If you’re looking to keep enterprise mobile devices secure, whether they were issued by the organization or authorized under bring-your-own-device (BYOD) programs, you should consider taking a multilayered approach.
Administrative tools such as mobile device management (MDM) make it easier to configure devices and install or remove apps from a central location, but they don’t protect against the growing range of cybersecurity threats facing mobile users, according to Aaron Cockerill, chief strategy officer at the mobile security firm Lookout. Multiple controls are needed for that.
Enterprise security leaders must take mobile devices very seriously. Android is now the world’s most popular operating system of any kind, having eclipsed Windows’ total usage in March 2017, according to StatCounter. These devices are ripe targets for attack because they not only have privileges to access a variety of enterprise data repositories, but also have sensors, cameras and microphones that can be hijacked to spy on their users.
Between October 2016 and March 2017, 4.7 percent of Android enterprise devices monitored by Lookout encountered an app-based threat, compared to just 0.1 percent for iOS. The more open Android ecosystem makes it easier to persuade users to install apps from app repositories with weaker controls than Google’s, or even to directly install a malicious app from an email or SMS link.
Many of the new mobile attacks start as phishing attempts or misleading advertising rather than zero-day security exploits. The attacks try to persuade or frighten users into clicking links or installing malicious apps under the guise of being helpful. That’s why mobile deployments need layers of protection beyond the device itself, Cockerill told tech leaders in June at the Gartner Security & Risk Management Summit in Maryland.
Increased monitoring and education are particularly important because on-device scanning has diminishing returns. Mobile device constraints make high-intensity malware scanning difficult and inconvenient. “You can’t scan devices constantly the way you scan desktops because you’ll kill the battery,” he said.
Consider these starting points when implementing a multilayer mobile security policy.
User education. Better mobile security must start with users, because the users of mobile devices are top targets. It’s easier to launch phishing attacks on mobile because many of the familiar desktop security practices, such as hovering over links and checking browser security credentials, are significantly harder to do on mobile. And the immediacy and intimacy of the mobile device experience means that users can be less disciplined about good security practices.
“Mobile devices feel personal, and that’s why users are so easily tricked,” Cockerill said.
App behavior. Apps can compromise your organization even if they’re not malware. That’s because even approved, authentic mobile apps can be significant sources of data leakage. Apps that collect and transmit sensitive data can put corporate security, privacy and regulatory compliance at risk just as much as malware can.
For example, 38 percent of apps in the Lookout enterprise monitoring panel access GPS. Many do so for legitimate reasons, but the high percentage of apps collecting detailed user location data is a reminder of how easy it is to suffer a data leak. “You have to ask: What are these apps doing with your data?” Cockerill said.
Contextual credentials. The usual approach to improving desktop-oriented security was to add layers of authentication, such as physical security tokens or one-time authorization codes sent to a phone or email address. But the old rules of “what you know” and “what you have” mean less when there are so many ways a mobile device can be compromised.
“Today, the user gets access if they have the right password,” Cockerill said. “What you should want to know is if the device is malware-free, configured appropriately, compliant with corporate policies, and in an appropriate location and using an appropriate network.”
Even a user with verified passwords should be blocked, or at least subject to reduced permissions, if the device connects from an unapproved network, or from a geographic location where the user is not authorized to be.
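The contextual access decision described above, as an added example that is not part of the original article or of any Lookout product: a small policy evaluator that treats device health (malware-free, compliant with corporate policy) as a hard gate and network and location as a soft gate that reduces permissions rather than denying outright. The approved networks, authorized countries and permission sets are constructed sample values, and the `DevicePosture` fields are assumptions about what an MDM or mobile threat defense agent would report.

```python
"""Context-aware access decision for a mobile login (added example, not the article's own)."""
from dataclasses import dataclass
from typing import List, Tuple, Set

# Constructed sample policy; a real deployment would load these from the MDM or IdP.
APPROVED_NETWORKS = {"corp-wifi", "corp-vpn"}
AUTHORIZED_COUNTRIES = {"US", "CA"}

# What each decision level is allowed to reach (constructed sample permission sets).
PERMISSIONS = {
    "full": {"email", "files", "crm"},
    "reduced": {"email"},      # still reachable from an unapproved network or location
    "deny": set(),
}


@dataclass
class DevicePosture:
    """Signals an MDM / mobile threat defense agent is assumed to report at login time."""
    password_ok: bool         # "what you know" still has to pass first
    malware_free: bool        # no known-malicious app installed
    policy_compliant: bool    # screen lock, encryption, patch level, not rooted/jailbroken
    network: str              # network the device is connecting from
    country: str              # coarse geolocation of the device


def decide_access(p: DevicePosture) -> Tuple[str, List[str]]:
    """Return (decision, reasons) where decision is 'deny', 'reduced' or 'full'."""
    reasons: List[str] = []
    if not p.password_ok:
        return "deny", ["password failed"]

    # Hard gate: a compromised or non-compliant device gets nothing, even with a valid password.
    if not p.malware_free:
        reasons.append("malware detected")
    if not p.policy_compliant:
        reasons.append("device not compliant with corporate policy")
    if reasons:
        return "deny", reasons

    # Soft gate: unexpected context drops the session to reduced permissions.
    if p.network not in APPROVED_NETWORKS:
        reasons.append(f"unapproved network {p.network}")
    if p.country not in AUTHORIZED_COUNTRIES:
        reasons.append(f"unauthorized location {p.country}")
    if reasons:
        return "reduced", reasons

    return "full", []


def permissions_for(decision: str) -> Set[str]:
    """Map a decision level to the resources the session may reach."""
    return PERMISSIONS[decision]


if __name__ == "__main__":
    # Constructed sample logins covering each branch of the policy.
    samples = [
        DevicePosture(True, True, True, "corp-vpn", "US"),      # healthy, expected context
        DevicePosture(True, True, True, "cafe-wifi", "US"),     # healthy, unapproved network
        DevicePosture(True, True, True, "corp-vpn", "FR"),      # healthy, unauthorized country
        DevicePosture(True, False, True, "corp-vpn", "US"),     # valid password, infected device
        DevicePosture(False, True, True, "corp-vpn", "US"),     # wrong password
    ]
    for s in samples:
        decision, why = decide_access(s)
        print(f"{decision:8s} {sorted(permissions_for(decision))} {why}")
```

The ordering matters: the password is checked first so that an attacker cannot learn anything about device posture from a failed login, and device health is evaluated before context so that an infected device is never granted even the reduced permission set.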
Senior leadership. Enterprise leaders have to be on board with tighter controls over mobile access. Denying service at the data or network layer is tricky because users, especially those at the highest levels of the organization, expect their mobile devices to provide reliable, convenient access whenever and wherever they choose. Enforcement and screening policies must be understood and supported by senior management. Chief information security officers and their staff have to be able to act without fear of retribution.
“You have to be confident that you’re not going to be fired because the CEO was denied access to email,” Cockerill said.
Do you want to learn more about how to protect your business against growing cybersecurity threats? Talk to a security expert at CenturyLink today.