Corporate Mobile Security Isn’t Cutting It

Posted on by Robert Ackerman

Let’s get right to the point. It’s almost as if corporations have blinders on regarding some aspects of cybersecurity, in particular mobile security and the vulnerable apps that run on mobile devices.

According to a recent study by Verizon that surveyed 671 professionals in charge of mobile device management at their organizations, companies are clearly falling down on the job when it comes to protecting their mobile assets.

One in three organizations admitted they suffered a breach in recent months due to mobile devices—five percent more than a similar survey a year ago. And the security bar is not high, Verizon found, noting that breaches often occurred because companies failed to meet a basic level of preparedness.

Mobile Security Gets No Respect

When corporate discussions turn to computer security, the reality is that attention is too often focused on personal computers, enterprise computing and the cloud: the computing assets that sit inside the “perimeter” and within the domain of IT security professionals. Mobile security threats usually get short shrift. A decade or so ago, this pretty much made sense.

Back then, mobile malware was considered a new and largely unlikely threat because apps were far less common and, unlike today, few enterprises had BYOD (bring your own device) policies, which substantially complicate security by putting corporate data on devices IT does not fully control. The point is that times change. The mobile security situation today is as different as night and day.

To be sure, things could be worse. Apple® and Android™ have made strides in hardening their operating systems, and security is becoming a top priority in app design.


Also helping is the introduction and growth of DevSecOps. Like its predecessor DevOps, it is a software development and delivery approach that seeks greater efficiency, productivity and quality through close team collaboration. DevSecOps adds security to the mix: security practitioners work alongside developers every step of the way, and security is built into applications from the start rather than applied after the fact. Its tenets include, among other things, automation of security tasks in the build pipeline, threat modeling and risk assessment.

Nonetheless, far more workers today use internet-enabled smartphones, and those devices are targeted by malicious actors armed with deceptive malware. Social engineering cons may seem easy to avoid, but in fact they remain extremely effective.

Working Remotely Is Ubiquitous

More than two-thirds of professionals worldwide work away from the office at least once a week, according to a Switzerland-based office services provider. According to Forrester, tens of millions of information workers use at least three devices, work from multiple locations and typically use several apps to get their work done.

This makes it harder to be secure. Two attacks roughly two years ago underscored the reality that mobile security is still far from bulletproof. In April 2017, an Android version of the Pegasus spyware was disclosed; it masqueraded as a normal app download while secretly gaining root access to devices to conduct broad, long-term surveillance of users. Then, in August, malicious apps distributed through the Google Play Store enrolled infected devices into a botnet that launched widescale denial-of-service attacks against content delivery networks and content providers. Google removed the malicious apps from the Play Store and from all devices on which they were installed, but not before companies had been targeted for nearly a month.

To better cope with malicious actors trying to infiltrate apps, there are still things enterprises can do to protect themselves. These include tighter control of corporate data leakage, better training of employees to recognize phishing attacks, a clearer understanding of the negative impact of Wi-Fi® “interference” (untrusted or hostile wireless networks) and better tracking of Android devices that no longer receive security updates.

Another positive step would be to be more mindful of growing cryptojacking attacks, in which someone uses a device to mine cryptocurrency without the owner’s knowledge. Others would be better password hygiene and paying more attention to Internet of Things (IoT) malware, which is already being sold on underground forums.

Here are some additional details on some of these points:

  • So-called data leakage has become one of the biggest threats in enterprise security, particularly as it relates to mobile devices. It boils down to users inadvertently making ill-advised decisions about which apps are allowed to see and transfer their information. The primary challenge is implementing an app vetting process that neither overwhelms administrators nor frustrates users. Mobile threat defense products, such as Symantec’s Endpoint Protection Mobile or Zimperium’s ZIPs Protection, help by scanning for “leaky” behavior and automating blocking. Companies must bear in mind that these won’t work in the case of overt user error, such as forwarding a confidential email to an unintended recipient.
  • Phishing attacks obviously plague PCs and Macs as well as mobile devices, but a study by IBM found that users are three times more likely to respond to a phishing attack on a mobile device than on a desktop, partly because a phone is where people are most likely to first see a message. Phishing attack victims tend to be repeat victims. Compounding the problem is that the line between work and personal computing keeps blurring. Workers increasingly view multiple email inboxes on their smartphones, containing both work and personal accounts, and most employees conduct some personal business while working. So a camouflaged rogue personal email arriving alongside work email may not seem unusual.
  • Wi-Fi interference is another security problem. Research shows that corporate mobile devices connect over Wi-Fi nearly three times as often as over cellular networks, and a mobile device is only as secure as the network through which it transmits data. On a public Wi-Fi network, anyone on the same network can observe or tamper with traffic that is not protected end to end. Selecting the right enterprise-class VPN might seem to be the answer, but it’s easier said than done. There are almost always trade-offs, including battery drain.
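The automated security tasks the DevSecOps paragraph mentions, the app vetting the data-leakage bullet calls for, and the exposure of app traffic on untrusted Wi-Fi described in the last bullet can all be checked before an app ships. The following is an added example, not the author’s code and not any vendor’s product: a Python script that audits an AndroidManifest.xml and a network_security_config.xml against an assumed organizational policy. The high-risk permission list, the sample app (com.example.fieldnotes), the domain api.example.com and the certificate pin value are constructed placeholders.

```python
"""Build-time vetting for an Android app: flags manifest settings, permissions
and network-security settings that commonly cause data leakage or expose
traffic on hostile Wi-Fi. Added example for this post, not the author's or any
vendor's code; the policy list and the sample XML below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed organizational policy: permissions that need a written justification.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG", "android.permission.SYSTEM_ALERT_WINDOW",
}


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(manifest_xml):
    """Return a list of human-readable findings for an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []
    app = root.find("application")
    if app is not None:
        if _attr(app, "debuggable") == "true":
            findings.append("debuggable build: app data readable with a debugger")
        if _attr(app, "allowBackup") != "false":  # defaults to true when omitted
            findings.append("allowBackup not disabled: app data extractable via adb backup")
        if _attr(app, "usesCleartextTraffic") == "true":
            findings.append("usesCleartextTraffic=true: plaintext HTTP allowed")
    for perm in root.findall("uses-permission"):
        name = _attr(perm, "name")
        if name in HIGH_RISK_PERMISSIONS:
            findings.append("high-risk permission: %s" % name)
    # Exported services/receivers/providers are reachable by every other app on
    # the device unless guarded by a permission. Activities are skipped because
    # launcher activities are legitimately exported.
    for tag in ("service", "receiver", "provider"):
        for comp in root.iter(tag):
            if _attr(comp, "exported") == "true" and _attr(comp, "permission") is None:
                findings.append("exported %s without permission: %s" % (tag, _attr(comp, "name")))
    return findings


def audit_network_config(config_xml):
    """Return findings for a network_security_config.xml."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter():
        if section.tag in ("base-config", "domain-config"):
            if section.get("cleartextTrafficPermitted") == "true":
                findings.append("%s permits cleartext traffic" % section.tag)
    # Trusting user-installed CAs lets anyone who gets a certificate onto the
    # phone (captive portal, social engineering) intercept the app's TLS sessions.
    for cert in root.iter("certificates"):
        if cert.get("src") == "user":
            findings.append("user-installed CAs trusted: TLS interception possible")
    return findings


def ship_gate(manifest_xml, config_xml):
    """True when both files pass; the CI job should fail otherwise."""
    return not (audit_manifest(manifest_xml) or audit_network_config(config_xml))


# Constructed sample input: a deliberately weak manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fieldnotes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <provider android:name=".NotesProvider" android:exported="true"
        android:authorities="com.example.fieldnotes.notes"/>
  </application>
</manifest>"""

# Constructed weak network config: cleartext everywhere, user CAs trusted.
WEAK_NETCONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
</network-security-config>"""

# Corrected config: TLS only, system CAs only, API host pinned (placeholder pin).
HARDENED_NETCONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2026-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST) + audit_network_config(WEAK_NETCONFIG):
        print("FAIL:", finding)
    print("hardened config findings:", audit_network_config(HARDENED_NETCONFIG))
```

Run this as a pipeline step before the APK is signed; a non-empty findings list fails the job, which is what “baked in” security looks like in practice. The hardened config disables cleartext for every host, trusts only system CAs so that a rogue CA installed through a captive portal cannot intercept sessions, and pins the API host’s certificate. Pinning needs a rotation plan (hence the expiration attribute) or the app will lock itself out when the server certificate changes.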

Better Training Is the Answer

Better mobile security is often at the top of corporate security department wish lists today because most workers routinely access corporate data from smartphones.

This makes keeping sensitive information out of the wrong hands an increasingly intricate puzzle. To help solve it, companies need to implement better behavior awareness and training programs. Reducing risk has always been the best way to cope with hackers.

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
