Mobile security: 5 misunderstandings that persist

Mobile has become ubiquitous in the enterprise: So why do so many organizations still buy into these security misconceptions?

Nearly all companies allow their employees to use smartphones for work-related interactions. With the advanced capabilities and power of the modern smartphone, it has become a go-to productivity tool that’s employed by a majority of workers across industries. Yet, in talking to many IT organizations responsible for managing end-point access, it’s surprising how many still have misconceptions about the security of these devices. 


Let's address five critical misconceptions that companies should not buy into when enabling mobile device access:

1. Users protect their devices

In truth, a large number of users have no interest in making sure their devices are secure. When left to their own discretion, the majority do not even enable password protection, as it's seen as an inconvenience, and anything inconvenient is to be avoided. Further, few really have a handle on the type of data living on their device, or on how best to ensure it's not exposed. Few users are security experts, so organizations that assume users will protect their devices from hacking and/or data leakage are taking a big leap of faith.

2. Mobile devices don’t carry any corporate sensitive data


Many companies assume that mobile devices simply access corporate back-office apps via a browser and/or a light client, and therefore that no corporate data stays on the device. In fact, that is not the case. With the vast amount of storage in the modern mobile device, as much as 64 GB to 256 GB or more, it's very likely that your end users have at least some sensitive data onboard that they've downloaded for their convenience (e.g., customer contacts including what they purchased and for how much, company data sheets and confidential presentations, competitive information, etc.). Assume end-user mobile devices carry sensitive data, and act accordingly.

3. Mobile devices don't get hacked

Our research shows that about two-thirds of companies believe their mobile devices either have never had a data breach or don't know if they've had one. Yet when asked, more than half of end users state they have had a data breach on their devices. While it's more difficult to spread malware on a mobile device than on a PC, mobile malware nevertheless exists and is becoming more prevalent, particularly as the number of apps users download increases. You must assume that mobile devices are susceptible to hacking, and therefore need to be protected, just as PCs need to be.

4. Enterprise transactions don't occur that often on mobile


Organizations often assume that smartphones are occasional-use devices and that the majority of interactions with corporate systems occur on a PC. Yet if you look at the statistics, many users, especially millennials and digital natives, now interact with corporate systems more often on a smartphone than on a PC. In fact, in many organizations, smartphones have overtaken the PC as the majority end-point transaction device. Companies must assume smartphone access will be at least as prevalent as PC access, and will continue to grow in many organizations, and therefore requires an increasing focus on protecting mobile devices.

5. I can allow any BYOD that the user chooses

When it comes to mobile security, not all devices are created equal. While many people assume that the iPhone with its iOS system is more secure than Android, that is not necessarily the case. In fact, the latest versions of Android are at least as secure if not more so. But the problem is that while Apple maintains a single OS for virtually all devices still in use, there are many versions of Android available, especially with older devices still in use. With BYOD, companies are essentially allowing users to pick and choose any device no matter what version of OS it has.

To maintain a maximum security posture, I recommend that no company allow a smartphone running a version of Android more than two versions older than the current one to access the network. That means old phones that can't be upgraded can't be used, and it also means creating a policy that provides users with an IT-vetted list of approved phones that can be used for BYOD.
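One way to enforce that version rule, together with the passcode expectation from point 1 and an approved-model list, as an MDM-style compliance check over inventory records. This is an added example, not code from the article; the current Android major release, the approved model list and the device records are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed inventory record, of the kind an MDM export would provide.
@dataclass
class Device:
    model: str
    os: str           # "android" or "ios"
    os_version: str   # e.g. "14" or "8.1"
    passcode_set: bool
    upgradable: bool  # vendor still ships OS updates for this model

# Assumptions for the policy: current Android major and an IT-vetted model list.
CURRENT_ANDROID_MAJOR = 14
APPROVED_MODELS = {"Pixel 7", "Pixel 8", "Galaxy S23", "iPhone 14", "iPhone 15"}
MAX_VERSIONS_BEHIND = 2   # the article's "no more than two versions older" rule

def major_version(version: str) -> int:
    """Take the major release number from a dotted version string."""
    return int(version.split(".")[0])

def compliance_findings(d: Device) -> list[str]:
    """Return the list of policy violations for one device (empty = compliant)."""
    findings = []
    if not d.passcode_set:
        findings.append("no passcode")                      # misconception 1
    if d.model not in APPROVED_MODELS:
        findings.append("model not on approved list")       # misconception 5
    if d.os == "android":
        behind = CURRENT_ANDROID_MAJOR - major_version(d.os_version)
        if behind > MAX_VERSIONS_BEHIND:
            # An upgradable phone can be brought back into policy; one the
            # vendor no longer updates has to leave the BYOD program.
            action = "upgrade required" if d.upgradable else "retire device"
            findings.append(f"Android {d.os_version} is {behind} versions behind ({action})")
    return findings

def is_compliant(d: Device) -> bool:
    return not compliance_findings(d)

if __name__ == "__main__":
    fleet = [  # constructed sample inventory
        Device("Pixel 8", "android", "14", True, True),
        Device("Galaxy S23", "android", "11", True, True),
        Device("Old Phone", "android", "9", False, False),
        Device("iPhone 15", "ios", "17.1", True, True),
    ]
    for dev in fleet:
        status = "OK" if is_compliant(dev) else "; ".join(compliance_findings(dev))
        print(f"{dev.model:<12} {status}")
```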

Reducing your risk

It is imperative that companies assume smartphones are a security risk, just like any other end-point device accessing the corporate network. As such, mobile devices can't just be tolerated and ignored in your security policy. Instead, your policy must acknowledge the various factors that are somewhat unique to smartphones.

Without a strong security strategy that eliminates these misconceptions about mobile devices, companies will find themselves at significantly greater risk of a costly data breach.


Jack E. Gold is Founder and Principal Analyst at J.Gold Associates, LLC. Mr. Gold has been a technology analyst for more than 25 years, and has more than 45 years of experience in the computer and electronics industries.