384 curve and SHA-384 for Top Secret.

Source: "Next Generation Encryption," Cisco; "Suite B Cryptography," National Security Agency (NSA); "Elliptical curve cryptography,"
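To show how the four Suite B pieces fit together, here is an added example in Go, not Cisco's or the NSA's code and not from the original article: each side signs an ephemeral ECDH P-384 public key with a long-term ECDSA P-384 identity key, the ECDH shared secret is run through a SHA-384-based one-step KDF, and the resulting 256-bit key drives AES-GCM. That is the Top Secret parameter set. The single-message handshake layout, the KDF info string and all type and function names are assumptions made for the example; a real deployment would use a full standardised KDF and provisioned, certified identity keys rather than freshly generated ones.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// Hello is the one handshake message each side sends: an ephemeral ECDH P-384
// public key and an ECDSA P-384 signature over SHA-384(EphPub) by the sender's
// identity key. Bare ECDH is unauthenticated; the signature is what stops an
// in-path attacker from substituting its own ephemeral key.
type Hello struct{ EphPub, Sig []byte }

// NewIdentity generates a long-term ECDSA P-384 signing key (fresh for the demo).
func NewIdentity() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
}

// Start generates the ephemeral ECDH key and signs its public half.
func Start(identity *ecdsa.PrivateKey) (eph *ecdh.PrivateKey, h Hello, err error) {
	if eph, err = ecdh.P384().GenerateKey(rand.Reader); err != nil {
		return
	}
	h.EphPub = eph.PublicKey().Bytes()
	digest := sha512.Sum384(h.EphPub)
	h.Sig, err = ecdsa.SignASN1(rand.Reader, identity, digest[:])
	return
}

// Finish verifies the peer's signed ephemeral key, completes ECDH and derives a
// 256-bit AES key from the shared secret Z with a one-step KDF in the style of
// NIST SP 800-56A, SHA-384(counter || Z || info), truncated to 32 bytes.
func Finish(mine *ecdh.PrivateKey, peer Hello, peerIdentity *ecdsa.PublicKey) ([]byte, error) {
	digest := sha512.Sum384(peer.EphPub)
	if !ecdsa.VerifyASN1(peerIdentity, digest[:], peer.Sig) {
		return nil, errors.New("peer ephemeral key not signed by the expected identity")
	}
	peerPub, err := ecdh.P384().NewPublicKey(peer.EphPub)
	if err != nil {
		return nil, err
	}
	z, err := mine.ECDH(peerPub) // raw shared secret; never used directly as a key
	if err != nil {
		return nil, err
	}
	key := sha512.Sum384(append(append([]byte{0, 0, 0, 1}, z...), "demo-aes256gcm-v1"...))
	return key[:32], nil
}

// NewAEAD returns AES-256-GCM under a derived key.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts, prepending the random 96-bit nonce to the ciphertext.
func Seal(gcm cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; the GCM tag check turns any tampering into an error.
func Open(gcm cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// RunExchange runs the handshake between two identities and returns the key
// each side derived, so a caller can confirm they agree.
func RunExchange(idA, idB *ecdsa.PrivateKey) (keyA, keyB []byte, err error) {
	ephA, helloA, err := Start(idA)
	if err != nil {
		return nil, nil, err
	}
	ephB, helloB, err := Start(idB)
	if err != nil {
		return nil, nil, err
	}
	if keyA, err = Finish(ephA, helloB, &idB.PublicKey); err != nil {
		return nil, nil, err
	}
	keyB, err = Finish(ephB, helloA, &idA.PublicKey)
	return keyA, keyB, err
}

func main() {
	idA, _ := NewIdentity()
	idB, _ := NewIdentity()
	keyA, keyB, err := RunExchange(idA, idB)
	fmt.Printf("err=%v, both sides derived the same key: %v\n", err, string(keyA) == string(keyB))
}
```

Dropping the signature check in Finish is exactly the "anonymous ECDH" trap described above: without it, anyone on the path can answer with their own ephemeral key and hold a separate session with each side.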

Top 10 mobile security risks

When enterprises began to deal with mobile security, it was about protecting corporate email and data. The "big event" was an employee losing a laptop or mobile phone in an airport, restaurant or wherever else employees go and become distracted by activities more compelling in the moment than protecting corporate assets (I am not going there; use your own imagination). Needless to say, given the continued explosion of mobile devices and capabilities (think: more devices than people on the planet), worrying about passwords on mobile phones or encryption on laptop hard drives is what most would now call merely a good start.

According to the Open Web Application Security Project, or OWASP, the top 10 mobile security risks in 2014 included:

  1. Weak server-side controls
  2. Insecure data storage
  3. Insufficient Transport Layer protection
  4. Unintended data leakage
  5. Poor authorization and authentication
  6. Broken cryptography
  7. Client-side injection
  8. Security decisions via untrusted inputs
  9. Improper session handling
  10. Lack of binary protections

Ask yourself how many of these risks your organization has been or is currently exposed to. If your answer is a number greater than zero, you have a couple of options: (a) rethink your mobile security strategy and implement an enhanced plan or (b) rethink your career path and rewrite your resume, post it and hope that it goes viral.
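Risks 1, 5 and 8 on the list (weak server-side controls, poor authorization and authentication, and security decisions via untrusted inputs) usually appear together, and risk 9 (improper session handling) is where the fix lives. The following Go example, added here and not taken from OWASP or the original article, puts a vulnerable admin endpoint that trusts a client-supplied role header beside a hardened one that derives the role from a server-side session keyed by an opaque random bearer token. The header name X-Role, the route paths and the in-memory session store are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"log"
	"net/http"
	"strings"
	"sync"
)

// Principal is what the server itself knows about an authenticated user.
type Principal struct {
	User  string
	Admin bool
}

// SessionStore maps opaque, server-issued bearer tokens to principals. The
// role lives here, on the server, never in anything the client sends.
type SessionStore struct {
	mu sync.Mutex
	m  map[string]Principal
}

func NewSessionStore() *SessionStore { return &SessionStore{m: map[string]Principal{}} }

// Issue creates a 256-bit random token for p: unguessable, and meaningless
// without the server-side record it points at.
func (s *SessionStore) Issue(p Principal) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.mu.Lock()
	s.m[tok] = p
	s.mu.Unlock()
	return tok, nil
}

func (s *SessionStore) Lookup(tok string) (Principal, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.m[tok]
	return p, ok
}

// WeakAdminHandler shows risks 1, 5 and 8 at once: the server lets the client
// assert its own role, so any caller can add "X-Role: admin" and read everything.
func WeakAdminHandler(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("X-Role") != "admin" {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	w.Write([]byte("all user records"))
}

// HardenedAdminHandler derives the role from server-side session state keyed
// by the bearer token; nothing the client claims about itself is trusted.
func HardenedAdminHandler(store *SessionStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		const scheme = "Bearer "
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, scheme) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		p, ok := store.Lookup(strings.TrimPrefix(auth, scheme))
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !p.Admin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		w.Write([]byte("all user records"))
	}
}

func main() {
	store := NewSessionStore()
	http.HandleFunc("/weak/admin/users", WeakAdminHandler)
	http.Handle("/admin/users", HardenedAdminHandler(store))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The same pattern applies to any claim a mobile client makes about itself (device ID, app version, "is jailbroken: false"): the server may log it, but must not make an access decision on it without verifying it against state it controls.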

Seven-point mobile security checklist

Assuming that you are going with the aforementioned option A, here are a few goals and objectives to consider when formulating your new strategy and plan:

  • Mobile cybersecurity needs to be an integral part of an overall enterprise cybersecurity strategy, architecture, plan and governance structure. Good cybersecurity should be envisioned and implemented from end to end. It should not be siloed or considered a "bolt-on" to existing cybersecurity domains.
  • Requirements for good mobile cybersecurity should be balanced and complementary with requirements for cybersecurity across all channels of the enterprise. Banks, for example, have focused heavily on securing their mobile platforms and have recently, in some cases, been left open to attacks against their websites.
  • Thinking about mobile cybersecurity should include the cybersecurity of all devices; in particular, connect mobile cybersecurity strategies, plans and governance structures to those being developed for the Internet of Things, or IoT. After all, mobile phones, laptops and tablets are things just like connected watches; bracelets; traffic sensors; automobiles (lots of sensors and computers, hard drives and networks); and home automation devices like thermostats, lighting controls, security alarms, etc. All of these "devices" will need to interoperate and maintain security at all levels and stages of operation.
  • Consider using biometrics, e.g., fingerprint scanning, retina scanning, voice recognition, facial recognition, etc., as potential forms of authentication. While biometric technologies have had their challenges in the past, the enormous and rapid proliferation of mobile devices and improvements in the underlying technologies have brought them into the mainstream. Treat a biometric as a local unlock for a device-bound credential rather than as a secret sent to the server: unlike a password, a fingerprint or face cannot be changed once it leaks.
  • Ensure that you are protecting data both at rest and in motion, e.g., platform storage encryption backed by hardware-protected keys on the device, and TLS with proper certificate validation on the wire.
  • Always ensure that all hardware and software components in your environment, including the mobile OS builds and app versions actually deployed in the field, are kept at current, patched releases.
  • Always ensure that you either sunset technologies that are at or beyond end of life, or have implemented a (likely very expensive) plan to maintain their ongoing integrity and security.
