Today our lives are inextricably tied to our mobile devices. We use them just like mini-computers, handling sensitive personal and work-related matters throughout the day. This trend is concerning because mobile devices were not designed with security in mind and are now arguably the biggest threat to both consumer and enterprise security.
Just as we have seen with the evolution of computer threats, cybercriminals are catching on to the new opportunities mobile presents. This past year, we have witnessed a dramatic spike in mobile-first cyberattacks like social media and SMS phishing, malicious apps and even robocalls. These attacks are only going to increase with the bring-your-own-device workplace.
Why mobile security is the most critical initiative today
Mobile security is so critical today because of the sheer number of users. According to Pew Research, roughly three-quarters of Americans (77 percent) now own a smartphone. While smartphone ownership is nearly ubiquitous among younger adults (92 percent), growth in ownership over the past year has been especially pronounced among the older population. Now, nearly three-quarters (74 percent) of Americans aged 50-64 own a mobile device (a 16-percentage-point increase from 2015). However, as much as the rapid development of mobile technology has enabled our society to advance in many ways, it has also steadily become a disabling force: with new capabilities come greater exposure and opportunity for compromise.
Cybercriminals are also increasingly using humans as a tool to launch their attacks, which makes mobile an ideal platform. There are two primary reasons for this: technical exploits are hard to find these days, and attacks that target humans are proving to be hugely successful. Take, for example, the mass cybersecurity epidemic that is ransomware.
The Challenge of Formalizing Mobile Security
There are two main reasons why mobile security will be the most challenging for enterprises to formalize.
Smartphones are first and foremost a consumer product.
Formalizing security standards and best practices around their use in a business setting is going to require more than just a technology rollout; it will require a huge cultural mind-shift. Users expect a fast, easy and seamless experience when using devices, whether it’s for business or personal use. Adding security layers will undoubtedly interfere with this to varying degrees (e.g. requiring users to wait for approval to download an app). While IT teams may find this extremely trivial when weighing it up against the consequences of a potential breach, it’s a reality they are going to have to address. As a CTO, I can guarantee that these teams will receive some level of resistance from users and attempted workarounds.
Consumers place a huge amount of trust in the mobile technology and services they use today.
The amount of trust consumers place in their mobile devices is understandable because, up until very recently, they haven’t had much reason to fear vulnerabilities on their phones. Most users today assume that the popular cloud services, social media platforms or apps they use have taken the right security measures to ensure their data and communications are protected. However, this is a dangerous misunderstanding of the mobile ecosystem, as we have witnessed with multiple high-profile breaches such as those at Dropbox and Evernote. With cybercriminals fast learning the major opportunities at hand, ongoing education and awareness are critical to shifting consumer perceptions around the need for mobile security and ultimately ensuring all business communications and assets are truly protected.
The Case of the “Unhackable” Phones
First off, at this time there is no such thing as an ‘unhackable phone’. Cybercriminals don’t just rely on technical exploits to gain access to sensitive data. They are increasingly targeting human behavior, such as people’s propensity to click on links and to download apps without reading the clauses. Hardware solutions will be hard-pressed to prevent this, which makes the “hardware first” approach the wrong approach.
Let’s, however, entertain this idea for a second. If all manufacturers move to designing hardware that they call ‘unhackable’, the issue becomes that the majority of the market is left exposed. Hardware-only solutions are extremely expensive and skew protections towards those who can afford the technology. On top of that, hardware can be much harder to enhance than software.
Software security only needs coding and an update for the technology to work immediately. This makes it more agile to address new threats in a fast-moving landscape. In a hardware-first approach, enterprises will be stuck in a vicious cycle of having to replace phones with new ones. As app developers are held to higher standards via legislation or competition to protect users and their information, the mobile space should offer better options for users.
Lastly, with the rapid evolution of cybercriminal tactics, creating a homogeneous mobile environment could lead to major problems should a hacker find a vulnerability to exploit. Similar to what we saw with the detrimental impact of “ransomworm”, if all employees are on the same operating system, this can create an ideal opportunity for cybercriminals to try and spread infections. And what’s for certain is that if you provide a big enough reward, they will continue to try and find ways in. You can liken this idea to natural selection and how variation within a species or network of organisms will prevent its complete extinction if there is a major outbreak of a disease.
The Biggest Challenges for Enterprise IT Leaders Today
The biggest challenge is finding advanced technology that meets the very broad needs of today’s dynamic mobile ecosystem. This includes identifying solutions that can counter today’s and tomorrow’s mobile threats on multiple fronts, rather than offering reprieve from individual risks such as malicious apps. IT leaders currently deploying mobile security solutions are fast learning the level of admin resources needed to manage certain solutions that function on an ‘alert’ structure rather than those that remove the risks altogether. While these technologies are still in their infancy, companies that do not have extra cash to burn on hiring more resources to manage these solutions need to consider their options carefully.
Where to next
According to a report by Markets and Markets, the mobile encryption market size is expected to grow from $761.4 million USD in 2017 to $2,917.9 million USD by 2022 as the threat of mobile devices continues to rise. While there is an urgency to secure enterprise mobile communications today, it’s important that IT leaders take the time to carefully research the solutions currently on the market and identify any challenges they may pose from a larger business productivity and efficiency standpoint. You also need to ensure that education is a key part of the technology rollout, and develop an ongoing strategy to drive active employee support while being able to provide a broader secured enterprise platform incorporating elevated security throughout.