The expanded market presence of IoT, 5G, machine learning, cloud security and other factors has resulted in an increasingly decentralized network for enterprise organizations to monitor and secure. This is no surprise to cyber security practitioners and some might even say that this is “the new normal.”
Risk that comes from mobile and IoT devices must be factored into the enterprise security program. Security leaders need to look at those risks holistically and strategically, rather than operationally.
Additionally, security leaders need to make sure that technology-driven innovation within their organization (such as digital transformation at a macro level or machine learning as a specific technology, for example) does not outpace their ability to maintain a secure environment.
The change in behavior for the contemporary enterprise cyber security leader is less about the procurement of mobile devices and more about the strategic security planning.
IoT Is Officially Part Of Enterprise Mobility
When Cyber Security Hub has surveyed enterprise security leaders, there is a clear understanding of security principles for mobility, while the awareness and adoption of IoT devices lags significantly. Are IoT devices being readily accepted as part of enterprise mobility? We spoke to attendees at the annual RSA Conference in San Francisco along with the cybersecurity team at Verizon to gain perspective.
In the 2019 Verizon Mobile Security Index, 65 percent of respondents said that IoT was an 8 or higher (on a scale of 10) in criticality to their security program. This suggests that the gap – in understanding or placement of IoT within the realm of mobility – is shrinking.
IoT is not the only emerging technology that security teams are being quizzed on by executives, board members and the solution ecosystem. The spectrum includes artificial intelligence and machine learning; augmented and merged reality; 4G and 5G mobile communications; multi-cloud environments; and more. New technology can introduce both perils and potential for an organization. It will not solve today's security issues on its own, but it can reveal additional strategy requirements for the security program.
Are Desktop And Server Threat Response Processes Distracting From Mobile Defense?
Enterprise mobile adoption has occurred in three distinct phases over time to where the marketplace is today:
- At first, mobile devices were not considered smart. Instead, they were viewed as hardware to be managed.
- Organizations then recognized that mobile devices are powerful, hold high-value data and carry loss and protection requirements. At the same time, cyber security teams gained a larger voice in determining policy and controls for these smart devices.
- The third step is the full integration of mobile risk visibility into the security teams that monitor endpoints and services. The observation made in our conversations is that there remains a bit of an operational silo, which may be due to a lack of sufficient integration.
It is hard to avoid concluding that mobile devices were simply out of sight while desktop and server security strategies were being addressed. Attackers have become more brazen and less discriminating in their efforts. As defenders innovate, attackers innovate too. The bad guys continue to find ways to exploit enterprise defenses.
In the 2020 Verizon Mobile Security Index, 39 percent of respondents said their organization had suffered a compromise from a mobility vector. Mobile is a potentially weak link if the proper controls are not put in place. Cryptojacking is now also part of the attacker’s arsenal. Besides the damage caused to data, cryptojacking can also drain the device battery, which impacts worker productivity and business operations. The attackers are getting more creative and utilizing the power of the cloud and machine learning.
Mobile introduces usability challenges that attackers can exploit to get around user awareness training. Email applications and web browsers make it tougher to see the full URL of a link due to the limited screen size. Phishing attacks target mobile devices as well. The payload differs somewhat from desktop counterparts, but payloads containing malware or ransomware are viable channels to compromise enterprise workers.
On the positive side, on-going enterprise programs to generate workforce awareness of phishing along with broad media coverage about ransomware are increasing user caution.
Actionable Steps For Enterprise Security Leaders
An area where security teams can add value to enterprise mobile use is the development and deployment of Acceptable Use Policies (AUPs) for mobile devices. The definition of an AUP will differ by organization or by role within an organization. From the IT survey responses and casual conversations at RSAC2020, it was evident that few organizations have such a policy.
The three steps to an AUP are creating the policy, communicating the policy and enforcing the policy. Verizon and others promote AUP-generation tools to assist in jumpstarting the effort. The intersection between consumer behavior and secure enterprise activities shows room for improvement when it comes to acceptable use.
Only 62 percent of survey respondents actually ban the installation of non-approved applications on a mobile device. It has been observed that some mobile applications request excessive permissions. For example, does my banking application really need microphone access? Many users will simply accept the permission requests. Security leaders face an uphill battle in communicating how personal habits on mobile devices make their way into the enterprise network.
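One way an AUP's application-vetting step can be made concrete is to compare the permissions an app declares against the set the organization has approved for that app's role. The following is an added example, not code from the article or from Verizon; the manifest is a constructed sample (the package name and the per-category allowlist are hypothetical), and it uses only the Python standard library.

```python
import xml.etree.ElementTree as ET

# Android's manifest attribute namespace (a real, fixed URI)
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest; "com.example.bank" is a placeholder, not a real app.
# It declares microphone and contacts access alongside the permissions a
# banking app would plausibly need.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Hypothetical allowlist an AUP might define per application category.
# An unknown category has no approved permissions, so everything is flagged.
ALLOWED_BY_CATEGORY = {
    "banking": {
        "android.permission.INTERNET",
        "android.permission.CAMERA",        # e.g. cheque deposit by photo
        "android.permission.USE_BIOMETRIC", # device-bound login
    },
}


def declared_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = []
    for element in root.findall("uses-permission"):
        # The android:name attribute is namespaced, so look it up by full URI
        name = element.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def excessive_permissions(manifest_xml, category):
    """Return, sorted, the declared permissions not approved for this category."""
    allowed = ALLOWED_BY_CATEGORY.get(category, set())
    return sorted(p for p in declared_permissions(manifest_xml) if p not in allowed)


if __name__ == "__main__":
    for permission in excessive_permissions(SAMPLE_MANIFEST, "banking"):
        print("not approved for banking apps:", permission)
```

Run as a script it reports RECORD_AUDIO and READ_CONTACTS as unapproved for a banking app; the same check can be pointed at manifests pulled from an MDM inventory to turn the "ban non-approved applications" clause of an AUP into something that is actually enforced.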
The Perils Of Bad Wi-Fi
Everybody understands the importance of the VPN when it comes to computing outside of the physical network perimeter. Only 42 percent of the survey respondents said they prohibit employees from utilizing a public Wi-Fi service. Furthermore, 20 percent said that a security compromise in the past year originated from "bad Wi-Fi". Further exploration is necessary to understand which aspects of public Wi-Fi access should be considered the most risky.
Identifying Desired Outcomes In Secure Enterprise Mobility
While enterprise mobility has matured, its core definition has also broadened to include new mobile endpoints and communication paths that need to be secured. At the same time, the role of the security leader has evolved to discussing real business risk with other stakeholders in the organization. Modern mobile security requires an understanding of these moving parts and a willingness to pursue areas where teams have less experience.
The sentiment from security practitioners is to leverage diverse mobile experiences from the past and design for better integration of IoT, public Wi-Fi and 5G data into the security executive landscape.