These days, mobile devices are integral to the way we work, and many employees spend their days switching between their phones and their computers.
While most organizations have a robust cybersecurity strategy in place to protect their laptops and corporate networks, mobile devices are often left underprotected. And that’s a big problem because mobile devices are frequently faced with risks like phishing attacks and operating system vulnerabilities.
In this blog post, we’ll debunk six common myths about mobile device security and explore the capabilities organizations need to level up their mobile security game.
Myth #1: Mobile Devices are More Secure Than Desktops and Laptops
One of the most prevalent mobile security myths is that mobile devices are inherently more secure than traditional endpoints like desktops and laptops. But this is a dangerous misconception — mobile devices simply have a different set of vulnerabilities that leave them open to a variety of cybersecurity risks.
Users download scores of unvetted mobile applications to their devices, and those don’t have to be malicious to be risky. Many mobile apps ask for permissions like access to the phone’s address book, local files, and location, which could prove risky if the app is compromised. Out-of-date OSs can also leave mobile devices vulnerable to zero-day attacks.
In addition to OS and app vulnerabilities, mobile devices are in some ways more vulnerable to phishing attacks than traditional endpoints. Mobile-specific attacks like smishing and quishing make mobile devices appealing targets to attackers and can lead to malware and account compromise.
Myth #2: You Don’t Need to Worry About Sensitive Data on Mobile Devices
Another mistaken belief is that sensitive data isn’t stored on mobile devices, so you don’t have to worry about data protection the same way you do with laptops and desktops.
While most employees aren't storing sensitive data directly on their mobile devices, they are using their mobile devices to access cloud apps that store large amounts of sensitive data. These devices are also closely tied to your users, often being used as a second form of authentication for single sign-on and account verification.
If a mobile device is compromised, an attacker could easily steal credentials, gain access to your infrastructure, and put the data in your business-critical apps at risk. That's why it's critical to be able to detect and prevent data loss — even on mobile devices.
Myth #3: MDM is Sufficient to Protect Mobile Devices
When it comes to reining in mobile devices, many organizations have turned to mobile device management (MDM) solutions. And MDM is great for keeping an inventory of your company-owned mobile devices. But it isn't so great for mobile security.
One of the biggest reasons MDM solutions fall short is that many employees now use personal devices for work instead of employer-owned devices, and MDMs don't extend to personal devices.
MDMs also can't do much to track and remediate mobile security risks. While you might be able to use your MDM to locate and wipe lost devices, distribute enterprise apps and block others, it can't detect the risks and threats your devices encounter and respond accordingly. That's why you need a mobile security solution that works in concert with your MDM, complementing the management capabilities with robust protection.
Myth #4: Personal Devices are Secure Enough
With bring-your-own-device (BYOD) programs practically ubiquitous these days, IT and security departments are likely losing sleep over the risks these personal, unmanaged mobile devices introduce. After all, with a BYOD model, employees are responsible for making their own software updates and they’re constantly flipping between personal and work use.
One of the worst mistakes an organization can make is believing that there’s nothing they can do to bring these unmanaged devices into the fold, or assuming that these devices are secure enough on their own. The right mobile security solution will enable you to protect all mobile devices, managed or unmanaged, without compromising the privacy of your employees.
Myth #5: One-Time Authentication is Enough to Secure Mobile Devices
With mobile devices being used to access corporate data from everywhere, it's important to understand who is actually using those devices. You may think a one-time authentication is enough to confirm identity, but that's not the case. If a device is compromised after authentication takes place, there’s no way for you to know. Any threats or risks that the device poses to your organization may go completely unnoticed.
Instead, you should strive for a zero-trust approach that's based on continuous conditional access. By consistently monitoring elements like device health and user behavior in addition to identity checks, you'll have a better understanding of the risk levels of each device that has access to your resources.
Myth #6: Mobile Threat Intelligence is a “Nice to Have”
Some IT and security teams prioritize threat intelligence that focuses mainly on desktops, laptops, or servers — but because mobile devices are such an appealing target for cybercrime, threat intelligence that covers mobile-specific threats is critical.
Mobile threat intelligence helps to paint a picture of the mobile threats that your organization is facing so you can mount an effective response, and it shouldn’t be treated as optional. With a steady flow of up-to-date mobile threat intelligence, your IT and security teams will be able to identify trends in attacks, connect the kill chains to get the full scope, and recognize their adversary, which will enable them to improve your organization’s mobile security posture.
Mitigating Mobile Device Security Risks
Mobile devices are now as much a part of work as desktops and laptops, and because of that, it’s not enough to safeguard your traditional endpoints. Mobile device security must be a part of your overall cybersecurity strategy. To understand the role of mobile security in your organization, check out our free e-book, The Mobile Security Playbook: Key Questions for Protecting Your Data. You’ll learn why proper implementation of mobile security is critical for data protection and which capabilities you need to mitigate mobile device security risks.
Blog courtesy of Lookout. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.