
Concerned about mobile vulnerabilities, CIOs add security layers

IT leaders are adding more security layers in an effort to protect against mobility threats. What tools are in their portfolios?

Cybersecurity has become a top-level priority for enterprises, but a majority of leaders say their organizations still face significant security risk -- with mobile vulnerabilities a big contributor to that heightened risk profile.

In its "2016 Annual Security Report," Cisco found that 65% of respondents believe they're facing a significant level of security risk, with 50% listing mobility at high risk for a security breach.

Meanwhile, 451 Research, in its "2016 US Enterprise Mobility: IT Decision-Maker Survey," reports that mobile security is the No. 1 technology priority among the leaders it polled.

That's how it should be, said Chris Marsh, research director of enterprise mobility channel at 451 Research. Mobile capabilities have introduced numerous new vulnerabilities in recent years.


Smartphones and tablets are easily lost or stolen, employees download apps with malicious code, users access malicious Wi-Fi networks -- all of which can expose data to loss or theft and potentially can even expose corporate systems to targeted attacks or opportunistic hackers.

"If you just protect one piece, you're still vulnerable," said Yuri Diogenes, senior member of the Fort Worth chapter of the Information Systems Security Association (ISSA), a professor at EC-Council University and author of multiple IT and security-related books.


In response, experts said leading IT executives are introducing more layers of security to their mobile environment.

Some strategies already have a strong foothold in the mobile security platform at many organizations, experts agreed. Security layers include containerization, in which corporate apps and data are essentially contained on the mobile device separate from the employee's personal elements, and mobile device management (MDM) tools that allow the enterprise to remotely access devices to enforce certain security measures (e.g., encryption) and to take certain security actions (e.g., wiping all data from lost or stolen devices).

These security layers fall under the header of enterprise mobility management, which in many organizations includes MDM for device management, secure mobile containers, secure content collaboration and enterprise access controls.

Security layers: Tools and technologies

Tools and technologies that increasingly show up in the security portfolio at organizations include:

    • Biometrics. Some companies, particularly in highly regulated industries such as finance, are moving beyond passwords and even two-factor authentication to using fingerprints and other user biometrics to allow device access, said Nisha Sharma, a managing director in Accenture Mobility, part of Accenture Digital.
    • Monitoring. Monitoring traffic on the network and looking for suspicious activity coming from mobile devices, such as users trying to interact with off-limits data, is another strategy within a growing number of organizations. Such monitoring allows organizations to "know what mobile devices are connecting to their networks, especially via wireless entry points and what data and potential malware they might expose the network to," explained Andrea Hoy, president of the ISSA International Board of Directors. "There are tools that specifically monitor wireless access that support seeing rogue devices detected via wireless, but very hard to differentiate without monitoring."
    • Advanced testing tools. Vendors have introduced more tools that allow developers to better test that the mobile apps used within the enterprise are as secure as they should be, Sharma said. These tools can be used on proprietary apps as well as publicly available ones.
    • MAM. Mobile application management (MAM) software is similar to MDM technology, but instead of targeting the device, it applies to the applications, Diogenes explained. MAM often appeals to organizations with BYOD policies whose employees don't want the company controlling their devices. MAM also allows enterprises to customize the user experience for each app. Moreover, because MAM doesn't manage devices, employees can use new or different mobile devices without first registering those devices with the company. MAM, though, can require more IT resources to administer, Diogenes said. And it may not be the right fit for every enterprise. MDM allows organizations to authenticate both the user and the device, and some organizations, particularly those with high security requirements, want dual authentication.
