A lot of us are working remotely these days: nearly seven in ten employees still work remotely all or part of the time (Gallup). That means remote workers are accessing sensitive corporate data from mobile devices more routinely than ever. Mobile security presents some unique challenges compared with traditional cybersecurity. We've highlighted a few common mobile security pitfalls that are often overlooked, potentially leaving your business vulnerable to security breaches or data leaks.
- Mobile security requires a specialized skillset, and there’s a pervasive skills gap in cybersecurity already.
In fact, in 2018-2019, a cybersecurity skills shortage impacted 53% of organizations (ESG). Worse yet, 66% of organizations claim that the cybersecurity skills shortage has resulted in an increased workload on existing staff. At least one component of the proverbial resource gap – time, people and expertise – is usually the culprit behind an incomplete mobile security plan. Further, mobile security is its own specialized field, and it’s not the same as traditional network security.
- End users are often the primary mobile security risk.
Consider your users: the employees across departments and divisions that keep your business running successfully. While end users expect to be able to easily use their tools, the security team’s efforts can sometimes be counterproductive to the overall mission. In a mobile, digitally driven working environment, restricting users’ ability to use tools through a clunky security plan encourages them to circumvent the system. When the average user encounters a blockade, moving corporate data to a personal Dropbox account, for example, becomes the preferred method for completing work. Simply locking down a corporate phone isn’t enough; without holistic data protection, people will work around you, and your efforts will be fruitless.
- Securing email in a fashion that adequately protects information on mobile devices isn’t an easy challenge to solve.
In particular, many organizations rely on Microsoft Office 365. Because of API limitations, only enrolled mobile devices can use the app. Without the connection to validate enrollment, MDM and EMM platforms must either restrict how users experience email or accept risk.
This presents an additional challenge because, while the Android native app can be controlled, MDMs don’t get support on authentication. Many organizations have large Android deployments on a native mail application because that’s how configurations are pushed out through the MDM, but the mail app doesn’t support modern authentication. It’s a difficult challenge to solve, and currently there’s no simple answer. If your business relies on Android, you must deploy a different mail app to support devices or figure out how to bridge the Office 365 gap to communicate with the MDM if a device is enrolled.
- Enrollment enforcement is great for all devices your business purchases going forward, but it’s not helpful for all the assets you have in the field already. Without the proper MDM/EMM tools, it’s difficult to prevent device access in the absence of enrollment.
Enrollment enforcement platforms have maintenance requirements, especially where iOS is concerned, and certificate management in particular. If your security team isn’t diligent about maintaining the certificates required to authenticate the relationship between Apple DEP and the EMM, the connection will drop, and any device added afterwards will fail to pull the MDM profile or get enrollment enforcement. These mistakes are fixable, but all devices activated during the gap must be factory reset to pick up the profile that enforces enrollment. Unsurprisingly, prompting users to factory reset a phone they already have data on is no easy feat.
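To make the certificate gap concrete, here is an added example (not from the original article or from any EMM vendor) that takes the validity periods of the DEP/EMM certificates and a list of device activation dates, then reports which devices were activated while the link was down and how many days remain before the next renewal. The data layout, function names and serials are hypothetical; in practice the dates would come from your EMM console and device inventory.

```python
from datetime import datetime, timezone

def dt(s):
    """Parse an ISO date (YYYY-MM-DD) as a UTC timestamp."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def coverage_gaps(windows, now):
    """Return (start, end) periods up to `now` with no valid certificate."""
    gaps = []
    ordered = sorted(windows)
    covered_until = ordered[0][1]
    for start, end in ordered[1:]:
        if start > covered_until:          # renewal happened after expiry
            gaps.append((covered_until, start))
        covered_until = max(covered_until, end)
    if now > covered_until:                # still lapsed: gap is open-ended
        gaps.append((covered_until, now))
    return gaps

def activated_in_gap(activations, gaps):
    """Serials activated during a gap; these never pulled the MDM profile."""
    return sorted(serial for serial, ts in activations.items()
                  if any(lo <= ts < hi for lo, hi in gaps))

def days_left(windows, now):
    """Days until the newest certificate expires (negative if lapsed)."""
    return (max(end for _, end in windows) - now).days

# Constructed sample data (assumption): one late renewal, four activations.
WINDOWS = [(dt("2023-01-10"), dt("2024-01-10")),
           (dt("2024-02-02"), dt("2025-02-02"))]
ACTIVATIONS = {
    "SAMPLE-A": dt("2023-11-05"),   # activated while the link was healthy
    "SAMPLE-B": dt("2024-01-15"),   # activated during the lapse
    "SAMPLE-C": dt("2024-01-30"),   # activated during the lapse
    "SAMPLE-D": dt("2024-03-01"),   # activated after the renewal
}

if __name__ == "__main__":
    now = dt("2025-01-15")
    gaps = coverage_gaps(WINDOWS, now)
    for lo, hi in gaps:
        print(f"No valid certificate from {lo.date()} to {hi.date()}")
    print("Need factory reset to enroll:", activated_in_gap(ACTIVATIONS, gaps))
    remaining = days_left(WINDOWS, now)
    if remaining <= 30:
        print(f"Renew now: {remaining} days left on the current certificate")
```

Running the renewal check on a schedule, with an alert threshold well ahead of expiry, is what keeps the list of devices needing a reset empty.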
When it comes to Android, enrollment hasn’t reached a maturity level equal to Apple DEP; only certain devices support zero touch. Also, while many people choose Android because it seems flexible, there are certain user-focused characteristics that pose security risks. For example, deploying an app essentially only requires emailing the user a link to the app. This is convenient for easily deploying an app, but dangerous without visibility into what kinds of apps a user might install that aren’t approved by your company. This kind of flexibility spawns a slew of apps developed to maliciously collect data or send valuable information back to a server. On a positive note, Android is fixing this by developing Android Enterprise, but it’s a painful process for organizations accustomed to the flexibility Android has had historically for ad hoc application deployment.
“Many companies have an MDM or EMM platform in place, but that solution alone doesn’t equate to strategic deployment of the rules that apply at a corporate level. It also doesn’t guarantee that an organization has taken the necessary steps for universal utilization.”
-Josh Anderson, Founder, Acuity
It’s more important than ever that business leaders recognize the importance of implementing mobile safeguards, and the financial repercussions they could face if they do fall victim to a breach. Many organizations struggle with effectively implementing mobile security alone, which is why our mission is to help customers no matter where they are in the process. Contact us to take advantage of a free benchmark assessment to gain insights into your current environment and MDM/EMM tool.