Mobile Threats Need a User-Centered Security Strategy

With smartphones and tablets in wide use by workers, companies face a growing risk: the potential loss of critical data from lost, stolen, or poorly secured mobile devices.

The problem has reached a critical point as the number of mobile devices in use continues to grow. More than half of Internet traffic originates on mobile devices, according to Gartner. With smartphones and tablets becoming pervasive in the workplace, the risk to high-value business, customer, employee, and competitive data is immeasurable.

The 2018 Global State of Information Security Survey from PwC, CSO, and CIO found that 28% of senior business and technology executives cited mobile device exploits as the cause of security breaches at their organization, making mobile exploits the top threat vector they faced.

Check Point Software similarly found that 20% of companies said their mobile devices had been breached.  Worse: 24% of those surveyed didn’t even know whether they had experienced an attack.

Mobile security requires an all-hands approach

Tracking potential mobile attacks may ultimately be the responsibility of a company’s CSO, but the most effective security policies require a much wider degree of adoption, enforcement, and adherence across the entire workforce.  Here are some approaches that might be overlooked.

Reinforce password best practices. Workers still need to use resilient passwords. Fingerprint and iris scans are becoming common tools in the latest smartphones, but many gaps remain. Often, enterprise CSOs decide to use dual authentication, with a different password for each sensitive app on top of fingerprint access to a device.

Set realistic policies. Every company is different, so security policies will vary. Some organizations (government agencies, primarily) ban or lock down the use of smartphone cameras because they can pose a risk, while some large enterprises encourage the use of cameras to supplement work with video. End users will better respond to policies requiring secure access to applications if it is easy to connect to a VPN or Wi-Fi in a secure way.

Remind users when they’re vulnerable.  When workers are on the go, an automatic pop-up reminder that a free Wi-Fi network could be hacked might prevent a lot of misery down the road. Even with constant reminders, there are still going to be mobile users who absent-mindedly click on a nefarious link or an attachment, loading up a ransomware attack.   

High-level mobile security approaches

In addition to employee education, tools for data loss prevention (DLP) can limit the damage of a mobile device breach. These tools identify content, track activity, and can block transfer of sensitive data. Recent security approaches are more comprehensive, incorporating DLP within enterprise mobility management (EMM) solutions that can lock down a user’s device to prevent downloading an unauthorized app that could contain malware. EMM solutions also can limit access to sensitive data to a specific work group, such as human resources.

To protect against public Wi-Fi interference by bad actors, it is possible to encrypt traffic over Wi-Fi with a VPN. The challenge for security teams is finding a VPN that knows when to power down when an app or service is trusted, thus saving the battery life of a smartphone or tablet.

Mobile security will continue to be a top priority for any organization where smartphones and other devices have become a staple of business. The challenge remains providing robust tools, policies, and awareness training while recognizing the need for simplicity so that employees will comply.

AT&T offers a variety of mobile threat defense and EMM services and additional resources that will help organizations secure their mobile workforce.  

Matt Hamblen is a multi-media journalist covering mobile, networking and smart city tech. He previously was a senior editor at Computerworld.