Mobile-powered initiatives are critical to profitability, productivity and competitiveness. Mobile devices and apps are how customers interact with organisations and how employees access resources, collaborate and work.
In virtually every sphere of our lives, mobile devices are ubiquitous. This ubiquity has created several key implications for organisations:
Diverse devices are accessing corporate data, including employee-owned mobile phones and other devices that aren’t managed by corporate IT teams.
Threats to mobile apps and devices continue to rise in both volume and sophistication. My company's Global Mobile Threat Report 2023 (GMTR) found that 43% of all compromised devices were fully exploited, a 187% year-on-year increase.
The number of mobile apps an organisation offers to employees continues to increase, and at the same time, the number and type of apps that are active on employee and customer devices is exploding.
The sophistication of mobile risks is increasing at the same time as businesses want to give mobile devices more direct access to resources within zero trust environments, creating new challenges for CISOs and security teams. The GMTR found that 80% of phishing attacks targeted mobile devices.
Regulations and mandates covering device, application and user data continue to become more onerous and harder to satisfy across the global footprint of an organisation, for example the Australian Cyber Security Centre's (ACSC) 38 mobile security controls.
Security teams face a new set of challenges and need to be aware of the risks:
Devices: In a BYOD environment, mobile users are the ‘device administrators’. Rather than operating in a relatively protected corporate environment, devices can be used anywhere, may be left anywhere, and are frequently connected to public Wi-Fi. Many organisations allow mobile devices on corporate Wi-Fi without full security assurance.
Apps for business: Traditional enterprise applications run in a secure data centre on servers the organisation controls, whereas mobile apps are published to public app stores, where anyone, including attackers, can download, reverse engineer and tamper with them. Organisations need to assess this risk continuously, not once at release.
Apps for consumers: Consumer apps are making their way onto the devices that access corporate resources and pose potential risks to the business. As security professionals, how do we assess those risks and maintain processes to assess and respond at scale?
Five key principles for mobile-first security
1. Prioritise and assess risk as close to the user or point of entry as possible. Organisations need to prioritise securing mobile-powered business initiatives across all mobile devices and apps, for example by reviewing the mobile-specific recommendations in the Australian Information Security Manual (ISM).
2. Operate in a known state - visibility and vulnerability assessment for all your entry points. Gain complete visibility of your mobile ecosystem and risk level. Automatically assess vulnerabilities and address them without throttling productivity. Establish safeguards that are measurable, auditable, and insurable.
3. Enhance your detection and response strategy for mobile. Detect anomalies and prioritise remediations based on contextual intelligence so the most critical gaps are addressed first. Embed security across the device and application lifecycle, provide a risk-based response, and enable zero trust assessment of mobile endpoints.
4. Start the autonomous journey. Dynamically respond to ever-changing threats and mobile ecosystems. Automatically isolate compromised devices and untrusted environments. Establish a proactive, resilient, and scalable security posture.
5. Minimise the risk of compliance failures. Stay ahead of regulations, data sovereignty and privacy standards, such as the ACSC's mobile security controls, while respecting employees' work/life boundaries.
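Principles 2 to 4 (a measurable baseline of every device, risk-based response, automatic isolation of compromised devices) and the later checklist question about baselining managed and unmanaged devices all come down to the same mechanism: turn device telemetry into a score and map the score to an access decision. The following is an added example written for this article, not code from any vendor product or from the ACSC controls. The telemetry fields, the signal weights, the thresholds and the sample fleet are all assumptions chosen for illustration; in practice the fields come from MDM/UEM and mobile threat defence (MTD) agents and the weights from the organisation's own risk appetite.

```python
"""Device posture scoring and zero-trust access decision (added example).

Illustrative code written for this article, not a vendor product. The
telemetry fields, weights, thresholds and sample fleet are assumptions.
"""
from dataclasses import dataclass


@dataclass
class DevicePosture:
    device_id: str
    managed: bool               # enrolled in MDM/UEM (False = BYOD / unmanaged)
    os_version: str             # reported by the device, e.g. "16.2"
    jailbroken_or_rooted: bool  # compromise indicator from the MTD agent
    screen_lock: bool
    last_report_days: int       # days since the agent last checked in
    phishing_events_7d: int     # mobile phishing detections in the last week
    hostile_network: bool       # e.g. TLS interception or rogue AP detected
    sideloaded_apps: int        # apps installed from outside an official store


MIN_SUPPORTED_OS = "15.0"  # assumed organisational baseline


def version_tuple(v: str) -> tuple:
    """'16.2' -> (16, 2), so that '16.2' > '15.10' compares correctly."""
    return tuple(int(part) for part in v.split("."))


# (signal name, predicate, weight). Weights are assumptions.
SIGNALS = [
    ("compromised_os",    lambda d: d.jailbroken_or_rooted, 100),
    ("outdated_os",       lambda d: version_tuple(d.os_version)
                                    < version_tuple(MIN_SUPPORTED_OS), 40),
    ("unmanaged",         lambda d: not d.managed, 30),
    ("no_screen_lock",    lambda d: not d.screen_lock, 25),
    ("stale_telemetry",   lambda d: d.last_report_days > 7, 20),
    ("phishing_activity", lambda d: d.phishing_events_7d > 0, 15),
    ("hostile_network",   lambda d: d.hostile_network, 15),
    ("sideloaded_apps",   lambda d: d.sideloaded_apps > 0, 10),
]


def decide(posture: DevicePosture) -> dict:
    """Score one device and map the score to an access decision."""
    hits = [name for name, predicate, _ in SIGNALS if predicate(posture)]
    total = sum(weight for name, _, weight in SIGNALS if name in hits)

    if "compromised_os" in hits:
        # Hard fail: a rooted/jailbroken device is isolated regardless of
        # the rest of its score (principle 4, automatic isolation).
        action = "isolate"
    elif total >= 50:
        action = "deny"
    elif total >= 20:
        action = "step_up"   # MFA plus restricted scope, no offline data
    else:
        action = "allow"
    return {"device_id": posture.device_id, "score": total,
            "signals": hits, "action": action}


def baseline_fleet(fleet):
    """Principle 2: a measurable, auditable snapshot of the whole fleet."""
    decisions = [decide(d) for d in fleet]
    summary = {}
    for dec in decisions:
        summary[dec["action"]] = summary.get(dec["action"], 0) + 1
    return decisions, summary


# Constructed sample telemetry (not real data).
SAMPLE_FLEET = [
    DevicePosture("corp-001", True,  "16.2", False, True,  1,  0, False, 0),
    DevicePosture("byod-002", False, "16.2", False, True,  2,  1, False, 0),
    DevicePosture("byod-003", False, "14.8", False, False, 12, 0, True,  2),
    DevicePosture("corp-004", True,  "16.2", True,  True,  0,  0, False, 0),
]

if __name__ == "__main__":
    decisions, summary = baseline_fleet(SAMPLE_FLEET)
    for dec in decisions:
        print(dec)
    print(summary)
```

The point of the structure is that every decision carries the list of signals that produced it, which is what makes the posture auditable and lets a SOC prioritise remediation by the signals that recur across the fleet rather than by raw score. Re-running `baseline_fleet` on each telemetry refresh is the "dynamic response to elevated risk" the checklist below asks about: a device that was allowed this morning drops to step-up or deny as soon as its agent reports a phishing event or a hostile network.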
When developing applications internally, or if applications are developed for an organisation by third parties, consider the following questions:
- Organisations often use external services for application review, and those reviews typically focus on security flaws. Given that development teams release new versions of an app one to four times a month, consider how to deliver security assurance at that cadence and scale without slowing development down.
- How are you assessing the privacy and compliance issues of the applications you are releasing?
- Are your apps using code obfuscation or integrity checking? How are you attempting to thwart reverse engineering?
- How well do your app protection approaches score against standards such as the OWASP Mobile Application Security Verification Standard (MASVS), National Information Assurance Partnership (NIAP) protection profiles, or the PCI Mobile Payments on COTS (MPoC) standard?
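The integrity-checking question above is easiest to answer with a concrete check in hand. Android and iOS packages (.apk/.ipa) are zip archives, so the simplest form of integrity checking is to hash the entries an attacker would patch (bytecode, native libraries) at build time and recompute them at run time. The following is an added example written for this article, not code from the original page or from any app protection product; it runs on a constructed in-memory archive rather than a real app, and the entry names, file contents and the "patched" copy are all assumptions.

```python
"""Hash-based integrity self-check for a packaged mobile app (added example).

Written for this article; not code from the original page or from any app
protection product. Entry names and contents are assumptions; the archives
are constructed in memory to stand in for real .apk/.ipa packages.
"""
import hashlib
import hmac
import io
import zipfile

# Entries whose tampering would change the app's behaviour (assumed names).
PROTECTED_ENTRIES = ("classes.dex", "lib/arm64-v8a/libnative.so")


def build_package(entries: dict) -> bytes:
    """Construct an in-memory zip standing in for an app package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(package: bytes) -> dict:
    """SHA-256 of each protected entry; a missing entry maps to None."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        present = set(zf.namelist())
        for name in PROTECTED_ENTRIES:
            digests[name] = (hashlib.sha256(zf.read(name)).hexdigest()
                             if name in present else None)
    return digests


def pin_manifest(release_package: bytes) -> dict:
    """Build time: record the digests that will ship inside the release."""
    return entry_digests(release_package)


def tampered_entries(package: bytes, manifest: dict) -> list:
    """Run time: recompute and compare; returns entries that no longer match.

    A missing entry, or one absent from the manifest, counts as tampering.
    """
    actual = entry_digests(package)
    bad = []
    for name in PROTECTED_ENTRIES:
        expected, got = manifest.get(name), actual.get(name)
        if expected is None or got is None or not hmac.compare_digest(expected, got):
            bad.append(name)
    return bad


# Constructed release build and a repackaged copy with a patched classes.dex.
RELEASE = build_package({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00" + b"original bytecode",
    "lib/arm64-v8a/libnative.so": b"\x7fELF original native code",
})
MANIFEST = pin_manifest(RELEASE)
REPACKAGED = build_package({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00" + b"patched: licence check removed",
    "lib/arm64-v8a/libnative.so": b"\x7fELF original native code",
})

if __name__ == "__main__":
    print("release   :", tampered_entries(RELEASE, MANIFEST))     # []
    print("repackaged:", tampered_entries(REPACKAGED, MANIFEST))  # ['classes.dex']
```

The caveat a practitioner will raise immediately: a self-check that lives inside the app is itself code an attacker can patch out after repackaging, which is why this belongs alongside obfuscation rather than instead of it, and why the stronger control is one the attacker cannot reach: verifying the package's signing certificate against the pinned release certificate, and using platform attestation such as Google's Play Integrity API or Apple's App Attest so that the server, not the app, decides whether the client is genuine.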
There’s no turning back. The mobile-powered business is here to stay. Given that reality, what are practical steps that security teams can take? Here are some key questions to consider.
• How are you baselining your initial mobile device risk posture for both managed and unmanaged devices and responding dynamically to elevated risk?
• How many mobile devices are accessing corporate assets that are unmanaged or without visibility?
• What is the strategy for BYO devices and unmanaged applications?
• What are the zero trust initiatives, and where does mobile fit?
• What is the vision for consolidating mobile security telemetry as part of your data lake and extended detection and response (XDR) strategies?
• Organisations often have a solid strategy for email phishing. How does the organisation reduce, measure and respond to the risk of mobile phishing attacks?
• What is your strategy for mobile ransomware and spyware?
• How are you assessing the potential risk of publicly available applications on managed and unmanaged devices?
• How are you addressing local privacy and data protection laws and compliance needs, such as the Australian Privacy Act, across your mobile assets (devices and apps)?